diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 4adf09ac5a..e680e14a80 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -1,4 +1,4 @@ -{:allowed-branchname-matches ["main"] +{:allowed-branchname-matches ["main" "release-.*"] :allowed-filename-matches ["windows/"] :targets diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 2d21a68dd9..a466519b7f 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -20520,10 +20520,140 @@
 "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
 "redirect_document_id": true
 },
+ {
+ "source_path": "windows/client-management/mdm/applocker-xsd.md",
+ "redirect_url": "/windows/client-management/mdm/applocker-csp#policy-xsd-schema",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/client-management/mdm/vpnv2-profile-xsd.md",
+ "redirect_url": "/windows/client-management/mdm/vpnv2-csp#profilexml-xsd-schema",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md",
+ "redirect_url": "/windows/client-management/mdm/enterprisedesktopappmanagement-csp#downloadinstall-xsd-schema",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/client-management/mdm/enterprisemodernappmanagement-xsd.md",
+ "redirect_url": "/windows/client-management/mdm/enterprisemodernappmanagement-csp#enterprisemodernappmanagement-xsd",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "education/windows/education-scenarios-store-for-business.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/teacher-get-minecraft.md",
+ "redirect_url": "/education/windows/get-minecraft-for-education",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/school-get-minecraft.md",
+ "redirect_url": "/education/windows/get-minecraft-for-education",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
 "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
 "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/get-support-for-security-baselines.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/mbsa-removal-and-guidance.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/credential-guard/credential-guard-scripts.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/whats-new/windows-10-insider-preview.md",
+ "redirect_url": "/windows/whats-new",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/s-mode-switch-to-edu.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/change-to-pro-education.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/test-windows10s-for-edu.md",
+ "redirect_url": "/windows/deployment/s-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/enable-s-mode-on-surface-go-devices.md",
+ "redirect_url": "/windows/deployment/s-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy",
+ "redirect_document_id": true
 }
 ]
 }
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index bbfd85b95e..c8b17e2ff9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
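Review bot: Thirteen of the new `windows/security/...` entries (TPM owner password, TPM commands and lockout, the BitLocker recovery-loop page, credential-guard scripts, the WDAC audit/enforce page, both firewall pages, SmartScreen per-device, the S-mode security-center page, security-baselines support, MBSA guidance, the VBS/HVCI planning page) redirect to the bare `/windows/security` hub with `"redirect_document_id": false`, so a reader following an old link to a specific hardening or recovery procedure lands on a landing page with no pointer to whatever replaced it. Where a topical successor page still exists, target it the way the `*-xsd.md` entries and `windows-autopatch-privacy.md` do in this same hunk (for example the TPM and BitLocker pages to their respective overview pages rather than the hub); I can't see from the hunk which successor pages survive, so confirm against the current TOC. Separately, this file already holds 20,000+ entries and the 26 new `source_path` values are appended without any visible check for an earlier entry with the same path, which most redirect processors resolve first-wins or flag as an error, so a duplicate scan before merging is worthwhile.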
@@ -57,7 +57,7 @@ If you use Automatic Updates in your company, but want to stop your users from a > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.yml). - **Use an update management solution to control update deployment.** - If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. + If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. > [!NOTE] > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. 
@@ -66,7 +66,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t ## Availability of Internet Explorer 11 -Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS. +Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Configuration Manager and WSUS. ## Prevent automatic installation of Internet Explorer 11 with WSUS diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index c0fb369154..1dd3438086 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -50,7 +50,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage | Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | | Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. | -| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Endpoint Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | | Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | | Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md index 7015595563..2090ed72ef 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md @@ -33,7 +33,7 @@ Before you begin, you should: - **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). -- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Endpoint Configuration Manager, or your network. +- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Configuration Manager, or your network. - **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons. diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml index 15833fa467..23a57d2206 100644 --- a/education/breadcrumb/toc.yml +++ b/education/breadcrumb/toc.yml 
@@ -16,3 +16,9 @@ items: - name: Windows tocHref: /windows/configuration/ topicHref: /education/windows/index + - name: Windows + tocHref: /windows/deployment/ + topicHref: /education/windows/index + - name: Windows + tocHref: /windows/Security/Application Control for Windows/ + topicHref: /education/windows/index diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index e41ec1ade3..e9d3004423 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md 
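Review bot: The new breadcrumb entry `tocHref: /windows/Security/Application Control for Windows/` reads like a page title pasted where a URL path belongs: it has a capital `S` and unencoded spaces, unlike the sibling `/windows/configuration/` and `/windows/deployment/` values, so it is unlikely to match any rendered page path and the breadcrumb would quietly never apply to the WDAC section it is meant to cover. Elsewhere in this commit the same content is linked as `/windows/security/threat-protection/windows-defender-application-control/...` (education/windows/TOC.yml), so the intended value is probably `tocHref: /windows/security/threat-protection/windows-defender-application-control/`; confirm against the published URL before merging. The three entries also all use `name: Windows`, which may be deliberate but leaves the three breadcrumbs indistinguishable in the rendered trail.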
@@ -1,29 +1,40 @@ ---- -ms.date: 10/24/2020 ---- -## Week of January 09, 2023 +## Week of March 06, 2023 | Published On |Topic title | Change | |------|------------|--------| -| 1/12/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | added | +| 3/8/2023 | Change to Windows 10 Education from Windows 10 Pro | removed | +| 3/8/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | +| 3/8/2023 | Enable S mode on Surface Go devices for Education | removed | +| 3/8/2023 | Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode | removed | +| 3/8/2023 | Test Windows 10 in S mode on existing Windows 10 education devices | removed | +| 3/9/2023 | [Windows for Education documentation](/education/windows/index) | modified | -## Week of December 19, 2022 +## Week of February 27, 2023 | Published On |Topic title | Change | |------|------------|--------| -| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | +| 2/28/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | modified | +| 2/28/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified | -## Week of December 12, 2022 +## Week of February 20, 2023 | Published On |Topic title | Change | |------|------------|--------| -| 12/13/2022 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified | +| 2/22/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified | +| 2/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 2/22/2023 | [Management functionalities for Surface 
devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified | +| 2/22/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified | +| 2/22/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified | +| 2/23/2023 | Education scenarios Microsoft Store for Education | removed | +| 2/23/2023 | [Get and deploy Minecraft Education](/education/windows/get-minecraft-for-education) | modified | +| 2/23/2023 | For IT administrators get Minecraft Education Edition | removed | +| 2/23/2023 | For teachers get Minecraft Education Edition | removed | diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml index bc030c32e4..69693b6fdf 100644 --- a/education/windows/TOC.yml +++ b/education/windows/TOC.yml @@ -18,10 +18,12 @@ items: href: windows-11-se-faq.yml - name: Windows in S Mode items: - - name: Test Windows 10 in S mode on existing Windows 10 education devices - href: test-windows10s-for-edu.md - - name: Enable Windows 10 in S mode on Surface Go devices - href: enable-s-mode-on-surface-go-devices.md + - name: Overview + href: /windows/deployment/s-mode?context=/education/context/context + - name: Switch Windows edition from S mode + href: /windows/deployment/windows-10-pro-in-s-mode?context=/education/context/context + - name: Deploy Win32 apps to S Mode devices + href: /windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s?context=/education/context/context - name: Windows 10 editions for education customers href: windows-editions-for-education-customers.md - name: Considerations for shared and guest devices 
@@ -46,26 +48,12 @@ items: href: configure-aad-google-trust.md - name: Configure Shared PC href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context + - name: Get and deploy Minecraft Education + href: get-minecraft-for-education.md - name: Use the Set up School PCs app href: use-set-up-school-pcs-app.md - - name: Change Windows edition - items: - - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode - href: s-mode-switch-to-edu.md - - name: Change to Windows 10 Pro Education from Windows 10 Pro - href: change-to-pro-education.md - - name: Upgrade Windows Home to Windows Education on student-owned devices - href: change-home-to-edu.md - - name: "Get and deploy Minecraft: Education Edition" - items: - - name: "Get Minecraft: Education Edition" - href: get-minecraft-for-education.md - - name: "For IT administrators: get Minecraft Education Edition" - href: school-get-minecraft.md - - name: "For teachers: get Minecraft Education Edition" - href: teacher-get-minecraft.md - - name: Work with Microsoft Store for Education - href: education-scenarios-store-for-business.md + - name: Upgrade Windows Home to Windows Education on student-owned devices + href: change-home-to-edu.md - name: Migrate from Chromebook to Windows items: - name: Chromebook migration guide diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index fea632b61a..f92de780a3 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md 
@@ -74,7 +74,7 @@ It's critical that MAKs are protected whenever they're used. The following proce - Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp); > [!IMPORTANT] > If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students. -- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager. +- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager. For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades). @@ -117,7 +117,7 @@ These steps provide instructions on how to use Microsoft Intune to upgrade devic These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters). -- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com) +- Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431) - Select **Tenant administration** > **Filters** - Select **Create** - Specify a name for the filter (for example *Windows Home edition*) 
@@ -142,7 +142,7 @@ These steps configure a filter that will only apply to devices running the *Wind These steps create and assign a Windows edition upgrade policy. For more information, see [Windows 10/11 device settings to upgrade editions or enable S mode in Intune](/mem/intune/configuration/edition-upgrade-windows-settings). -- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com) +- Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431) - Select **Devices** > **Configuration profiles** - Select **Create profile** - Select the **Platform** as **Windows 10 or later** @@ -177,9 +177,9 @@ The edition upgrade policy will now apply to all existing and new Windows Home e ### Step 3: Report on device edition -You can check the Windows versions of managed devices in the Microsoft Endpoint Manager admin console. +You can check the Windows versions of managed devices in the Microsoft Intune admin center. -- Start in the **Microsoft Endpoint Manager admin console** +- Start in the **Microsoft Intune admin center** - Select **Devices** > **Windows** - Select the **Columns** button - Select **Sku Family** diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md deleted file mode 100644 index a134019d38..0000000000 --- a/education/windows/change-to-pro-education.md +++ /dev/null 
@@ -1,303 +0,0 @@ ---- -title: Change to Windows 10 Education from Windows 10 Pro -description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 -ms.collection: - - highpri - - tier2 - - education ---- - -# Change to Windows 10 Pro Education from Windows 10 Pro -Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. - -If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt in to a free change to Windows 10 Pro Education depending on your scenario. -- [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](./s-mode-switch-to-edu.md) - -To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. - ->[!IMPORTANT] ->If you change a Windows 10 Pro device to Windows 10 Pro Education using Microsoft Store for Education, [subscription activation](/windows/deployment/windows-10-subscription-activation) won't work. - -## Requirements for changing -Before you change to Windows 10 Pro Education, make sure you meet these requirements: -- Devices must be running Windows 10 Pro, version 1607 or higher. -- Devices must be Azure Active Directory-joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices). 
- - If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). - -- The Azure AD tenant must be recognized as an education approved tenant. -- You must have a Microsoft Store for Education account. -- The user making the changes must be a member of the Azure AD global administrator group. - -## Compare Windows 10 Pro and Pro Education editions -You can [compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. - -For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). - -## Change from Windows 10 Pro to Windows 10 Pro Education - -For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt in to a free change through the Microsoft Store for Education. - -In this scenario: - -- The IT admin of the tenant chooses to turn on the change for all Azure AD-joined devices. -- Any device that joins the Azure AD will change automatically to Windows 10 Pro Education. -- The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). - -See [change using Microsoft Store for Education](#change-using-microsoft-store-for-education) for details on how to turn on the change. - -### Change using Intune for Education - -1. In Intune for Education, select **Groups** and then choose the group that you want to apply the MAK license key to. - - For example, to apply the change for all teachers, select **All Teachers** and then select **Settings**. - -2. In the settings page, find **Edition upgrade** and then: - 1. 
Select the edition in the **Edition to upgrade to** field - 2. Enter the MAK license key in the **Product key** field - - **Figure 1** - Enter the details for the Windows edition change - - ![Enter the details for the Windows edition change.](images/i4e_editionupgrade.png) - -3. The change will automatically be applied to the group you selected. - - -### Change using Windows Configuration Designer -You can use Windows Configuration Designer to create a provisioning package that you can use to change the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package. - -1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions. -2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to change to Windows 10 Pro Education. - - **Figure 2** - Enter the license key - - ![Enter the license key to change to Windows 10 Pro Education.](images/wcd/wcd_productkey.png) - -3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education. - - For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](./set-up-students-pcs-to-join-domain.md). - - -### Change using the Activation page - -1. On the Windows device that you want to change, open the **Settings** app. -2. Select **Update & security** > **Activation**, and then click **Change product key**. -3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**. - - -## Education customers with Azure AD-joined devices - -Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. 
When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system changes to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. - -When you change to Windows 10 Pro Education, you get the following benefits: - -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit doesn't include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program doesn't have a limitation on the number of licenses an organization can have. -- **Roll back options to Windows 10 Pro** - - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. - - See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro) for more info. - - -### Change using Microsoft Store for Education -Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you can't select which users will receive the change. 
The change will only apply to Windows 10 Pro devices. - -**To turn on the automatic change to Windows 10 Pro Education** - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. - - If you're signing into the Microsoft Store for Education for the first time, you'll be prompted to accept the Microsoft Store for Education Terms of Use. - -2. Click **Manage** from the top menu and then select the **Benefits tile**. -3. In the **Benefits** tile, look for the **Change to Windows 10 Pro Education for free** link and then click it. - -4. In the **Change all your devices to Windows 10 Pro Education for free** page, check box next to **I understand enabling this setting will change all domain-joined devices running Windows 10 Pro in my organization**. - - **Figure 3** - Check the box to confirm - - ![Check the box to confirm.](images/msfe_manage_benefits_checktoconfirm.png) - -5. Click **Change all my devices**. - - A confirmation window pops up to let you know that an email has been sent to you to enable the change. - -6. Close the confirmation window and check the email to proceed to the next step. -7. In the email, click the link to **Change to Windows 10 Pro Education**. Once you click the link, you are taken back to the Microsoft Store for Education portal. - -8. Click **Change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store. - - You'll see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. - -9. Click **Close** in the **Success** window. - -Enabling the automatic change also triggers an email message notifying all global administrators in your organization about the change. 
It also contains a link that enables any global administrators to cancel the change if they choose. For more info about rolling back or canceling the change, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). - - -## Explore the change experience - -So what will users experience? How will they change their devices? - -### For existing Azure AD-joined devices -Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No other steps are needed. - -### For new devices that are not Azure AD joined -Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition. - -#### Step 1: Join users' devices to Azure AD - -Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, version 1703. - -**To join a device to Azure AD the first time the device is started** - -There are different methods you can use to join a device to Azure AD: -- For multiple devices, we recommend using the [Set up School PCs app](use-set-up-school-pcs-app.md) to create a provisioning package to quickly provision and set up Windows 10 devices for education. -- For individual devices, you can use the Set up School PCs app or go through the Windows 10 device setup experience. If you choose this option, see the following steps. - -**To join a device to Azure AD using Windows device setup** - -If the Windows device is running Windows 10, version 1703, follow these steps. - -1. During initial device setup, on the **How would you like to set up?** page, select **Set up for an organization**, and then click **Next**. - -2. 
On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**. - -3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription. - - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** - -If the Windows device is running Windows 10, version 1703, follow these steps. - -1. Go to **Settings > Accounts > Access work or school**. - - **Figure 6** - Go to **Access work or school** in Settings - - ![Go to Access work or school in Settings.](images/settings_workorschool_1.png) - -2. In **Access work or school**, click **Connect**. -3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom. - - **Figure 7** - Select the option to join the device to Azure Active Directory - - ![Select the option to join the device to Azure Active Directory.](images/settings_setupworkorschoolaccount_2.png) - -4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. The device is joined with the school's Azure AD. -5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. - - **Figure 8** - Verify the device connected to Azure AD - - ![Verify the device is connected to Azure AD.](images/settings_connectedtoazuread_3.png) - - -#### Step 2: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, users will sign in by using their Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. 
- - -#### Step 3: Verify that Pro Education edition is enabled - -You can verify the Windows 10 Pro Education in **Settings > Update & Security > Activation**. - -**Figure 9** - Windows 10 Pro Education in Settings - -Windows 10 activated and subscription active - -If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - -### Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10 Pro Education change. The most common problems that users may experience are as follows: - -- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) isn't activated. -- The Windows 10 Pro Education change has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - -**Figure 10** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education change is active. - -Windows 10 activated and subscription active

- - -**Figure 11** - Illustrates a device on which the existing operating system isn't activated, but the Windows 10 Pro Education change is active. - -Windows 10 not activated and subscription active

- - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure AD joined** - -1. Open a command prompt and type the following command: - - ``` - dsregcmd /status - ``` - -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined. - -**To determine the version of Windows 10** - -- At a command prompt, type: - - ``` - winver - ``` - - A popup window will display the Windows 10 version number and detailed OS build information. - - > [!NOTE] - > If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be changed to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. - -### Roll back Windows 10 Pro Education to Windows 10 Pro - -If your organization has the Windows 10 Pro to Windows 10 Pro Education change enabled, and you decide to roll back to Windows 10 Pro or to cancel the change, perform the following task: - -- Log into Microsoft Store for Education page and turning off the automatic change. -- Selecting the link to turn off the automatic change from the notification email sent to all global administrators. - -Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. Therefore, users whose device was changed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. 
However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro. - -> [!NOTE] -> Devices that were changed from mode to Windows 10 Pro Education can't roll back to Windows 10 Pro Education S mode. - -**To roll back Windows 10 Pro Education to Windows 10 Pro** - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. -2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. -3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. - - **Figure 12** - Revert to Windows 10 Pro - - ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) - -4. You'll be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. -5. Click **Close** in the **Success** page. - - All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic changes again, you can do this by selecting **change to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. - - -## Preparing for deployment of Windows 10 Pro Education licenses - -If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. - -You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). 
This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -(Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -For more information about integrating on-premises AD DS domains with Azure AD, see these resources: -- [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - -## Related topics - -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) -[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) -[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) -[Windows 10 subscription activation](/windows/deployment/windows-10-subscription-activation) \ No newline at end of file diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 05c7db8963..969f81b3be 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -346,7 +346,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid |--- |--- |--- |--- | |Use Office 365||✔️|✔️| |Use Intune for management||✔️|✔️| -|Use Microsoft Endpoint Manager for management|✔️||✔️| +|Use Microsoft Configuration Manager for management|✔️||✔️| |Use Group Policy for management|✔️||✔️| |Have devices that are domain-joined|✔️||✔️| |Allow faculty and students to Bring Your Own Device (BYOD) which aren't domain-joined||✔️|✔️| 
@@ -359,7 +359,7 @@ You may ask the question, “Why plan for device, user, and app management befor Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. -Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Endpoint Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. +Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. Table 6. Device, user, and app management products and technologies @@ -464,7 +464,7 @@ Use the following Microsoft management systems and the deployment resources to p - [Windows Autopilot](/mem/autopilot/windows-autopilot) -- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/) +- Microsoft Configuration Manager [core infrastructure documentation](/mem/configmgr/core/) - Provisioning packages: diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md index 60ad9dce9e..2afa86f4c1 100644 --- a/education/windows/configure-aad-google-trust.md +++ b/education/windows/configure-aad-google-trust.md 
@@ -1,7 +1,7 @@ --- title: Configure federation between Google Workspace and Azure AD description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD. -ms.date: 02/10/2023 +ms.date: 02/24/2023 ms.topic: how-to --- @@ -24,7 +24,8 @@ To test federation, the following prerequisites must be met: 1. A Google Workspace environment, with users already created > [!IMPORTANT] - > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD + > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD. + > For more information about identity matching, see [Identity matching in Azure AD](federated-sign-in.md#identity-matching-in-azure-ad). 1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example: - School Data Sync (SDS) - Azure AD Connect sync for environment with on-premises AD DS 
@@ -38,14 +39,14 @@ To test federation, the following prerequisites must be met: 1. Select **Add app > Search for apps** and search for *microsoft* 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select** :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app."::: -1. On the *Google Identity Provider details* page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later -1. On the *Service provider details* page +1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later +1. On the **Service provider detail*s** page - Select the option **Signed response** - Verify that the Name ID format is set to **PERSISTENT** - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\ If using Google auto-provisioning, select **Basic Information > Primary email** - Select **Continue** -1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes +1. On the **Attribute mapping** page, map the Google attributes to the Azure AD attributes |Google Directory attributes|Azure AD attributes| |-|-| diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 587d279c84..f736b5adc6 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -10,7 +10,7 @@ appliesto: Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). +We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready. 
@@ -45,7 +45,7 @@ It's easy to be education ready when using Microsoft products. We recommend the 3. Enroll the PCs in MDM. * If you've activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. 4. Ensure that needed assistive technology apps can be used. - * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. + * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. 4. Distribute the PCs to students. diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 4935d37ed7..25b23567fd 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows 10 in a school district (Windows 10)
-description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Endpoint Configuration Manager, Intune, and Group Policy to manage devices.
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
@@ -9,7 +9,7 @@ appliesto: # Deploy Windows 10 in a school district -This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment 
@@ -125,7 +125,7 @@ Now that you've the plan (blueprint) for your district and individual schools an The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). -You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. +You can use MDT as a stand-alone tool or integrate it with Microsoft Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md). 
@@ -163,7 +163,7 @@ The high-level process for deploying and configuring devices within individual c 6. On the reference devices, deploy Windows 10 and the Windows desktop apps on the device, and then capture the reference image from the devices. -7. Import the captured reference images into MDT or Microsoft Endpoint Configuration Manager. +7. Import the captured reference images into MDT or Microsoft Configuration Manager. 8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. @@ -191,9 +191,9 @@ Before you select the deployment and management methods, you need to review the |Scenario feature |Cloud-centric|On-premises and cloud| |---|---|---| |Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD | -|Windows 10 deployment | MDT only | Microsoft Endpoint Manager with MDT | +|Windows 10 deployment | MDT only | Microsoft Configuration Manager with MDT | |Configuration setting management | Intune | Group Policy

Intune| -|App and update management | Intune |Microsoft Endpoint Configuration Manager

Intune| +|App and update management | Intune |Microsoft Configuration Manager

Intune| *Table 1. Deployment and management scenarios* 
@@ -205,19 +205,19 @@ These scenarios assume the need to support: Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind: * You can use Group Policy or Intune to manage configuration settings on a device but not both. -* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. +* You can use Configuration Manager or Intune to manage apps and updates on a device but not both. * You can't manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. ### Select the deployment methods -To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. +To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. 
|Method|Description| |--- |--- | |MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
Select this method when you:

  • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
  • Don’t have an existing AD DS infrastructure.
  • Need to manage devices regardless of where they are (on or off premises).
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems
  • You can manage device drivers during initial deployment.
  • You can deploy Windows desktop apps (during initial deployment)
  • It doesn’t require an AD DS infrastructure.
  • It doesn’t have extra infrastructure requirements.
  • MDT doesn’t incur extra cost: it’s a free tool.
  • You can deploy Windows 10 operating systems to institution-owned and personal devices.
    The disadvantages of this method are that it:
  • Can’t manage applications throughout entire application life cycle (by itself).
  • Can’t manage software updates for Windows 10 and apps (by itself).
  • Doesn’t provide antivirus and malware protection (by itself).
  • Has limited scaling to large numbers of users and devices.| -|Microsoft Endpoint Configuration Manager|
  • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
  • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
    Select this method when you:
  • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
  • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
  • Typically deploy Windows 10 to on-premises devices.
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems.
  • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
  • You can manage software updates for Windows 10 and apps.
  • You can manage antivirus and malware protection.
  • It scales to large number of users and devices.
    The disadvantages of this method are that it:
  • Carries an extra cost for Microsoft Endpoint Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Can deploy Windows 10 only to domain-joined (institution-owned devices).
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| +|Microsoft Configuration Manager|
  • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
  • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
    Select this method when you:
  • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
  • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
  • Typically deploy Windows 10 to on-premises devices.
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems.
  • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
  • You can manage software updates for Windows 10 and apps.
  • You can manage antivirus and malware protection.
  • It scales to large number of users and devices.
    The disadvantages of this method are that it:
  • Carries an extra cost for Microsoft Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Can deploy Windows 10 only to domain-joined (institution-owned devices).
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 2. Deployment methods* @@ -226,7 +226,7 @@ Record the deployment methods you selected in Table 3. |Selection | Deployment method| |--------- | -----------------| | |MDT by itself | -| |Microsoft Endpoint Manager and MDT| +| |Microsoft Configuration Manager and MDT| *Table 3. Deployment methods selected* @@ -260,9 +260,9 @@ Use the information in Table 6 to determine which combination of app and update |Selection|Management method| |--- |--- | -|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
  • Selected Configuration Manager to deploy Windows 10.
  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
  • Want to manage AD DS domain-joined devices.
  • Have an existing AD DS infrastructure.
  • Typically manage on-premises devices.
  • Want to deploy operating systems.
  • Want to provide application management for the entire application life cycle.
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems.
  • You can manage applications throughout the entire application life cycle.
  • You can manage software updates for Windows 10 and apps.
  • You can manage antivirus and malware protection.
  • It scales to large numbers of users and devices.
    The disadvantages of this method are that it:
  • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
  • Can only manage domain-joined (institution-owned devices).
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
  • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| +|Microsoft Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
  • Selected Configuration Manager to deploy Windows 10.
  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
  • Want to manage AD DS domain-joined devices.
  • Have an existing AD DS infrastructure.
  • Typically manage on-premises devices.
  • Want to deploy operating systems.
  • Want to provide application management for the entire application life cycle.
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems.
  • You can manage applications throughout the entire application life cycle.
  • You can manage software updates for Windows 10 and apps.
  • You can manage antivirus and malware protection.
  • It scales to large numbers of users and devices.
    The disadvantages of this method are that it:
  • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
  • Can only manage domain-joined (institution-owned devices).
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
  • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| |Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
    Select this method when you:
  • Selected MDT only to deploy Windows 10.
  • Want to manage institution-owned and personal devices that aren't domain joined.
  • Want to manage Azure AD domain-joined devices.
  • Need to manage devices regardless of where they are (on or off premises).
  • Want to provide application management for the entire application life cycle.
    The advantages of this method are that:
  • You can manage institution-owned and personal devices.
  • It doesn’t require that devices be domain joined.
  • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
  • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
    The disadvantages of this method are that it:
  • Carries an extra cost for Intune subscription licenses.
  • can't deploy Windows 10 operating systems.| -|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
    Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
    Select this method when you:
  • Selected Microsoft Endpoint Manager to deploy Windows 10.
  • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
  • Want to manage domain-joined devices.
  • Want to manage Azure AD domain-joined devices.
  • Have an existing AD DS infrastructure.
  • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
  • Want to provide application management for the entire application life cycle.
    The advantages of this method are that:
  • You can deploy operating systems.
  • You can manage applications throughout the entire application life cycle.
  • You can scale to large numbers of users and devices.
  • You can support institution-owned and personal devices.
  • It doesn’t require that devices be domain joined.
  • It can manage devices regardless of their location (on or off premises).
    The disadvantages of this method are that it:
  • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
  • Carries an extra cost for Intune subscription licenses.
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| +|Microsoft Configuration Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.

    Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.

    Select this method when you:
  • Selected Microsoft Configuration Manager to deploy Windows 10.
  • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
  • Want to manage domain-joined devices.
  • Want to manage Azure AD domain-joined devices.
  • Have an existing AD DS infrastructure.
  • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
  • Want to provide application management for the entire application life cycle.

    The advantages of this method are that:
  • You can deploy operating systems.
  • You can manage applications throughout the entire application life cycle.
  • You can scale to large numbers of users and devices.
  • You can support institution-owned and personal devices.
  • It doesn’t require that devices be domain joined.
  • It can manage devices regardless of their location (on or off premises).

    The disadvantages of this method are that it:
  • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
  • Carries an extra cost for Intune subscription licenses.
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 6. App and update management products* @@ -270,9 +270,9 @@ Record the app and update management methods that you selected in Table 7. |Selection | Management method| |----------|------------------| -| |Microsoft Endpoint Manager by itself| +| |Microsoft Configuration Manager by itself| | |Intune by itself| -| |Microsoft Endpoint Manager and Intune (hybrid mode)| +| |Microsoft Configuration Manager and Intune (hybrid mode)| *Table 7. App and update management methods selected* 
@@ -315,16 +315,16 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Install the Configuration Manager console > [!NOTE] -> If you selected Microsoft Endpoint Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. +> If you selected Microsoft Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers. -For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole). +For more information about how to install the Configuration Manager console, see [Install Microsoft Configuration Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole). 
### Configure MDT integration with the Configuration Manager console > [!NOTE] -> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next. +> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next. You can use MDT with Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT. 
@@ -841,7 +841,7 @@ At the end of this section, you should know the Windows 10 editions and processo ## Prepare for deployment -Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. +Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. ### Configure the MDT deployment share 
@@ -851,17 +851,17 @@ The first step in preparing for Windows 10 deployment is to configure—that is, |--- |--- | |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| |2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.
    Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:
  • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
  • For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.

    If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
    If you've Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
    In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
  • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
  • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:
  • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
  • For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.

    If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
    If you've Intune or Microsoft Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
    In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
  • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
  • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| |4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you've sufficient licenses for them.
    To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
    If you've Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
    This is the preferred method for deploying and managing Windows desktop apps.
    **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
    For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| |5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
  • Deploy 64-bit Windows 10 Education to devices.
  • Deploy 32-bit Windows 10 Education to devices.
  • Upgrade existing devices to 64-bit Windows 10 Education.
  • Upgrade existing devices to 32-bit Windows 10 Education.

    Again, you'll create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| |6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
    For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share* -### Configure Microsoft Endpoint Configuration Manager +### Configure Microsoft Configuration Manager > [!NOTE] -> If you've already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. +> If you've already configured your Microsoft Configuration Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you'll need to deploy a new infrastructure. 
@@ -871,21 +871,21 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this * [Start using Configuration Manager](/mem/configmgr/core/servers/deploy/start-using) -#### To configure an existing Microsoft Endpoint Manager infrastructure for operating system deployment +#### To configure an existing Microsoft Configuration Manager infrastructure for operating system deployment 1. Perform any necessary infrastructure remediation. - Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment). + Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment). 2. Add the Windows PE boot images, Windows 10 operating systems, and other content. You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you'll use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. - You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 
+ You can add this content by using Microsoft Configuration Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 3. Add device drivers. You must add device drivers for the different device types in your district. For example, if you've a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device. - Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers). + Create a Microsoft Configuration Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers). 4. Add Windows apps. Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you can't capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. 
@@ -914,14 +914,14 @@ You can use Windows Deployment Services in conjunction with MDT to automatically For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). -### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager +### Configure Windows Deployment Services for Microsoft Configuration Manager > [!NOTE] -> If you've already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next. +> If you've already configured your Microsoft Configuration Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next. You can use Windows Deployment Services in conjunction with Configuration Manager to automatically initiate boot images on target devices. These boot images are Windows PE images that you use to boot the target devices, and then initiate Windows 10, app, and device driver deployment. -#### To configure Windows Deployment Services for Microsoft Endpoint Configuration Manager +#### To configure Windows Deployment Services for Microsoft Configuration Manager 1. Set up and configure Windows Deployment Services. 
@@ -944,7 +944,7 @@ You can use Windows Deployment Services in conjunction with Configuration Manage #### Summary -Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district. +Your MDT deployment share and Microsoft Configuration Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district. ## Capture the reference image 
@@ -1015,7 +1015,7 @@ Both the Deployment Workbench and the Configuration Manager console have wizards For more information about how to import the reference image into: * An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](/mem/configmgr/mdt/use-the-mdt#ImportaPreviouslyCapturedImageofaReferenceComputer). -* Microsoft Endpoint Configuration Manager, see [Manage operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images). +* Microsoft Configuration Manager, see [Manage operating system images with Microsoft Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images). ### Create a task sequence to deploy the reference image 
@@ -1026,10 +1026,10 @@ As you might expect, both the Deployment Workbench and the Configuration Manager For more information about how to create a task sequence in the: * Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). -* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system). +* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system). #### Summary -In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Endpoint Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices. +In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Configuration Manager. 
Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices. ## Prepare for device management @@ -1095,7 +1095,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/ ### Deploy and manage apps by using Intune -If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section. +If you selected to deploy and manage apps by using Microsoft Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager) section. You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that aren't enrolled in Intune or that another solution manages. 
@@ -1106,9 +1106,9 @@ For more information about how to configure Intune to manage your apps, see the - [Protect apps and data with Microsoft Intune](/mem/intune/apps/app-protection-policy) - [Help protect your data with full or selective wipe using Microsoft Intune](/mem/intune/remote-actions/devices-wipe) -### Deploy and manage apps by using Microsoft Endpoint Configuration Manager +### Deploy and manage apps by using Microsoft Configuration Manager -You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box. +You can use Microsoft Configuration Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box. For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, iOS, and Android. You can deploy the one application to multiple device types. 
@@ -1121,7 +1121,7 @@ For more information about how to configure Configuration Manager to deploy and ### Manage updates by using Intune -If you selected to manage updates by using Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager) section. +If you selected to manage updates by using Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager) section. To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune. @@ -1133,7 +1133,7 @@ For more information about how to configure Intune to manage updates and malware - [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/mem/intune/protect/endpoint-protection-configure) -### Manage updates by using Microsoft Endpoint Configuration Manager +### Manage updates by using Microsoft Configuration Manager To ensure that your users have the most current features and security protection, use the software updates feature in Configuration Manager to manage updates. The software updates feature works in conjunction with WSUS to manage updates for Windows 10 devices. 
@@ -1146,7 +1146,7 @@ For more information about how to configure Configuration Manager to manage Wind #### Summary -In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or Microsoft Endpoint Manager to manage your apps. Finally, you configured Intune or Microsoft Endpoint Manager to manage software updates for Windows 10 and your apps. +In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or Microsoft Configuration Manager to manage your apps. Finally, you configured Intune or Microsoft Configuration Manager to manage software updates for Windows 10 and your apps. ## Deploy Windows 10 to devices @@ -1159,7 +1159,7 @@ Prior to deployment of Windows 10, complete the tasks in Table 18. Most of these | | Task | |:---|:---| |**1.** |Ensure that the target devices have sufficient system resources to run Windows 10.| -|**2.** |Identify the necessary devices drivers, and then import them into the MDT deployment share or Microsoft Endpoint Configuration Manager.| +|**2.** |Identify the necessary devices drivers, and then import them into the MDT deployment share or Microsoft Configuration Manager.| |**3.** |For each Microsoft Store and Windows desktop app, create an MDT application or Configuration Manager application.| |**4.** |Notify the students and faculty about the deployment.| @@ -1243,11 +1243,11 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Verify that Windows Update is active and current with operating system and software updates.
    For more information about completing this task when you have:
  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
  • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
  • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
    Neither Intune, Group Policy, nor WSUS, see "Install, upgrade, & activate" in Windows 10 help.|✔️|✔️|✔️| |Verify that Windows Defender is active and current with malware Security intelligence.
    For more information about completing this task, see [Turn Windows Defender on or off](/mem/intune/user-help/turn-on-defender-windows) and [Updating Windows Defender](/mem/intune/user-help/turn-on-defender-windows).|✔️|✔️|✔️| |Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
    For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️| -|Download and approve updates for Windows 10, apps, device driver, and other software.
    For more information, see:
  • [Manage updates by using Intune](#manage-updates-by-using-intune)
  • [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️| +|Download and approve updates for Windows 10, apps, device driver, and other software.
    For more information, see:
  • [Manage updates by using Intune](#manage-updates-by-using-intune)
  • [Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager)|✔️|✔️|✔️| |Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
    For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️| |Refresh the operating system and apps on devices.
    For more information about completing this task, see the following resources:
  • [Prepare for deployment](#prepare-for-deployment)
  • [Capture the reference image](#capture-the-reference-image)
  • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️| -|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
    For more information, see:
  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| -|Install new or update existing Microsoft Store apps used in the curriculum.
    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
    For more information, see:
  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| +|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
    For more information, see:
  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
  • [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)||✔️|✔️| +|Install new or update existing Microsoft Store apps used in the curriculum.
    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Configuration Manager, or both in a hybrid configuration.
    For more information, see:
  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
  • [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)||✔️|✔️| |Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you've an on-premises AD DS infrastructure).
    For more information about how to:
  • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
  • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| |Add new accounts (and corresponding licenses) to AD DS (if you've an on-premises AD DS infrastructure).
    For more information about how to:
  • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
  • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| |Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you don't have an on-premises AD DS infrastructure).
    For more information about how to:
  • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
  • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 1655458c44..34726cf380 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -79,13 +79,13 @@ Now that you've the plan (blueprint) for your classroom, you’re ready to learn The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). -You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. +You can use MDT as a stand-alone tool or integrate it with Microsoft Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. 
You'll learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
-The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), [Configuration Manager](/mem/configmgr/core/understand/introduction), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. The configuration process requires the following devices:
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 392497fa7d..fc74fcd614 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -9,9 +9,9 @@ appliesto: # Deployment recommendations for school IT administrators -Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). +Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we'd like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). 
+We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). ## Deployment best practices 
@@ -20,16 +20,16 @@ Keep these best practices in mind when deploying any edition of Windows 10 in sc * A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account * If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school * IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store -* If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info +* If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. 
See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info ## Windows 10 Contacts privacy settings -If you’re an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district: +If you're an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district: * [Configure Windows telemetry in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) - Describes the types of telemetry we gather and the ways you can manage this data * [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data -In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student’s contacts list. By default, this setting is turned on. +In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student's contacts list. By default, this setting is turned on. To change the setting, you can: * [Turn off access to contacts for all apps](#turn-off-access-to-contacts-for-all-apps) 
@@ -78,7 +78,7 @@ If the school allows the use of personal or Microsoft account in addition to org #### Skype -Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype. +Skype uses the user's contact details to deliver important information about the account and it also lets friends find each other on Skype. To manage and edit your profile in the Skype UWP app, follow these steps: 
@@ -101,20 +101,20 @@ To manage and edit your profile in the Skype UWP app, follow these steps: #### Xbox -A user’s Xbox friends and their friends’ friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child’s family can change these default settings to allow it to be more permissive. +A user's Xbox friends and their friends' friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child's family can change these default settings to allow it to be more permissive. To learn more about how families can manage security and privacy settings on Xbox, see this [Xbox article on security](https://go.microsoft.com/fwlink/?LinkId=821445). ### Delete an account if username is identifying -If you want to delete either (or both) the Skype and the Xbox accounts, here’s how to do it. +If you want to delete either (or both) the Skype and the Xbox accounts, here's how to do it. #### Skype To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](https://go.microsoft.com/fwlink/?LinkId=816515) -If you need help with deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can: +If you need help with deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you've signed in, you can: 1. Select a help topic (**Account and Password**) 1. Select a related problem (**Deleting an account**) 
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
deleted file mode 100644
index 1a86e4e1c4..0000000000
--- a/education/windows/education-scenarios-store-for-business.md
+++ /dev/null
@@ -1,144 +0,0 @@
----
-title: Education scenarios Microsoft Store for Education
-description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools.
-ms.topic: article
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10 and later
----
-
-# Working with Microsoft Store for Education
-
-Learn about education scenarios for Microsoft Store for Education. IT admins and teachers can use Microsoft Store to find, acquire, distribute, and manage apps.
-
-Many of the [settings in Microsoft Store for Business](/microsoft-store/settings-reference-microsoft-store-for-business) also apply in Microsoft Store for Education. Several of the items in this topic are unique to Microsoft Store for Education.
-
-## Basic Purchaser role
-Applies to: IT admins
-
-By default, when a teacher with a work or school account signs up for Microsoft Store for Education, the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to:
-- View the Minecraft: Education Edition product description page
-- Acquire and manage Minecraft: Education Edition, and other apps from Store for Education
-- Use info on **Support** (including links to documentation and access to support through customer service)
-
-> [!NOTE]
-> People with the **Basic Purchaser** role can only manage (assign and reclaim licenses) for apps that they purchased. They can't manage apps purchased by people with **Purchaser** or **Admin** roles.
-
-Admins can control whether or not teachers are automatically assigned the **Basic Purchaser** role. You can configure this with **Make everyone a Basic Purchaser**. You'll find this on **Settings**, with **Shop** settings.
-
-**To manage Make everyone a Basic Purchaser**
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, and then click **Settings**.
-3. On **Shop**, select or clear **Make everyone a Basic Purchaser**.
-
-> [!NOTE]
-> **Make everyone a Basic Purchaser** is on by default.
-
-When **Make everyone a Basic Purchaser** is turned off, admins can manually assign the role to teachers.
-
-**To assign Basic Purchaser role**
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, and then choose **Permissions**.
-3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**.
-
-
-**Blocked Basic Purchasers**
-
-When **Make everyone a Basic Purchaser** is on, admins can still manage which users have the **Basic Purchaser** role. An admin can unassign the **Basic Purchaser** role from a user, and the user is added to a list of **Blocked Basic Purchasers**. Admins can review who are **Basic Purchasers** and **Blocked Basic Purchasers** on **Permissions**.
-
-## Private store
-
-Applies to: IT admins
-
-When you create your Microsoft Store for Education account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use.
-
-These apps will automatically be in your private store:
-- Word mobile
-- Excel mobile
-- PowerPoint mobile
-- OneNote
-- Sway
-- Fresh Paint
-- Minecraft: Education Edition
-
-As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
-
-## Manage domain settings
-
-Applies to: IT admins
-
-### Self-service sign up
-Self-service sign-up makes it easier for users in your organization to sign up for online services from Microsoft. We call this sign up process "self-service sign-up" because your users can sign up to use services paid by your subscription, or use free services, without asking you to take action on their behalf.
For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
-
-### Domain verification
-For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Microsoft 365 admin center. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
-
-## Acquire apps
-Applies to: IT admins and teachers
-
-Find apps for your school using Microsoft Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps.
-
-**To acquire apps**
-- For info on how to acquire apps, see [Acquire apps in Microsoft Store for Business](/microsoft-store/acquire-apps-windows-store-for-business#acquire-apps)
-
-**To add a payment method - debit or credit card**
-
-If the app you purchase has a price, you’ll need to provide a payment method.
-- During your purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
-
-For more information on payment options, see [payment options](/microsoft-store/acquire-apps-windows-store-for-business#payment-options).
-
-For more information on tax rates, see [tax information](/microsoft-store/update-windows-store-for-business-account-settings#organization-tax-information).
-
-## Manage apps and software
-Applies to: IT admins and teachers
-
-## Manage purchases
-IT admins and teachers in educational settings can purchase apps from Microsoft Store for Education.
Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default.
-
-While both groups can purchase apps, they can't manage purchases made by the other group.
-
-Admins can:
-- Manage and distribute apps they purchased and apps purchased by other admins in the organization.
-- View apps purchased by teachers.
-- View and manage apps on **Manage**, under **Apps & software**.
-
-Teachers can:
-- Manage and distribute apps they purchased.
-- View and manage apps on **Manage**, under **Apps & software**.
-
-> [!NOTE]
-> Teachers with the Basic purchaser role can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
-
-## Distribute apps
-
-**To manage and distribute apps**
-- For info on how to manage and distribute apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business)
-
-**To assign an app to a student**
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then choose **Apps & software**.
-3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
-4. Type the email address, or name for the student that you're assigning the app to, and click **Assign**.
-
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**.
-
-### Purchase more licenses
-Applies to: IT admins and teachers
-
-You can manage current app licenses, or purchase more licenses for apps in **Apps & software**.
-
-**To purchase additional app licenses**
-1. Click **Manage**, click **Apps & software**, and then click an app.
-2. Click **Buy more** to purchase more licenses
    -
-You'll have a summary of current license availability.
-
-## Manage order history
-Applies to: IT admins and teachers
-
-You can manage your orders through Microsoft Store for Business. For info on order history and how to refund an order, see [Manage app orders in Microsoft Store for Business](/microsoft-store/manage-orders-microsoft-store-for-business).
-
-It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md
deleted file mode 100644
index 6fa45fd3e7..0000000000
--- a/education/windows/enable-s-mode-on-surface-go-devices.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: Enable S mode on Surface Go devices for Education
-description: Learn how to enable S mode on Surface Go devices.
-ms.date: 08/10/2022
-ms.topic: how-to
-appliesto:
- - ✅ Windows 10
----
-
-# Surface Go for Education - Enabling S mode
-
-Surface Go devices are available with both Windows 10 Home in S mode and Windows 10 Pro configurations. Education customers who purchase Surface Go devices with Windows 10 Pro may wish to take advantage of S mode on their Pro devices. These customers can create their own S mode image for Surface Go or enable S mode on a per-device basis.
-
-## Prerequisites
-
-Here are some things you’ll need before attempting any of these procedures:
-
-- A Surface Go device or Surface Go device image based on Windows 10 Pro
- (1803)
-- General understanding of [Windows deployment scenarios and related
- tools](/windows/deployment/windows-deployment-scenarios-and-tools)
-- [Windows ADK for Windows 10
- 1803](/windows/deployment/windows-adk-scenarios-for-it-pros)
-- [Bootable Windows Preinstall Environment
- (WinPE)](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
-
-## Enabling S Mode – Windows Image (WIM)
-
-Like enterprise administrators performing large-scale deployment of customized Windows images, education customers can create their own customized Windows images for deployment to multiple classroom devices. An education customer who plans to follow [a traditional image-based deployment
-process](/windows/deployment/windows-10-deployment-scenarios#traditional-deployment) using a Windows 10 Pro (1803) image for Surface Go devices can enable S mode as follows:
-
-1. Use DISM to mount your offline Windows 10 Pro (1803) image.
-
- ```
- dism /Mount-image /imagefile:\ {/Index:\ | /Name:\} /MountDir:\
- ```
-
-2. 
Create an unattend.xml answer file, adding the
- amd64_Microsoft_Windows_CodeIntegrity component to Pass 2 offline Servicing
- and setting amd64_Microsoft_Windows_CodeIntegrity\\SkuPolicyRequired to “1”.
- The resulting xml should look like this…
-
- Copy
- ```
-
-
- 1
-
-
- ```
-3. Save the answer file in the **Windows\Panther** folder of your mounted image as unattend.xml.
-4. Use DISM to apply the unattend.xml file and enable S Mode:
-
- Copy
- ```
- dism /image:C:\mount\windows /apply-unattend:C:\mount\windows\windows\panther\unattend.xml
- ```
-
- > Note: in the above example, C:\\mount\\ is the local directory used to mount
- > the offline image.
-5. Commit the image changes and unmount the image
-
- Copy
- ```
- dism /Unmount-image /MountDir:C:\\mount /Commit
- ```
- >Note: don’t forget the /Commit parameter to ensure you don’t lose your
- changes.
-
-Your Windows 10 Pro (1803) image now has S mode enabled and is ready to deploy to Surface Go devices.
-
-## Enabling S Mode – Per Device
-
-Education customers who wish to avoid the additional overhead associated with Windows image creation, customization, and deployment can enable S mode on a per-device basis. Performing the following steps on a Surface Go device will enable S mode on an existing installation of Windows 10 Pro (1803).
-
-1. Create a bootable WinPE media. See [Create a bootable Windows PE USB
- drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) for details.
-
-2. Create an unattend.xml answer file, adding the
- amd64_Microsoft_Windows_CodeIntegrity component to Pass 2 offline Servicing
- and setting amd64_Microsoft_Windows_CodeIntegrity\\SkuPolicyRequired to “1”. The resulting xml should look like this…
-
- Copy
- ```
-
-
- 1
-
-
- ```
-
-3. Attach your bootable WinPE USB drive to a Surface Go device and perform a USB boot (hold the **volume down** button while powering on the device… continue to hold until the Surface logo appears)
-4. 
Wait for WinPE to launch a command window (*X:\\windows\\system32\\cmd.exe*).
-5. Apply the unattend.xml created in step 2 using DISM.
-
- Copy
- ```
- dism /image:C:\ /apply-unattend:D:\unattend.xml
- ```
- > Note: in the above example, C:\\ is the local OS drive (offline). D:\ is where the S mode unattend.xml file (from Step 2) resides.
-
-6. Once DISM has successfully applied the unattend.xml, reboot the Surface Go device.
-Upon reboot, you should find your Surface Go device now is now in S mode.
-
-## Troubleshooting
-
-|ISSUE | RESOLUTION |
-|------------------------ |-----------------------|
-|DISM fails to apply the unattend.xml because the OS drive is encrypted. | This is one reason why it’s best to enable S mode before setting up and configuring a device. If the OS drive has already been encrypted, you’ll need to fully decrypt the drive before you can enable S mode. |
-|Unattend.xml has been applied and dism reports success. However, when I boot the device, it’s not in S mode. This can happen when a device was booted to Windows 10 Pro before S mode was enabled. To resolve this issue, do the following: | 1. **Run** “shutdown.exe -p -f” to force a complete shutdown.
    2. Hold the **vol-up** button while pressing the **power** button to power on the device. Continue to hold **vol-up** until you see the Surface UEFI settings.
    3. Under **Security** find the **Secure Boot** option and disable it.
    4. With SecureBoot disabled choose **exit** -\> **restart now** to exit UEFI settings and reboot the device back to Windows.
    5. Confirm that S mode is now properly enabled.
    6. Once you’ve confirmed S mode, you should re-enable Secure Boot… repeat the above steps, choosing to **Enable** Secure Boot from the UEFI securitysettings.
-
-## Additional Info
-
-[Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios)
-
-[Windows 10 deployment scenarios and tools](/windows/deployment/windows-deployment-scenarios-and-tools)
-
-[Download and install the Windows ADK](/windows-hardware/get-started/adk-install)
-
-[Windows ADK for Windows 10 scenarios for IT Pros](/windows/deployment/windows-adk-scenarios-for-it-pros)
-
-[Modify a Windows Image Using DISM](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
-
-[Service a Windows Image Using DISM](/windows-hardware/manufacture/desktop/service-a-windows-image-using-dism)
-
-[DISM Image Management Command-Line Options](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
\ No newline at end of file
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 0ea3ad5e3d..eefe5ce3e3 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,20 +1,21 @@ --- title: Configure federated sign-in for Windows devices -description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune -ms.date: 01/12/2023 +description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages. +ms.date: 02/24/2023 ms.topic: how-to appliesto: - - ✅ Windows 11 SE + - ✅ Windows 11 ms.collection: - highpri - tier1 - education --- - -# Configure federated sign-in for Windows 11 SE +# Configure federated sign-in for Windows devices -Starting in Windows 11 SE, version 22H2, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in. +Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\ +This feature is called *federated sign-in*.\ +Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in. ## Benefits of federated sign-in 
@@ -27,33 +28,44 @@ With fewer credentials to remember and a simplified sign-in process, students ar To implement federated sign-in, the following prerequisites must be met: -1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1] +1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Azure AD?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4] >[!NOTE] >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1]. - > - >For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md). + + - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md) + - For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1] 1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform 1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. 
These accounts are commonly created through automated solutions, for example: - [School Data Sync (SDS)][SDS-1] - [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1] - provisioning tools offered by the IdP + + For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad). 1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2] -1. Enable federated sign-in on the Windows devices that the users will be using - > [!IMPORTANT] - > This feature is exclusively available for Windows 11 SE, version 22H2. +1. Enable federated sign-in on the Windows devices To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet. -## Enable federated sign-in on devices - - -To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune. +To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: [!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] @@ -69,25 +81,25 @@ To sign-in with a SAML 2.0 identity provider, your devices must be configured wi [!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] - ## How to use federated sign-in 
@@ -106,24 +118,62 @@ Federated sign-in doesn't work on devices that have the following settings enabl - **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1] - **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2] -- **Take a Test**, since it leverages the security policy above +- **Take a Test**, since it uses the security policy above + +### Identity matching in Azure AD + +When an Azure AD user is federated, the user's identity from the IdP must match an existing user object in Azure AD. +After the token sent by the IdP is validated, Azure AD searches for a matching user object in the tenant by using an attribute called *ImmutableId*. + +> [!NOTE] +> The ImmutableId is a string value that **must be unique** for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId value should be based on the federation setup and configuration with your IdP, so confirm with your IdP before setting it. + +If the matching object is found, the user is signed-in. If not, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found: + +:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png"::: + +> [!IMPORTANT] +> The ImmutableId matching is case-sensitive. + +The ImmutableId is typically configured when the user is created in Azure AD, but it can also be updated later.\ +In a scenario where a user is federated and you want to change the ImmutableId, you must: + +1. Convert the federated user to a cloud-only user (update the UPN to a non-federated domain) +1. Update the ImmutableId +1. 
Convert the user back to a federated user + +Here's a PowerShell example to update the ImmutableId for a federated user: + +```powershell +#1. Convert the user from federated to cloud-only +Get-AzureADUser -SearchString alton@example.com | Set-AzureADUser -UserPrincipalName alton@example.onmicrosoft.com + +#2. Convert the user back to federated, while setting the immutableId +Get-AzureADUser -SearchString alton@example.onmicrosoft.com | Set-AzureADUser -UserPrincipalName alton@example.com -ImmutableId '260051' +``` ## Troubleshooting - The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen - Select the *Other User* button, and the standard username/password credentials are available to log into the device -[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp + + +[AZ-1]: /azure/active-directory/hybrid/whatis-fed [AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign [AZ-3]: /azure/active-directory/hybrid/how-to-connect-sync-whatis +[AZ-4]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp [GRAPH-1]: /graph/api/user-post-users?tabs=powershell +[EXT-1]: https://support.clever.com/hc/s/articles/000001546 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10 [MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843 [SDS-1]: /schooldatasync +[KB-1]: https://support.microsoft.com/kb/5022913 + [WIN-1]: /windows/client-management/mdm/sharedpc-csp [WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin \ No newline at end of file diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 53ac374a11..0c1e50cd52 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -1,8 +1,8 @@ --- -title: Get Minecraft Education Edition -description: Learn how to get and distribute Minecraft Education Edition. +title: Get and deploy Minecraft Education +description: Learn how to obtain and distribute Minecraft Education to Windows devices. ms.topic: how-to -ms.date: 08/10/2022 +ms.date: 02/23/2023 appliesto: - ✅ Windows 10 and later ms.collection: 
@@ -11,20 +11,139 @@ ms.collection:
 - tier2
 ---
-# Get Minecraft: Education Edition
+# Get and deploy Minecraft Education
-[Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft.
+Minecraft Education is a game-based platform that inspires creative and inclusive learning through play. Explore blocky worlds that unlock new ways to tackle any subject or challenge. Dive into subjects like reading, math, history, and coding with lessons and standardized curriculum designed for all types of learners. Or explore and build together in creative open worlds.
-
+**Use it your way**: with hundreds of ready-to-teach lessons, creative challenges, and blank canvas worlds, there are lots of ways to make Minecraft Education work for your students. It's easy to get started, no gaming experience necessary.
-Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution.
+**Prepare students for the future**: learners develop key skills like problem solving, collaboration, digital citizenship, and critical thinking to help them thrive now and in the future workplace. Spark a passion for STEM.
-## Prerequisites
-
-- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements).
-- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
- - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
- - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office)
- - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
+**Game based learning**: unlock creativity and deep learning with immersive content created with partners including BBC Earth, NASA, and the Nobel Peace Center. Inspire students to engage in real-world topics, with culturally relevant lessons and build challenges.
-[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
+## Minecraft Education key features
+
+- Multiplayer mode enables collaboration in-game across platforms, devices, and hybrid environments
+- Code Builder supports block-based coding, JavaScript, and Python with intuitive interface and in-game execution
+- Immersive Reader helps players read and translate text
+- Camera and Book & Quill items allow documentation and export of in-game creations
+- Integration with Microsoft Teams and Flipgrid supports assessment and teacher controls
+
+## Try or purchase Minecraft Education
+
+Users in a Microsoft-verified academic organization with Microsoft 365 accounts have [access to a free trial][EDU-1] for Minecraft Education. This grants faculty accounts 25 free logins, and student accounts 10 free logins before a paid license is required to continue playing. Users in non-Microsoft-verified academic organizations have 10 free logins.
+
+Organizations can [purchase subscriptions][EDU-2] directly in the *Microsoft 365 admin center*, via volume licensing agreements, or through partner resellers.
+
+When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Azure Active Directory (Azure AD) tenant. If you don't have an Azure AD tenant:
+
+- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes an Azure AD tenant
+- Non-Microsoft-verified academic organizations can set up a free Azure AD tenant when they [purchase Minecraft Education commercial licenses][EDU-4]
+
+### Direct purchase
+
+To purchase direct licenses:
+
+1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar
+1. Scroll down and select **Buy Now** under **Direct Purchase**
+1. In the *purchase* page, sign in with an account that has *Billing Admin* privileges in your organization
+1. If necessary, fill in any requested organization or payment information
+1. Select the quantity of licenses you'd like to purchase and select **Place Order**
+1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
+
+If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
+
+### Volume licensing
+
+Qualified education institutions can purchase Minecraft Education licenses through their Microsoft channel partner. Schools need to be part of the *Enrollment for Education Solutions* (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft Education licensing offer is best for their institution. The process looks like this:
+
+1. Your channel partner will submit and process your volume license order
+1. Your licenses will show on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
+1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
+
+### Payment options
+
+You can pay for Minecraft Education with a debit or credit card, or with an invoice.
+
+#### Debit or credit cards
+
+During the purchase, select **Add a new payment method**. Provide the information needed for your debit or credit card.
+
+#### Invoices
+
+Invoices are a supported payment method for Minecraft Education. There are a few requirements:
+
+- $500 invoice minimum for your initial purchase
+- $15,000 invoice maximum (for all invoices within your organization)
+
+To pay with an invoice:
+
+1. During the purchase, select **Add a new payment method.**
+2. Select the **Invoice** option, and provide the information needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization.
+
+For more information about invoices and how to pay by invoice, see [Payment options for your Microsoft subscription][M365-1].
+
+## Assign Minecraft Education licenses
+
+You can assign and manage Minecraft Education licenses from the Microsoft 365 admin center.\
+You must be a *Global*, *License*, or *User admin* to assign licenses. For more information, see [About Microsoft 365 admin roles][M365-2].
+
+1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
+1. From the left-hand menu in Microsoft Admin Center, select *Users*
+1. From the Users list, select the users you want to add or remove for Minecraft Education access
+1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already
+ > [!Note]
+ > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions.
+1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
+ > [!Note]
+ > If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
+
+:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
+
+For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
+
+## Distribute Minecraft Education
+
+There are different ways to install Minecraft Education on Windows devices. You can manually install the app on each device, or you can use a deployment tool to distribute the app to multiple devices.
+If you're using Microsoft Intune to manage your devices, follow these steps to deploy Minecraft Education:
+
+1. Go to the Microsoft Intune admin center
+1. Select **Apps > Windows > Add**
+1. Under *App type*, select **Microsoft Store app (new)** and choose **Select**
+1. Select **Search the Microsoft Store app (new)** and search for **Minecraft Education**
+1. Select the app and choose **Select**
+1. On the *App information* screen, select **Next**
+1. On the *Assignments* screen, choose how you want to target the installation of Minecraft Education
+ - *Required* means that Intune installs the app without user interaction
+ - *Available* enables Minecraft Education in the Company Portal, where users can install the app on-demand
+1. Select **Next**
+1. On the *Review + Create* screen, select **Create**
+
+Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
+
+:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
+
+For more information how to deploy Minecraft Education, see:
+
+- [Windows installation guide][EDU-6]
+- [Chromebook installation guide][EDU-7]
+- [iOS installation guide][EDU-8]
+- [macOS installation guide][EDU-9]
+
+If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
+
+
+[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
+[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
+[EDU-3]: https://www.microsoft.com/education/products/office
+[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
+[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
+[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
+[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
+[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
+[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
+
+[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
+[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
+
+[AKA-1]: https://aka.ms/minecraftedusupport
diff --git a/education/windows/images/federated-sign-in-settings-ppkg.png b/education/windows/images/federated-sign-in-settings-ppkg.png
new file mode 100644
index 0000000000..553c40b0dd
Binary files /dev/null and b/education/windows/images/federated-sign-in-settings-ppkg.png differ
diff --git a/education/windows/images/federation/user-match-lookup-failure.png b/education/windows/images/federation/user-match-lookup-failure.png
new file mode 100644
index 0000000000..93fc3a4aa2
Binary files /dev/null and b/education/windows/images/federation/user-match-lookup-failure.png differ
diff --git a/education/windows/images/minecraft/admin-center-minecraft-license.png b/education/windows/images/minecraft/admin-center-minecraft-license.png
new file mode 100644
index 0000000000..ef96f3ef69
Binary files /dev/null and b/education/windows/images/minecraft/admin-center-minecraft-license.png differ
diff --git a/education/windows/images/minecraft/mcee-invoice-info.png b/education/windows/images/minecraft/mcee-invoice-info.png
deleted file mode 100644
index f4bf29f8b2..0000000000
Binary files a/education/windows/images/minecraft/mcee-invoice-info.png and /dev/null differ
diff --git a/education/windows/images/minecraft/win11-minecraft-education.png b/education/windows/images/minecraft/win11-minecraft-education.png
new file mode 100644
index 0000000000..84a8d86b96
Binary files /dev/null and b/education/windows/images/minecraft/win11-minecraft-education.png differ
diff --git a/education/windows/images/suspcs/2023-02-16_13-02-37.png b/education/windows/images/suspcs/2023-02-16_13-02-37.png
new file mode 100644
index 0000000000..dc396099bf
Binary files /dev/null and b/education/windows/images/suspcs/2023-02-16_13-02-37.png differ
diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md
index a8d82dfea6..c5eee0e2a8 100644
--- a/education/windows/includes/intune-custom-settings-1.md
+++ b/education/windows/includes/intune-custom-settings-1.md
@@ -1,13 +1,13 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 11/08/2022
+ms.date: 02/22/2022
 ms.topic: include
 ---
 To configure devices with Microsoft Intune, use a custom policy:
-1. Go to the Microsoft Endpoint Manager admin center
+1. Go to the Microsoft Intune admin center
 2. Select **Devices > Configuration profiles > Create profile**
 3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
 4. Select **Create**
diff --git a/education/windows/index.yml b/education/windows/index.yml
index a84e4b3961..691901dcf2 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -12,17 +12,11 @@ metadata:
 ms.collection:
 - education
 - highpri
+ - tier1
 author: paolomatarazzo
 ms.author: paoloma
- ms.date: 08/10/2022
- ms.reviewer:
+ ms.date: 03/09/2023
 manager: aaroncz
- ms.localizationpriority: medium
-
-# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
-
 # Card (optional)
 landingContent:
@@ -41,7 +35,6 @@ landingContent:
 - text: Management functionalities for Surface devices
 url: tutorial-school-deployment/manage-surface-devices.md
-
 - title: Learn about Windows 11 SE
 linkLists:
 - linkListType: concept
@@ -63,7 +56,6 @@ landingContent:
 - text: Deploy Windows 11 SE using Set up School PCs
 url: https://www.youtube.com/watch?v=Ql2fbiOop7c
-
 - title: Deploy devices with Set up School PCs
 linkLists:
 - linkListType: concept
@@ -83,7 +75,6 @@ landingContent:
 - text: Use the Set up School PCs App
 url: https://www.youtube.com/watch?v=2ZLup_-PhkA
-
 - title: Configure devices
 linkLists:
 - linkListType: concept
@@ -100,5 +91,5 @@ landingContent:
 url: edu-take-a-test-kiosk-mode.md
 - text: Configure Shared PC
 url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
- - text: "Deploy Minecraft: Education Edition"
+ - text: Get and deploy Minecraft Education
 url: get-minecraft-for-education.md
\ No newline at end of file
diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md
deleted file mode 100644
index fafc2716c8..0000000000
--- a/education/windows/s-mode-switch-to-edu.md
+++ /dev/null
@@ -1,67 +0,0 @@ ---- -title: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode -description: Learn how to switch out of Windows 10 Pro in S mode to Windows 10 Pro Education. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- - -# Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode -The S mode switch motion enables users to switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode. This gives users access to the Microsoft Store for Education and to other Education offers. - -## Benefits of Windows 10 Pro in S mode for Education - -S mode is an enhanced security mode of Windows 10 – streamlined for security and superior performance. With Windows 10 in S mode, everyone can download and install Microsoft-verified apps from the Microsoft Store for Education – this mode keeps devices running fast and secure day in and day out. - -- **Microsoft-verified security** - It reduces risk of malware and exploitations that harm students and educators, because only Microsoft-verified apps can be installed. -- **Performance that lasts** - Provides all-day battery life to keep students on task and not tripping over cords. Also, verified apps won’t degrade device performance over time. -- **Streamlined for Speed** - Offers faster log-in times so teachers spend less time waiting and more time teaching. - - -| |Home |S mode |Pro/Pro Education |Enterprise/Education | -|:---------|:---:|:---:|:---:|:---:| -|**Start Menu/Hello/Cortana/
    Windows Ink/Microsoft Edge** | X | X | X | X | -|**Store apps (including Windows
    desktop bridge apps)** | X | X | X | X | -|**Windows Update** | X | X | X | X | -|**Device Encryption** | X | X | X | X | -|**BitLocker** | | X | X | X | -|**Windows Update for Business** | | X | X | X | -|**Microsoft Store for Education** | | X | X | X | -|**Mobile Device Management**
    **and Azure AD join** | | X | X | X | -|**Group Policy management and**
    **Active Directory Domain Services** | | | X | X | -|**Desktop (Windows 32) Apps** | X | | X | X | -|**Change App Defaults**
    **Search/Browser/Photos/etc.** | X | | X | X | -|**Credential Guard** | | | | X | -|**Device Guard** | | | | X | - -### Windows 10 in S mode is safe, secure, and fast. -However, in some limited scenarios, you might need to switch to Windows 10 Education. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. - -## How to switch - -### Devices running Windows 10, version 1803 - -**Switch using the Microsoft Store for Education**
    -There are two switch options available using the Microsoft Store for Education: - -Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode
    -Tenant-wide Windows 10 Pro > Pro Education - -> [!IMPORTANT] -> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to roll back this kind of switch is through a [bare metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. - -### Devices running Windows 10, version 1709 - -1. **Bulk switch through Microsoft Store for Education** - In this scenario, the global admin for the Azure AD education tenant can use Microsoft Store to switch all Windows 10 Pro in S mode devices on the tenant to Windows 10 Pro Education. (Devices running Windows 10, version 1803 will switch to Windows 10 Pro EDU in S mode.) - -2. **Key acquisition options** - For schools with **active Microsoft Volume Licensing** agreements, global admins can obtain free MAK keys for Windows 10 Pro Education. For schools without an active Microsoft Volume Licensing agreement, the global admin can contact CSS, fill out a form and provide a proof of purchase to receive MAK keys for Windows 10 Pro Education. - -> [!NOTE] -> There is currently no "bulk-switch" option for devices running Windows 10, version 1803. - -## Related Topics -[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
    -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
    -[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
    -[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) \ No newline at end of file diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md deleted file mode 100644 index 150285950b..0000000000 --- a/education/windows/school-get-minecraft.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -title: For IT administrators get Minecraft Education Edition -description: Learn how IT admins can get and distribute Minecraft in their schools. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 -ms.collection: - - highpri - - education - - tier2 ---- - -# For IT administrators - get Minecraft: Education Edition - -When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription, Minecraft: Education Edition will be added to the inventory in your Microsoft Admin Center which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Admin Center is only displayed to members of your organization with administrative roles. - ->[!Note] ->If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you purchase Minecraft: Education Edition. For more information, see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). - -## Settings for Microsoft 365 A3 or Microsoft 365 A5 customers - -Schools that purchased Microsoft 365 A3 or Microsoft 365 A5 have an extra option for making Minecraft: Education Edition available to their students: - -If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Microsoft 365 A3 or Microsoft 365 A5. From the left-hand menu in Microsoft Admin Center, select Users. From the Users list, select the users you want to add or remove for Minecraft: Education Edition access. Add the relevant A3 or A5 license if it hasn't been assigned already. - -> [!Note] -> If you add a faculty license, the user will be assigned an instructor role in the application and will have elevated permissions. 
- -After selecting the appropriate product license, ensure Minecraft: Education Edition is toggled on or off, depending on if you want to add or remove Minecraft: Education Edition from the user (it will be on by default). - -If you turn off this setting after students have been using Minecraft: Education Edition, they will have up to 30 more days to use Minecraft: Education Edition before they don't have access. - -## How to get Minecraft: Education Edition - -Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies). - -If you've been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license). - -### Minecraft: Education Edition - direct purchase - -1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar. - -2. Scroll down and select **Buy Now** under Direct Purchase. - -3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account. - -4. If necessary, fill in any requested organization or payment information. - -5. Select the quantity of licenses you would like to purchase and select **Place Order**. - -6. After you've purchased licenses, you'll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users). - -If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses). 
- -### Minecraft: Education Edition - volume licensing - -Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this: - -- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory. -- You'll receive an email with a link to Microsoft Store for Education. -- Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft) - -## Minecraft: Education Edition payment options - -You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice. - -### Debit or credit cards - -During the purchase, click **Add a new payment method**. Provide the info needed for your debit or credit card. - -### Invoices - -Invoices are now a supported payment method for Minecraft: Education Edition. There are a few requirements: - -- Admins only (not supported for Teachers) -- $500 invoice minimum for your initial purchase -- $15,000 invoice maximum (for all invoices within your organization) - -**To pay with an invoice** - -1. During the purchase, click **Add a new payment method.** - -2. Select the Invoice option, and provide the info needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization. 
- - ![Invoice Details page showing items that need to be completed for an invoice. PO number is highlighted.](images/minecraft/mcee-invoice-info.png) - -For more info on invoices and how to pay by invoice, see [How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?). - -## Distribute Minecraft - -After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee). - -## Learn more - -[About Intune Admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac) - -## Related topics - -[Get Minecraft: Education Edition](get-minecraft-for-education.md) diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md deleted file mode 100644 index f11f1f684a..0000000000 --- a/education/windows/teacher-get-minecraft.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: For teachers get Minecraft Education Edition -description: Learn how teachers can obtain and distribute Minecraft. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 and later -ms.collection: - - highpri - - education - - tier2 ---- - -# For teachers - get Minecraft: Education Edition - -The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers. - - -## Try Minecraft: Education Edition for Free - -Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. - -To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download) - -## Purchase Minecraft: Education Edition for Teachers and Students - -As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription. - -M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. - - -#### Troubleshoot - -If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport). 
- -## Related topics - -[Get Minecraft: Education Edition](get-minecraft-for-education.md) -[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md) - - diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md deleted file mode 100644 index eaeda25979..0000000000 --- a/education/windows/test-windows10s-for-edu.md +++ /dev/null 
@@ -1,232 +0,0 @@ ---- -title: Test Windows 10 in S mode on existing Windows 10 education devices -description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices. -ms.topic: conceptual -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 -ms.collection: - - highpri - - education - - tier2 ---- - -# Test Windows 10 in S mode on existing Windows 10 education devices - -The Windows 10 in S mode self-installer will allow you to test Windows 10 in S mode on various individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Test Windows 10 in S mode on various devices in your school and share your feedback with us. - -Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2). - -Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps can't be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted, and you'll only be able to install apps from the Microsoft Store. - -**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these configurations, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). 
- -**Installing Office 365 for Windows 10 in S mode (Education preview)**: To install the Office applications in a school environment, you must use the free Setup School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store. - -As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they're installed. For more information about Office 365 for Education plans, see [Office on Windows 10 in S mode](https://support.microsoft.com/office/office-on-windows-10-in-s-mode-717193b5-ff9f-4388-84c0-277ddf07fe3f?ui=en-us&rs=en-us&ad=us). - -## Before you install Windows 10 in S mode - -### Important information - -Before you install Windows 10 in S mode, understand that non-Microsoft Store apps won't work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode: - -- Is intended for education customers to test compatibility with existing hardware -- May not work with some device drivers, which may not yet be ready for Windows 10 in S mode and may cause some loss in functionality -- May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function -- Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 in S mode is limited to Store apps only - - > [!WARNING] - > You can install Windows 10 in S mode on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 in S mode on Windows 10 Home devices as you won't be able to activate it. 
- -- Won't run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased - -Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media. - -Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device: - -- Make sure that you updated your existing device to Windows 10, version 1703. - - To update your device to Windows 10, version 1703, see [Download Windows 10](https://www.microsoft.com/software-download/windows10). You can verify your current version in **Settings > System > About**. - -- Install the latest Windows Update. - - To do this task, go to **Settings > Update & security > Windows Update**. - -- Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 in S mode. - - For more information on how to create the system backup, see [Create a recovery drive](#create-a-recovery-drive). - -## Supported devices - -The Windows 10 in S mode install will install and activate on the following editions of Windows 10 in use by schools: - -- Windows 10 Pro -- Windows 10 Pro Education -- Windows 10 Education -- Windows 10 Enterprise - -Other Windows 10 editions can't be activated and aren't supported. If your device isn't running one of these supported Windows 10 editions, don't proceed with using the Windows 10 in S mode installer. Windows 10-N editions and running in virtual machines aren't supported by the Windows 10 in S mode installer. - -### Preparing your device to install drivers - -Make sure all drivers are installed and working properly on your device running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise before installing Windows 10 in S mode. 
- -### Supported devices and drivers - -Check with your device manufacturer before trying Windows 10 in S mode on your device to see if the drivers are available and supported by the device manufacturer. - -## Kept files - -Back up all your data before installing Windows 10 in S mode. Only personal files may be kept during installation. Your settings and apps will be deleted. - -> [!NOTE] -> All existing Win32 applications and data will be deleted. Save any data or installation files in case you may need to access that data again or need to reinstall these applications later. - -## Domain join - -Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: - -- Local administrator -- Microsoft account administrator -- Azure Active Directory administrator - -> [!WARNING] -> If you don't have one of these administrator accounts accessible before migration, you'll not be able to sign in to your device after migrating to Windows 10 in S mode. - -We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 in S mode in case you run into this issue. - -## Installing Office applications - -After installing Windows 10 in S mode, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 in S mode (Education preview). You must have an Office license to activate the applications once they're installed. - -## Switch to previously installed Windows 10 editions - -If Windows 10 in S mode isn't right for you, you can switch to the Windows 10 edition previously installed on your device(s). - -- Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md). 
-- If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10). - -## Device recovery - -Before installing Windows 10 in S mode, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 in S mode. - -### Create a recovery drive - -To create a recovery drive, follow these steps. - -1. From the taskbar, search for **Create a recovery drive** and then select it. You might be asked to enter an admin password or confirm your choice. -2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then select **Next**. -3. Connect a USB drive to your PC, select it, and then select **Next > Create**. - - Many files need to be copied to the recovery drive; so this process might take a while. - -4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link, and then select **Delete**. If not, select **Finish**. - -### Go back to your previous edition of Windows 10 - -Alternatively, for 10 days after you install Windows 10 in S mode, you can go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This revert operation will keep your personal files, but it will remove installed apps and any changes you made to **Settings**. - -To go back, you need to: - -- Keep everything in the `windows.old` and `$windows.~bt` folders after the upgrade. -- Remove any user accounts you added after the upgrade. - -If going back isn't available: - -- Check if you can restore your PC to factory settings. 
This restoration will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**. -- If you've a product key for your previous version of Windows, use the media creation tool. It can create installation media of your previous Windows 10 edition, and do a clean install. - -After going back to your previous edition of Windows 10, you may receive the following message when launching Win32 apps: - -> For security and performance, this mode of Windows only runs verified apps from the Store. - -If you see this message, follow these steps to stop receiving the message: - -1. If you've BitLocker enabled, disable it first in the Control Panel. Go to **Manage BitLocker** and select **Turn off BitLocker**. -2. Open Windows **Settings** and go to **Update & security > Recovery**. -3. In the **Recovery** page, find **Advanced startup** and select **Restart now** to start your PC. -4. After restarting, in the **Choose an option** page, select **Troubleshoot**. -5. In the **Troubleshoot** page, select **Advanced options**, and in the **Advanced options** page select **UEFI Firmware Settings**. -6. In the **UEFI Firmware Settings** page, select **Restart** to get to the device-specific UEFI/BIOS menu. -7. Once you've accessed UEFI, look for the menu item labeled **Security** or **Security Settings**, and navigate to it. -8. Look for an option called **Secure boot configuration**, **Secure boot**, or **UEFI Boot**. If you can't find one of these options, check the **Boot** menu. -9. Disable the secure boot/UEFI boot option. -10. Save your settings and then exit UEFI. This exit action will restart your PC. -11. After Windows is done booting up, confirm that you no longer see the message. 
- - > [!NOTE] - > We recommend following these steps again to re-enable the **Secure boot configuration**, **Secure boot**, or **UEFI Boot** option, which you disabled in step 9, and then subsequently re-enable BitLocker (if you previously had this enabled). - -### Use installation media to reinstall Windows 10 - -> [!WARNING] -> This will remove all your personal files, apps, and installed drivers. apps and customizations from your PC manufacturer, and changes you made to **Settings**. - -To use an installation media to reinstall Windows 10, follow these steps. - -1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/software-download/windows10). -2. Download the Media Creation Tool and then run it. -3. Select **Create installation media for another PC**. -4. Choose a language, edition, and architecture (64-bit or 32-bit). -5. Follow the steps to create an installation media and then select **Finish**. -6. Connect the installation media that you created to your non-functional PC, and then turn it on. -7. On the initial setup screen, enter your language and other preferences, and then select **Next**. - - If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again. - -8. Select **Install now**. -9. On the **Enter the product key to active Windows** page, enter a product key if you've one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227). -10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**. -11. On the **Which type of installation do you want?** page, select **Custom**. -12. 
On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions. -13. When you're done formatting, select **Next**. -14. Follow the rest of the setup instructions to finish installing Windows 10. - -## Download Windows 10 in S mode - -Ready to test Windows 10 in S mode on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information. - -When you're ready, you can download the Windows 10 in S mode installer by clicking the **Download installer** button below: - -> [!div class="nextstepaction" style="center"] -> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240) - -After you install Windows 10 in S mode, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages**, select **Add a language** to add a new language or select an existing language, and set it as the default. - -## Terms and Conditions - -Because you're installing Windows 10 in S mode on a running version of Windows 10, you've already accepted the Windows 10 Terms and Conditions. you'ren't required to accept it again and the Windows 10 installer doesn't show a Terms and Conditions page during installation. - -## Support - -Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you're having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This feedback is the best way to help improve Windows 10 in S mode with your feedback. 
- -Common support questions for the Windows 10 in S mode test program: - -### How do I activate if I don't have a Windows 10 in S mode product key? - -As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home isn't recommended and supported at this time. - -### Will my OEM help me run Windows 10 in S mode? - -OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 in S mode. When testing Windows 10 in S mode, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above. - -### What happens when I run Reset or Fresh Start on Windows 10 in S mode? - -**Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 in S mode. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 in S mode. - -### What if I want to move from Windows 10 in S mode to Windows 10 Pro? - -If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you're testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. - -For help with activation issues, select the appropriate link below for support options. 
- -- For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you're seeking commercial support to contact our commercial support team. -- If you don't have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option. - -

    -1 Internet access fees may apply.
    -2 Devices must be configured for educational use by applying SetEduPolicies using the Setup School PCs app.
    - -

    diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md index f70081a995..5b63ea0b0b 100644 --- a/education/windows/tutorial-school-deployment/configure-device-settings.md +++ b/education/windows/tutorial-school-deployment/configure-device-settings.md @@ -70,7 +70,7 @@ To create a Windows Update policy: For more information, see [Updates and upgrade][INT-6]. > [!NOTE] -> If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information: +> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information: > - [What is Windows Update for Business?][WIN-1] > - [Manage Windows software updates in Intune][MEM-1] @@ -92,7 +92,7 @@ To create a security policy: For more information, see [Security][INT-4]. > [!NOTE] -> If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information: +> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information: > - [Antivirus][MEM-2] > - [Disk encryption][MEM-3] > - [Firewall][MEM-4] diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md index 01394b420a..32ff8c37ed 100644 --- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md 
@@ -54,7 +54,7 @@ Here are the steps for creating a dynamic group for the devices that have an ass 1. Select **Create group** :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true"::: -More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3]. +More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3]. > [!TIP] > You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings. @@ -76,7 +76,7 @@ To create an Autopilot deployment profile: 1. Ensure that **User account type** is configured as **Standard** 1. Select **Save** -While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4]. +While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4]. ### Configure an Enrollment Status Page @@ -87,7 +87,7 @@ An Enrollment Status Page (ESP) is a greeting page displayed to users while enro > [!NOTE] > Some Windows Autopilot deployment profiles **require** the ESP to be configured. -To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager. +To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune. > [!TIP] > While testing the deployment process, you can configure the ESP to: 
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md index 98574366e1..a23afe72b0 100644 --- a/education/windows/tutorial-school-deployment/index.md +++ b/education/windows/tutorial-school-deployment/index.md @@ -29,8 +29,8 @@ This content provides a comprehensive path for schools to deploy and manage new Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management. -Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices. -Microsoft Endpoint Manager services include: +Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices. +Microsoft Intune services include: - [Microsoft Intune][MEM-1] - [Microsoft Intune for Education][INT-1] diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md index e374fd8f7d..94efd0d46b 100644 --- a/education/windows/tutorial-school-deployment/manage-surface-devices.md +++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md 
@@ -17,25 +17,25 @@ Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI. -:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true"::: +:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true"::: ## Microsoft Surface Management Portal -Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. +Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities. To access and use the Surface Management Portal: -1. Sign in to Microsoft Endpoint Manager admin center -1. 
Select **All services** > **Surface Management Portal** - :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true"::: -1. To obtain insights for all your Surface devices, select **Monitor** +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **All services** > **Surface Management Portal** + :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true"::: +3. To obtain insights for all your Surface devices, select **Monitor** - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here -1. To obtain details on each insights category, select **View report** +4. To obtain details on each insights category, select **View report** - This dashboard displays diagnostic information that you can customize and export -1. To obtain the device's warranty information, select **Device warranty and coverage** -1. To review a list of support requests and their status, select **Support requests** +5. To obtain the device's warranty information, select **Device warranty and coverage** +6. To review a list of support requests and their status, select **Support requests** diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md index d27616f71e..899b8298dd 100644 --- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md +++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md 
@@ -30,7 +30,7 @@ For more information, see [Create your Office 365 tenant account][M365-1] The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant). -From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others: +From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Intune, Intune for Education, and others: :::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true"::: diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md index f4d3b44e2e..8d1b84254e 100644 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md 
@@ -7,9 +7,9 @@ ms.topic: tutorial # Set up Microsoft Intune -Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale. +Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale. -Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments. +The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments. :::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true"::: 
@@ -44,13 +44,13 @@ With enrollment restrictions, you can prevent certain types of devices from bein To block personally owned Windows devices from enrolling: -1. Sign in to the Microsoft Endpoint Manager admin center +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions** 1. Select the **Windows restrictions** tab 1. Select **Create restriction** 1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next** 1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next** - :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true"::: + :::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png"::: 1. Optionally, on the **Scope tags** page, add scope tags > **Next** 1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next** 1. On the **Review + create** page, select **Create** to save the restriction 
@@ -63,13 +63,13 @@ Windows Hello for Business is a biometric authentication feature that allows use It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices. To disable Windows Hello for Business at the tenant level: -1. Sign in to the Microsoft Endpoint Manager admin center +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Windows** > **Windows Enrollment** 1. Select **Windows Hello for Business** 1. Ensure that **Configure Windows Hello for Business** is set to **disabled** 1. Select **Save** -:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png"::: +:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="./images/whfb-disable.png"::: For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4]. diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md index dd9817a5b9..a58a7f2d9a 100644 --- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md +++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md 
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot Windows devices
-description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services.
+description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
@@ -9,7 +9,7 @@ appliesto:
 # Troubleshoot Windows devices
-Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices.
+Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
 Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
 - [Troubleshooting device enrollment in Intune][MEM-2]
@@ -27,11 +27,12 @@ Here's a collection of resources to help you troubleshoot Windows devices manage
 Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
-Follow these steps to obtain support in Microsoft Endpoint Manager:
+Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
+:
-- Sign in to the Microsoft Endpoint Manager admin center
+- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 - Select **Troubleshooting + support** > **Help and support**
- :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png":::
+ :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
 - Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
 - Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
 - In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
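Review bot: The replacement for `Follow these steps to obtain support in Microsoft Endpoint Manager:` is a botched find-and-replace: the new line reads `Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.` — the page's opening sentence pasted over the product name — and the original trailing colon is left stranded on its own added line (`+:`), which is why this hunk gains one line (`+27,12`). Rendered, readers get a run-on sentence followed by a bare `:` paragraph right before the support steps. Collapse the two added lines back to a single intro: `Follow these steps to obtain support in Microsoft Intune:`. The same sentence also appears in the `@@ -43,7 +44,7 @@` hunk header for this file, so the rendered heading context is unaffected, but the stray colon will also need to be removed from the hunk that follows in the full patch.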
@@ -43,7 +44,7 @@ Follow these steps to obtain support in Microsoft Endpoint Manager:
 > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
 - To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
-For more information, see [Microsoft Endpoint Manager support page][MEM-1]
+For more information, see [Microsoft Intune support page][MEM-1]
 [MEM-1]: /mem/get-support
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 05dbf61f4b..301a6d1da2 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -13,7 +13,7 @@ IT administrators and technical teachers can use the **Set up School PCs** app t
 Set up School PCs also:
 * Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.
 * Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.
-* Utilizes Windows Update and maintenance hours to keeps student PCs up-to-date, without interfering with class time.
+* Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
 * Locks down the student PC to prevent activity that isn't beneficial to their education.
 This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
@@ -23,8 +23,6 @@ Before you begin, make sure that you, your computer, and your school's network a
 * Office 365 and Azure Active Directory
 * [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)
-* Permission to buy apps in Microsoft Store for Education
-* Set up School PCs app has permission to access the Microsoft Store for Education
 * A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
 * Student PCs must either:
 * Be within range of the Wi-Fi network that you configured in the app.
@@ -170,9 +168,9 @@ The following table describes each setting and lists the applicable Windows 10 v
 |---------|---------|---------|---------|---------|---------|---------|
 |Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
 |Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be shared between different students.|
-|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
+|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
 |Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password.
Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
-|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
+|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
 |Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
 After you've made your selections, click **Next**.
diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml
index c45c1980a0..d03213a9d3 100644
--- a/education/windows/windows-11-se-faq.yml
+++ b/education/windows/windows-11-se-faq.yml
@@ -3,7 +3,7 @@ metadata:
 title: Windows 11 SE Frequently Asked Questions (FAQ)
 description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
 ms.topic: faq
- ms.date: 09/14/2022
+ ms.date: 03/09/2023
 appliesto:
 - ✅ Windows 11 SE
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 9b877306f7..5744997054 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -2,7 +2,7 @@
 title: Windows 11 SE Overview
 description: Learn about Windows 11 SE, and the apps that are included with the operating system.
 ms.topic: article
-ms.date: 09/12/2022
+ms.date: 03/09/2023
 appliesto:
 - ✅ Windows 11 SE
 ms.collection:
@@ -94,6 +94,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
 | `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
 | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
+| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` |
 | `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
 | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
 | `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
@@ -106,7 +107,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
 | `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
 | `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
-| `Google Chrome` | 109.0.5414.75 | Win32 | `Google` |
+| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` |
+| `GuideConnect` | 1.23 | Win32 | `Dolphin Computer Access` |
 | `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
 | `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
 | `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 36e841ae91..633ac67aa7 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -2,7 +2,7 @@
 title: Windows 11 SE settings list
 description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
 ms.topic: article
-ms.date: 09/12/2022
+ms.date: 03/09/2023
 appliesto:
 - ✅ Windows 11 SE
 ms.collection:
@@ -53,7 +53,7 @@ The following settings can't be changed.
 | Allowed Account Types | Microsoft accounts and Azure AD accounts are allowed. |
 | Virtual Desktops | Virtual Desktops are blocked. |
 | Microsoft Store | The Microsoft Store is blocked. |
-| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
+| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Intune can run. |
 | Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). |
 ## Next steps
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index d6bbee15ca..e4d5e9ef2e 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -16,7 +16,7 @@ ms.date: 07/21/2021
 # Acquire apps in Microsoft Store for Business and Education
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index 4ea7713429..d2cf5a3906 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -19,7 +19,7 @@ ms.localizationpriority: medium
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index 3555366945..926aa750f9 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
index f59d3fa018..661d98861a 100644
--- a/store-for-business/apps-in-microsoft-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Education has thousands of apps from many different categories.
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index 7225de9903..c296c8f37d 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization.
diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md
index a258d9af7e..5205cbadba 100644
--- a/store-for-business/billing-payments-overview.md
+++ b/store-for-business/billing-payments-overview.md
@@ -17,7 +17,7 @@ manager: dansimp
 # Billing and payments
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Access invoices and managed your payment methods.
diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md
index 77f5fa0713..82581997ea 100644
--- a/store-for-business/billing-profile.md
+++ b/store-for-business/billing-profile.md
@@ -17,7 +17,7 @@ manager: dansimp
 # Understand billing profiles
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices.
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index d3b06dbe77..e500732cc9 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -16,7 +16,7 @@ manager: dansimp
 # Understand your Microsoft Customer Agreement invoice
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The invoice provides a summary of your charges and provides instructions for payment. It's available for download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 70adfcef94..190b9be3e6 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
@@ -45,6 +45,6 @@ After your management tool is added to your Azure AD directory, you can configur
 Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics:
 - [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
-- [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
 For third-party MDM providers or management servers, check your product documentation.
\ No newline at end of file
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 2cc25547e0..b443e48e71 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
index 39518d2c87..7f88c7212e 100644
--- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
+++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store.
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 8bde8ed28d..90e4939804 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index b1b43828f9..765f0b39ce 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education.
This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
@@ -45,7 +45,7 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y
 - **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages).
 - **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+ - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
 - [Manage apps from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
    For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
index 0a239cee50..ad4b5f621a 100644
--- a/store-for-business/find-and-acquire-apps-overview.md
+++ b/store-for-business/find-and-acquire-apps-overview.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 82901c7ebe..369336371c 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index 84c39959bb..2b8c3e26f4 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
index 855e3839ed..706e1bc726 100644
--- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**.
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
index 4b6f8bd99e..dfc9b3d00d 100644
--- a/store-for-business/manage-orders-microsoft-store-for-business.md
+++ b/store-for-business/manage-orders-microsoft-store-for-business.md
@@ -16,7 +16,7 @@ manager: dansimp
 # Manage app orders in Microsoft Store for Business and Education
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds.
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index b7765c7ea3..218f2b5aac 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -21,7 +21,7 @@ ms.localizationpriority: medium
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
index 37505459c3..e3d9147262 100644
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index de70959d59..36ec4938f9 100644
--- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index a5149c0b1e..3318a1ca0c 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -19,7 +19,7 @@ manager: dansimp
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 6516ad323c..a7009160fa 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index 548f8ecce0..264f2228e9 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store.
diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md
index b0d445d780..b56a2ebe5e 100644
--- a/store-for-business/payment-methods.md
+++ b/store-for-business/payment-methods.md
@@ -17,7 +17,7 @@ manager: dansimp
 # Payment methods
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
 - VISA
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 59d4c2b19b..0dd6457beb 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 5d9ea05e6c..e1fd90b393 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -15,7 +15,7 @@ manager: dansimp # Microsoft Store for Business and Education release history > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases. diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 6b9ac86995..1ca0ec4692 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md 
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md index 4a44723dd6..f29dace9ef 100644 --- a/store-for-business/settings-reference-microsoft-store-for-business.md +++ b/store-for-business/settings-reference-microsoft-store-for-business.md 
@@ -17,7 +17,7 @@ ms.date: 07/21/2021 # Settings reference: Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). The Microsoft Store for Business and Education has a group of settings that admins use to manage the store. diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md index 32cdba4b8f..4c4e855373 100644 --- a/store-for-business/sign-up-microsoft-store-for-business-overview.md +++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md 
@@ -21,7 +21,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps. diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index 074a34eb0f..f9154689ca 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md 
@@ -21,7 +21,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Troubleshooting topics for Microsoft Store for Business. 
@@ -53,7 +53,7 @@ The private store for your organization is a page in Microsoft Store app that co ![Private store for Contoso publishing.](images/wsfb-privatestoreapps.png) -## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager +## Troubleshooting Microsoft Store for Business integration with Microsoft Configuration Manager If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](/troubleshoot/mem/configmgr/troubleshoot-microsoft-store-for-business-integration). diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md index b277705e60..78cd7532b8 100644 --- a/store-for-business/update-microsoft-store-for-business-account-settings.md +++ b/store-for-business/update-microsoft-store-for-business-account-settings.md 
@@ -17,7 +17,7 @@ manager: dansimp # Update Billing account settings > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). A billing account contains defining information about your organization. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index ee29b9c93f..bc329afe4d 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md 
@@ -15,7 +15,7 @@ manager: dansimp # What's new in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education regularly releases new and improved features. diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 92b489f6ab..0a71365353 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md 
@@ -21,7 +21,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry. diff --git a/template.md b/template.md index 6049d2ff6d..c9529e25a3 100644 --- a/template.md +++ b/template.md 
@@ -290,4 +290,4 @@ Always include alt text for accessibility, and always end it with a period. ## docs.ms extensions > [!div class="nextstepaction"] -> [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr) +> [Microsoft Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr) diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 96f2e3ec05..2ae9fdd4fd 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -1,15 +1,16 @@ --- title: Add or hide optional apps and features on Windows devices | Microsoft Docs description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features. -ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.localizationpriority: medium ms.date: 08/30/2021 -ms.reviewer: ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier2 +ms.reviewer: --- # Add or hide features on the Windows client OS diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 506b43cbea..523ee3c2d8 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -1,15 +1,16 @@ --- title: Learn about the different app types in Windows 10/11 | Microsoft Docs description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. -ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.date: 12/07/2017 -ms.reviewer: -ms.localizationpriority: medium +ms.date: 02/09/2023 ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier2 +ms.reviewer: --- # Overview of apps on Windows client devices diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index f55199f3a5..19c8ec6649 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -1,14 +1,16 @@ --- title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 10/03/2017 -ms.reviewer: ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier2 +ms.reviewer: --- # Remove background task resource restrictions diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index 87c9ec2b04..14de444ad4 100644 --- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md 
@@ -3,9 +3,10 @@ author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 09/20/2021 -ms.reviewer: -ms.prod: w10 ms.topic: include +ms.prod: w10 +ms.collection: tier1 +ms.reviewer: --- Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at Azure Virtual Desktop with MSIX app attach. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal). diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index b26f9904a6..13ec789f1d 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -3,9 +3,12 @@ author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 09/28/2021 -ms.reviewer: -ms.prod: w10 ms.topic: include +ms.prod: windows-client +ms.technology: itpro-apps +ms.localizationpriortiy: medium +ms.collection: tier1 +ms.reviewer: --- **Applies to**: diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index 73c14c4195..da969d420b 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml 
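Review bot: The frontmatter key added to applies-to-windows-client-versions.md is misspelled — `ms.localizationpriortiy: medium` should be `ms.localizationpriority: medium`, the spelling every other file in this commit uses. A misspelled key is still valid YAML, so the build will most likely accept the file and silently ignore the intended localization priority rather than fail; whether the publishing pipeline warns on unknown metadata keys isn't visible from the diff. Since this file is an include (`ms.topic: include`) that other pages pull in, it's worth correcting before merge.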
@@ -6,14 +6,15 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management description: Learn about managing applications in Windows 10 and Windows 11. - ms.topic: landing-page - ms.prod: windows-client - ms.collection: - - highpri author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 08/24/2021 + ms.topic: landing-page + ms.prod: windows-client + ms.collection: + - tier1 + - highpri landingContent: # Cards and links should be based on top customer tasks or top subjects diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 56381683e9..d094fba726 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -1,18 +1,24 @@ --- title: Per-user services in Windows 10 and Windows Server description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates. -ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 09/14/2017 -ms.reviewer: +ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier2 +ms.reviewer: --- # Per-user services in Windows 10 and Windows Server -> Applies to: Windows 10, Windows Server +**Applies to**: + +- Windows 10 +- Windows Server Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. 
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index e9d56cf86b..5b0372ddb2 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -4,11 +4,13 @@ description: Use the Company Portal app in Windows 11 devices to access the priv author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.reviewer: amanh -ms.prod: windows-client ms.date: 09/15/2021 -ms.localizationpriority: medium +ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier2 +ms.reviewer: amanh --- # Private app repository in Windows 11 
@@ -63,7 +65,7 @@ To install the Company Portal app, you have some options: - **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use. - - In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in. + - In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in. - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates. 
@@ -80,17 +82,17 @@ To install the Company Portal app, you have some options: ## Customize the Company Portal app -Many organizations customize the Company Portal app to include their specific information. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more. +Many organizations customize the Company Portal app to include their specific information. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more. For more information, see [Configure the Intune Company Portal app](/mem/intune/apps/company-portal-app). ## Add your organization apps to the Company Portal app -When you add an app in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting. +When you add an app in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting. On co-managed devices (Microsoft Intune + Configuration Manager together), your Configuration Manager apps can also be shown in the Company Portal app. For more information, see [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal). -When the apps are shown, users can select and download the apps on their devices. You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Endpoint Manager admin center, see: +When the apps are shown, users can select and download the apps on their devices. 
You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Intune admin center, see: - [Add Microsoft 365 apps using Intune](/mem/intune/apps/apps-add-office365) - [Add web apps using Intune](/mem/intune/apps/web-app) diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index fb6660fbcf..80dcf53c89 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -1,15 +1,16 @@ --- title: Get the provisioned apps on Windows client operating system | Microsoft Docs -ms.reviewer: +description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.date: 12/07/2017 -description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. -ms.prod: windows-client -ms.localizationpriority: medium +ms.date: 01/12/2023 ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier1 +ms.reviewer: --- # Provisioned apps installed with the Windows client OS diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 57b52fce28..195ee09977 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md 
+++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -1,17 +1,22 @@ --- title: How to keep apps removed from Windows 10 from returning during an update description: How to keep provisioned apps that were removed from your machine from returning during an update. -ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 05/25/2018 -ms.reviewer: +ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier1 +ms.reviewer: --- # How to keep apps removed from Windows 10 from returning during an update -> Applies to: Windows 10 (General Availability Channel) +**Applies to**: + +- Windows 10 When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed post-update. This can happen if the computer was offline when you removed the apps. Windows 10, version 1803 has fixed this issue. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index f4ab632036..30203efdaf 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -1,15 +1,16 @@ --- title: Sideload LOB apps in Windows client OS | Microsoft Docs description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device. -ms.reviewer: author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 12/07/2017 -ms.prod: windows-client -ms.localizationpriority: medium -ms.technology: itpro-apps ms.topic: article +ms.prod: windows-client +ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier2 +ms.reviewer: --- # Sideload line of business (LOB) apps in Windows client devices 
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 692bae2fe3..f5c9589209 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -1,18 +1,23 @@ --- title: Service Host service refactoring in Windows 10 version 1703 description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703. -ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz ms.date: 07/20/2017 -ms.reviewer: +ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.colletion: tier1 +ms.reviewer: --- # Changes to Service Host grouping in Windows 10 -> Applies to: Windows 10 +**Applies to**: + +- Windows 10 The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance doesn't affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example: diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 6cfbbac63c..efc4c311ec 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md 
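Review bot: The new frontmatter key in svchost-service-refactoring.md is misspelled — `ms.colletion: tier1` should be `ms.collection: tier1`, matching the `ms.collection` key the sibling files in this commit add. As valid-but-unknown YAML it will presumably be dropped silently, so this page would end up without the tier assignment the commit intends; confirm whether the build tooling flags unrecognised keys. One-character fix, but it defeats the purpose of this metadata pass for that page.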
@@ -1,15 +1,16 @@ --- title: Get the system apps on Windows client operating system | Microsoft Docs -ms.reviewer: +description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.date: 12/07/2017 -description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. -ms.prod: windows-client -ms.localizationpriority: medium +ms.date: 2/14/2023 ms.topic: article +ms.prod: windows-client ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier1 +ms.reviewer: --- # System apps installed with the Windows client OS diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index af610cec3c..cc058826be 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md 
@@ -11,12 +11,12 @@ ms.reviewer: manager: aaroncz --- -# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Endpoint Manager admin center +# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center Microsoft Intune can be accessed directly using its own admin center. For more information, go to: -- [Tutorial: Walkthrough Intune in Microsoft Endpoint Manager admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) -- Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) +- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). If you use the Azure portal, then you can access Intune using the following steps: diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md index 5b7f08ac50..36449cf15b 100644 --- a/windows/client-management/change-history-for-mdm-documentation.md +++ b/windows/client-management/change-history-for-mdm-documentation.md @@ -308,7 +308,7 @@ As of November 2020 This page will no longer be updated. This article lists new |[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:

    Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.| |[CM_CellularEntries CSP](mdm/cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.| |[EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:
  • 0 (default) – Off / No protection (decrypts previously protected data).
  • 1 – Silent mode (encrypt and audit only).
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).| -|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allow-list-examples).| +|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allowlist-examples).| |[DeviceManageability CSP](mdm/devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:
  • Provider/ProviderID/ConfigInfo
  • Provider/ProviderID/EnrollmentInfo| |[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:
  • Installation/CurrentStatus| |[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 04d9be81f2..56b72cdf0a 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md @@ -41,7 +41,7 @@ Config lock isn't enabled by default, or turned on by the OS during boot. Rather The steps to turn on config lock using Microsoft Intune are as follows: 1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune. -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**. 1. Select the following and press **Create**: - **Platform**: Windows 10 and later - **Profile type**: Templates diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 88a544e7d9..2abfcd2135 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -1,94 +1,124 @@ --- -title: Connect to remote Azure Active Directory-joined PC (Windows) -description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC. +title: Connect to remote Azure Active Directory joined device (Windows) +description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device. ms.prod: windows-client author: vinaypamnani-msft ms.localizationpriority: medium ms.author: vinpa ms.date: 01/18/2022 -ms.reviewer: manager: aaroncz ms.topic: article +appliesto: + - ✅ Windows 10 and later + - ✅ Windows 11 and later ms.collection: - highpri - tier2 ms.technology: itpro-manage --- -# Connect to remote Azure Active Directory-joined PC +# Connect to remote Azure Active Directory joined device +From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP. -**Applies to** +- Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). +- Starting in Windows 10/11, with 2022-09 preview update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). -- Windows 10 -- Windows 11 +## Prerequisites +- Both devices (local and remote) must be running a supported version of Windows. +- Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**. + - It's recommended to select **Require devices to use Network Level Authentication to connect** option. +- If the user who joined the device to Azure AD is the only one who is going to connect remotely, no other configuration is needed. 
To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device. +- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device. -From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). +## Connect with Azure AD Authentication -![Remote Desktop Connection client.](images/rdp.png) +Azure AD Authentication can be used on the following operating systems: -## Set up +- Windows 11 with [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed. +- Windows 10, version 20H2 or later with [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed. +- Windows Server 2022 with [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed. -- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. -- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. 
Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. -- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. +There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from: -Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. +- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device. +- Active Directory joined device. +- Workgroup device. -- On the PC you want to connect to: +To connect to the remote computer: - 1. Open system properties for the remote PC. +- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. +- Specify the name of the remote computer. +- Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files). +- When prompted for credentials, specify your user name in `user@domain.com` format. +- You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. - 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. 
+> [!IMPORTANT] +> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. - ![Allow remote connections to this computer.](images/allow-rdp.png) +### Disconnection when the session is locked - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: +The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. - - Adding users manually +Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies. - You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: - ```powershell - net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" - ``` - where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. +## Connect without Azure AD Authentication - In order to execute this PowerShell command, you must be a member of the local Administrators group. 
Otherwise, you'll get an error like this example: - - for cloud only user: "There is no such global user or group : *name*" - - for synced user: "There is no such global user or group : *name*"
    - - > [!NOTE] - > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. - > - > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - - - Adding users using policy - - Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). - - > [!TIP] - > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. - - > [!NOTE] - > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials). - -## Supported configurations - -The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC: - -| Criteria | RDP from Azure AD registered device| RDP from Azure AD joined device| RDP from hybrid Azure AD joined device | -| - | - | - | - | -| **Client operating systems**| Windows 10, version 2004 and above| Windows 10, version 1607 and above | Windows 10, version 1607 and above | -| **Supported credentials**| Password, smartcard| Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust | +By default, RDP doesn't use Azure AD authentication, even if the remote PC supports it. 
This method allows you to connect to the remote Azure AD joined device from: +- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later. +- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later. > [!NOTE] -> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). +> Both the local and remote device must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. + +To connect to the remote computer: + +- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. +- Specify the name of the remote computer. +- When prompted for credentials, specify your user name in either `user@domain.com` or `AzureAD\user@domain.com` format. + +> [!TIP] +> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is AAD joined. If you are signing in to your work account, try using your work email address**. > [!NOTE] -> When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). In this scenario, Network Level Authentication should be disabled to run the connection. 
+> For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. -## Related topics +### Supported configurations + +This table lists the supported configurations for remotely connecting to an Azure AD joined device: + +| **Criteria** | **Client operating system** | **Supported credentials** | +|--------------------------------------------|-----------------------------------|--------------------------------------------------------------------| +| RDP from **Azure AD registered device** | Windows 10, version 2004 or later | Password, smart card | +| RDP from **Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust | +| RDP from **hybrid Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust | + +> [!NOTE] +> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). + +> [!NOTE] +> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through RDP resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection. + +## Add users to Remote Desktop Users group + +Remote Desktop Users group is used to grant users and groups permissions to remotely connect to the device. 
Users can be added either manually or through MDM policies: + +- **Adding users manually**: + + You can specify individual Azure AD accounts for remote connections by running the following command, where `` is the UPN of the user, for example `user@domain.com`: + + ```cmd + net localgroup "Remote Desktop Users" /add "AzureAD\" + ``` + + In order to execute this command, you must be a member of the local Administrators group. Otherwise, you may see an error similar to `There is no such global user or group: `. + +- **Adding users using policy**: + + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). + +## Related articles [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md index 1f8a9dd881..246e8babc9 100644 --- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md 
@@ -48,9 +48,9 @@ The zip file will have logs according to the areas that were used in the command - DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) -- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. +- MDMDiagHtmlReport.html: Summary snapshot of MDM configurations and policies. Includes, management url, MDM server device ID, certificates, policies. - MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool -- MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables +- MDMDiagReport.xml: contains a more detailed view into the MDM configurations, such as enrollment variables, provisioning packages, multivariant conditions, and others. For more information about diagnosing provisioning packages, see [Diagnose provisioning packages](/windows/configuration/provisioning-packages/diagnose-provisioning-packages). - MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command - *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index 88f302cdce..91645ea1af 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md +++ b/windows/client-management/implement-server-side-mobile-application-management.md 
@@ -7,7 +7,7 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 08/03/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz --- 
@@ -18,44 +18,45 @@ The Windows version of mobile application management (MAM) is a lightweight solu ## Integration with Azure AD -MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  +MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user's actions. 
If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. -Regular non-admin users can enroll to MAM.  +Regular non-admin users can enroll to MAM. ## Integration with Windows Information Protection -MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.  +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. 
To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf. To make applications WIP-aware, app developers need to include the following data in the app resource file. ``` syntax -// Mark this binary as Allowed for WIP (EDP) purpose  +// Mark this binary as Allowed for WIP (EDP) purpose MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID BEGIN 0x0001 - END  + END ``` ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. :::image type="content" alt-text="Mobile application management app." 
source="images/implement-server-side-mobile-application-management.png"::: MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. > [!NOTE] -> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  +> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured. ## MAM enrollment -MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  +MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method. + +Below are protocol changes for MAM enrollment: -Below are protocol changes for MAM enrollment:  - MDM discovery isn't supported. - APPAUTH node in [DMAcc CSP](mdm/dmacc-csp.md) is optional. - MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. 
Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. @@ -74,7 +75,7 @@ Here's an example provisioning XML for MAM enrollment. ``` -Since the [Poll](mdm/dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours. +Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't provided above, the device would default to once every 24 hours. ## Supported CSPs @@ -95,7 +96,6 @@ MAM on Windows supports the following configuration service providers (CSPs). Al - [VPNv2 CSP](mdm/vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. - [WiFi CSP](mdm/wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. - ## Device lock policies and EAS MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. 
@@ -120,7 +120,7 @@ Windows doesn't support applying both MAM and MDM policies to the same devices. To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. -In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: +In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user's access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: - Both MAM and MDM policies for the organization support Windows Information Protection. - EDP CSP Enterprise ID is the same for both MAM and MDM. diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index f50369aa36..5c3c9714b8 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md 
@@ -1,30 +1,580 @@ --- -title: Language Pack Management CSP -description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. -ms.reviewer: +title: LanguagePackManagement CSP +description: Learn more about the LanguagePackManagement CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/22/2021 +ms.topic: reference --- -# Language Pack Management CSP + -The table below shows the applicability of Windows: + +# LanguagePackManagement CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + + The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](/powershell/module/languagepackmanagement) PowerShell module. 
+ + + +The following list shows the LanguagePackManagement configuration service provider nodes: + +- ./Device/Vendor/MSFT/LanguagePackManagement + - [Install](#install) + - [{Language ID}](#installlanguage-id) + - [CopyToDeviceInternationalSettings](#installlanguage-idcopytodeviceinternationalsettings) + - [EnableLanguageFeatureInstallations](#installlanguage-idenablelanguagefeatureinstallations) + - [ErrorCode](#installlanguage-iderrorcode) + - [StartInstallation](#installlanguage-idstartinstallation) + - [Status](#installlanguage-idstatus) + - [InstalledLanguages](#installedlanguages) + - [{Language ID}](#installedlanguageslanguage-id) + - [LanguageFeatures](#installedlanguageslanguage-idlanguagefeatures) + - [Providers](#installedlanguageslanguage-idproviders) + - [LanguageSettings](#languagesettings) + - [SystemPreferredUILanguages](#languagesettingssystempreferreduilanguages) + + + +## Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install +``` + + + + +Language to be installed or being installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Install/{Language ID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID} +``` + + + + +Language tag of the language to be installed or being installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Language tag of the language to be installed or being installed. | + + + + + + + + + +#### Install/{Language ID}/CopyToDeviceInternationalSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/CopyToDeviceInternationalSettings +``` + + + + +Copies the language to the international settings (i.e., locale, input layout, speech recognizer, preferred UI language) of the device immediately after installation if the value is true. Default value is false. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Don't copy the language to the international settings immediately after installation. | +| true | Copy the language to the international settings immediately after installation. | + + + + + + + + + +#### Install/{Language ID}/EnableLanguageFeatureInstallations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/EnableLanguageFeatureInstallations +``` + + + + +Enables installations of all available language features when the value is true. Default value is true. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true (Default) | Install all available language features. | +| false | Install only the required language features. | + + + + + + + + + +#### Install/{Language ID}/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/ErrorCode +``` + + + + +Error code of queued language installation. 0 if there is no error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Install/{Language ID}/StartInstallation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/StartInstallation +``` + + + + +Execution node to queue a language for installation on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +#### Install/{Language ID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/Status +``` + + + + +Status of the language queued for install. 0 - not started; 1 - in progress; 2 - succeeded; 3 - failed; 4 - partially succeeded. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## InstalledLanguages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages +``` + + + + +Languages currently installed on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### InstalledLanguages/{Language ID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/{Language ID} +``` + + + + +Language tag of an installed language on the device. Delete to uninstall. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### InstalledLanguages/{Language ID}/LanguageFeatures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/{Language ID}/LanguageFeatures +``` + + + + +Numeric representation of the language features installed. Basic Typing - 1 (0x1), Fonts - 2 (0x2), Handwriting - 4 (0x4), Speech - 8 (0x8), TextToSpeech - 16 (0x10), OCR - 32 (0x20), LocaleData - 64 (0x40), SupplementFonts - 128 (0x80). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### InstalledLanguages/{Language ID}/Providers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/{Language ID}/Providers +``` + + + + +Numeric representation of how a language is installed. 1 - The system language pack is installed; 2 - The Local Experience Pack is installed; 3 - Both are installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## LanguageSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings +``` + + + + +Language settings of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### LanguageSettings/SystemPreferredUILanguages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages +``` + + + + +System Preferred UI Language of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + + +## Examples 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: @@ -60,10 +610,10 @@ The Language Pack Management CSP allows a way to easily add languages and relate - System Preferred UI Language - System Locale - Default settings for new users - - Input Method (keyboard) - - Locale - - Speech Recognizer - - User Preferred Language List + - Input Method (keyboard) + - Locale + - Speech Recognizer + - User Preferred Language List - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. false- will install only required features; true (default)- will install all available features. Here are the sample commands to install French language with required features and copy to the device's international settings: 
@@ -79,7 +629,6 @@ The Language Pack Management CSP allows a way to easily add languages and relate **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** Status: 0 – not started; 1 – in progress; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates not all the provisioning operations succeeded, for example, there was an error installing the language pack or features). - ErrorCode: An HRESULT that could help diagnosis if the installation failed or partially failed. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. Below is a sample command to delete the zh-CN language. @@ -92,7 +641,10 @@ The Language Pack Management CSP allows a way to easily add languages and relate 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 5fe3530eca..beefa0c052 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md 
@@ -1,99 +1,143 @@ --- title: ActiveSync CSP -description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. -ms.reviewer: +description: Learn more about the ActiveSync CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # ActiveSync CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status. Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported. > [!NOTE] -> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. +> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. The `./Vendor/MSFT/ActiveSync` path is deprecated. + -On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in. + +The following list shows the ActiveSync configuration service provider nodes: -The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term. 
+- ./User/Vendor/MSFT/ActiveSync + - [Accounts](#accounts) + - [{Account GUID}](#accountsaccount-guid) + - [AccountIcon](#accountsaccount-guidaccounticon) + - [AccountName](#accountsaccount-guidaccountname) + - [AccountType](#accountsaccount-guidaccounttype) + - [Domain](#accountsaccount-guiddomain) + - [EmailAddress](#accountsaccount-guidemailaddress) + - [Options](#accountsaccount-guidoptions) + - [CalendarAgeFilter](#accountsaccount-guidoptionscalendaragefilter) + - [ContentTypes](#accountsaccount-guidoptionscontenttypes) + - [{Content Type GUID}](#accountsaccount-guidoptionscontenttypescontent-type-guid) + - [Enabled](#accountsaccount-guidoptionscontenttypescontent-type-guidenabled) + - [Name](#accountsaccount-guidoptionscontenttypescontent-type-guidname) + - [Logging](#accountsaccount-guidoptionslogging) + - [MailAgeFilter](#accountsaccount-guidoptionsmailagefilter) + - [MailBodyType](#accountsaccount-guidoptionsmailbodytype) + - [MailHTMLTruncation](#accountsaccount-guidoptionsmailhtmltruncation) + - [MailPlainTextTruncation](#accountsaccount-guidoptionsmailplaintexttruncation) + - [Schedule](#accountsaccount-guidoptionsschedule) + - [UseSSL](#accountsaccount-guidoptionsusessl) + - [Password](#accountsaccount-guidpassword) + - [Policies](#accountsaccount-guidpolicies) + - [MailBodyType](#accountsaccount-guidpoliciesmailbodytype) + - [MaxMailAgeFilter](#accountsaccount-guidpoliciesmaxmailagefilter) + - [ServerName](#accountsaccount-guidservername) + - [UserName](#accountsaccount-guidusername) + -The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. 
+ +## Accounts -```console -./Vendor/MSFT -ActiveSync -----Accounts ---------Account GUID -------------EmailAddress -------------Domain -------------AccountIcon -------------AccountType -------------AccountName -------------Password -------------ServerName -------------UserName -------------Options -----------------CalendarAgeFilter -----------------Logging -----------------MailBodyType -----------------MailHTMLTruncation -----------------MailPlainTextTruncation -----------------Schedule -----------------UseSSL -----------------MailAgeFilter -----------------ContentTypes ---------------------Content Type GUID -------------------------Enabled -------------------------Name -------------Policies -----------------MailBodyType -----------------MaxMailAgeFilter + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts ``` + -**./User/Vendor/MSFT/ActiveSync** -The root node for the ActiveSync configuration service provider. + + +The parent node group all active sync accounts. + -> [!NOTE] -> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. + + + -On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in. + +**Description framework properties**: -The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The supported operation is Get. + + + -**Accounts** -The root node for all ActiveSync accounts. + -The supported operation is Get. + +### Accounts/{Account GUID} -***Account GUID*** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID} +``` + + + + Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device. + -Supported operations are Get, Add, and Delete. - + + When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account. + -Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + +**Example**: + +Braces `{}` are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: ```xml @@ -108,196 +152,1024 @@ For OMA DM, you must use the ASCII values of %7B and %7D for the opening and clo ``` + + + + + +#### Accounts/{Account GUID}/AccountIcon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/AccountIcon +``` + + + + +Specify the location of the icon associated with the account. + + + + +The account icon can be used as a tile in the Start list or an icon in the applications list under **Settings** > **Email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.genericmail.png`. The suggested icon for Exchange Accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.office.outlook.png`. Custom icons can be added if desired. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/AccountName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/AccountName +``` + + + + +The name that refers to the account on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/AccountType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/AccountType +``` + + + + +Specify the account type. This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/Domain + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Domain +``` + + + + +Domain name of the Exchange server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/EmailAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/EmailAddress +``` + + + + +The email address the user entered during setup. This is the email address that is associated with the Exchange ActiveSync account and it is required. + + + + +This email address is entered by the user during setup and must be in the fully qualified email address format, for example, `someone@example.com`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/Options + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options +``` + + + + +Specifies whether email, contacts, and calendar need to synchronize by default, and sets preference such as sync schedule, truncation sizes, and logging. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/CalendarAgeFilter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/CalendarAgeFilter +``` + + + + +Specifies the time window used for syncing calendar items to the phone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/ContentTypes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/ContentTypes +``` + + + + +Interior node for Content Types. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID} +``` + + + + +Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID. Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}. Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: The GUID values allowed are one of the following: Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}". Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}". Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}". Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}". | + + + + + + + + + +###### Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID}/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID}/Enabled +``` + + + + +Enables or disables Sync for Email, contacts, calendar, and Tasks. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Sync for email, contacts, calendar, or tasks is disabled. | +| 1 (Default) | Sync is enabled. | + + + + + + + + + +###### Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID}/Name +``` + + + + +The name of the content type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/Logging + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/Logging +``` + + + + +Specifies whether diagnostic logging is enabled and at what level. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Logging is off. | +| 1 | Basic logging is enabled. | +| 2 | Advanced logging is enabled. | + + + + + + + + + +##### Accounts/{Account GUID}/Options/MailAgeFilter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/MailAgeFilter +``` + + + + +Specifies the time window used for syncing email items to the phone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | No age filter is used, and all email items are synced to the device. | +| 1 | Only email up to one day old is synced to the device. | +| 2 | Only email up to three days old is synced to the device. | +| 3 (Default) | Email up to a week old is synced to the device. | +| 4 | Email up to two weeks old is synced to the device. | +| 5 | Email up to a month old is synced to the device. | +| 6 | Email up to three months old is synced to the device. | + + + + + + + + + +##### Accounts/{Account GUID}/Options/MailBodyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/MailBodyType +``` + + + + +Indicates format type of the Email. Supported values are 0 (none), 1 (text), 2 (HTML), 3 (RTF), and 4 (MIME). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | None. | +| 1 | Text. | +| 2 | HTML. | +| 3 | RTF. | +| 4 | MIME. | + + + + + + + + + +##### Accounts/{Account GUID}/Options/MailHTMLTruncation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/MailHTMLTruncation +``` + + + + +This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/MailPlainTextTruncation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/MailPlainTextTruncation +``` + + + + +This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/Schedule + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/Schedule +``` + + + + +Specifies the time until the next sync is performed in minutes. If -1 is chosen, a sync will occur as items are received. If a 0 is chosen, all syncs must be performed manually. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[(-1)-4294967295]` | +| Default Value | -1 | + + + + + + + + + +##### Accounts/{Account GUID}/Options/UseSSL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/UseSSL +``` + + + + +Specifies whether SSL is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | SSL is not used. | +| 1 (Default) | SSL is used. | + + + + + + + + + +#### Accounts/{Account GUID}/Password + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Password +``` + + + + +A character string that specifies the password for the account. For the Get command, only asterisks are returned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Policies +``` + + + + +Specifies the mail body type and email age filter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Policies/MailBodyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Policies/MailBodyType +``` + + + + +Specifies the email body type. HTML or plain. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| HTML | HTML. | +| plain | Plain. | + + + + + + + + + +##### Accounts/{Account GUID}/Policies/MaxMailAgeFilter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Policies/MaxMailAgeFilter +``` + + + + +Specifies the time window used for syncing mail items to the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/ServerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/ServerName +``` + + + + +Specifies the server name used by the account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -***Account GUID*/EmailAddress** -Required. A character string that specifies the email address associated with the Exchange ActiveSync account. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com". - -***Account GUID*/Domain** -Optional for Exchange. Specifies the domain name of the Exchange server. - -Supported operations are Get, Replace, Add, and Delete. - -***Account GUID*/AccountIcon** -Required. A character string that specifies the location of the icon associated with the account. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired. - -***Account GUID*/AccountType** -Required. A character string that specifies the account type. - -Supported operations are Get and Add (can't Add after the account is created). - -This value is entered during setup and can't be modified once entered. 
An Exchange account is indicated by the string value "Exchange". - -***Account GUID*/AccountName** -Required. A character string that specifies the name that refers to the account on the device. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -***Account GUID*/Password** -Required. A character string that specifies the password for the account. - -Supported operations are Get, Replace, Add, and Delete. - -For the Get command, only asterisks are returned. - -***Account GUID*/ServerName** -Required. A character string that specifies the server name used by the account. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -***Account GUID*/UserName** -Required. A character string that specifies the user name for the account. - -Supported operations are Get, and Add (can't Add after the account is created). - -The user name can't be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com". - -**Options** -Node for other parameters. - -**Options/CalendarAgeFilter** -Specifies the time window used for syncing calendar items to the device. Value type is chr. - -**Options/Logging** -Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled). - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -Valid values are any of the following values: - -- 0 (default) - Logging is off. - -- 1 - Basic logging is enabled. - -- 2 - Advanced logging is enabled. - -Logging is set to off by default. 
The user might be asked to set this logging to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic. - -**Options/MailBodyType** -Indicates the email format. Valid values: - -- 0 - none -- 1 - text -- 2 - HTML -- 3 - RTF -- 4 - MIME - -**Options/MailHTMLTruncation** -Specifies the size beyond which HTML-formatted email messages are truncated when they're synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation. - -**Options/MailPlainTextTruncation** -This setting specifies the size beyond which text-formatted e-mail messages are truncated when they're synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. - -**Options/UseSSL** -Optional. A character string that specifies whether SSL is used. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -Valid values are: - -- 0 - SSL isn't used. - -- 1 (default) - SSL is used. - -**Options/Schedule** -Required. A character string that specifies the time until the next sync is performed, in minutes. The default value is -1. - -Supported operations are Get and Replace. - -Valid values are any of the following values: - -- -1 (default) - A sync will occur as items are received - -- 0 - All syncs must be performed manually - -- 15 - Sync every 15 minutes - -- 30 - Sync every 30 minutes - -- 60 - Sync every 60 minutes - -**Options/MailAgeFilter** -Required. A character string that specifies the time window used for syncing email items to the device. The default value is 3. - -Supported operations are Get and Replace. - -Valid values are any of the following values: - -- 0 – No age filter is used, and all email items are synced to the device. - -- 2 – Only email up to three days old is synced to the device. - -- 3 (default) – Email up to a week old is synced to the device. 
- -- 4 – Email up to two weeks old is synced to the device. - -- 5 – Email up to a month old is synced to the device. - -**Options/ContentTypes/***Content Type GUID* -Defines the type of content to be individually enabled/disabled for sync. - -The *GUID* values allowed are any of the following values: - -- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}" - -- Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}" - -- Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}" - -- Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}" - -**Options/ContentTypes/*Content Type GUID*/Enabled** -Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled). - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -Valid values are any of the following values: - -- 0 - Sync for email, contacts, calendar, or tasks are disabled. -- 1 (default) - Sync is enabled. - -**Options/ContentTypes/*Content Type GUID*/Name** -Required. A character string that specifies the name of the content type. - -> [!NOTE] -> In Windows 10, this node is currently not working. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected. - -**Policies** -Node for mail body type and email age filter. - -**Policies/MailBodyType** -Required. Specifies the email body type: HTML or plain. - -Value type is string. - -Supported operations are Add, Get, Replace, and Delete. - -**Policies/MaxMailAgeFilter** -Required. Specifies the time window used for syncing mail items to the device. - -Value type is string. Supported operations are Add, Get, Replace, and Delete. 
- -## Related topics - -[Configuration service provider reference](index.yml) - - + + + + + + +#### Accounts/{Account GUID}/UserName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/UserName +``` + + + +Specifies the user name for the account. The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "`someone@example.com`", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "`someone@example.com`". + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 0bf7e5329b..5128680488 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md 
@@ -1,36 +1,32 @@ --- title: ActiveSync DDF file -description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # ActiveSync DDF file -This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the ActiveSync configuration service provider. ```xml - -]> +]> 1.2 + + ActiveSync - ./Vendor/MSFT + ./User/Vendor/MSFT @@ -46,8 +42,13 @@ The XML below is the current version for this CSP. - com.microsoft/1.0/MDM/ActiveSync + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + Accounts @@ -66,17 +67,18 @@ The XML below is the current version for this CSP. - + - + + - - + + Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device. 
@@ -90,17 +92,23 @@ The XML below is the current version for this CSP. Account GUID - + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + EmailAddress - - + + The email address the user entered during setup. This is the email address that is associated with the Exchange ActiveSync account and it is required. @@ -113,18 +121,20 @@ The XML below is the current version for this CSP. - text/plain + + + Domain - - + + Domain name of the Exchange server @@ -137,18 +147,20 @@ The XML below is the current version for this CSP. - text/plain + + + AccountIcon - - + + Specify the location of the icon associated with the account. @@ -161,20 +173,22 @@ The XML below is the current version for this CSP. - text/plain + + + AccountType - - + + - Specify the account type. + Specify the account type. This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange". @@ -185,20 +199,22 @@ The XML below is the current version for this CSP. - text/plain + + + AccountName - - + + - The name that refers to the account on the phone. + The name that refers to the account on the device. @@ -209,20 +225,22 @@ The XML below is the current version for this CSP. - text/plain + + + Password - - + + - A character string that specifies the password for the account. + A character string that specifies the password for the account. For the Get command, only asterisks are returned. @@ -233,18 +251,20 @@ The XML below is the current version for this CSP. - text/plain + + + ServerName - - + + Specifies the server name used by the account. 
@@ -257,20 +277,22 @@ The XML below is the current version for this CSP. - text/plain + + + UserName - - + + - Specifies the user name for the account. + Specifies the user name for the account. The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com". @@ -281,18 +303,20 @@ The XML below is the current version for this CSP. - text/plain + + + Options - - + + Specifies whether email, contacts, and calendar need to synchronize by default, and sets preference such as sync schedule, truncation sizes, and logging. @@ -305,17 +329,17 @@ The XML below is the current version for this CSP. - + CalendarAgeFilter - - + + Specifies the time window used for syncing calendar items to the phone. @@ -328,19 +352,22 @@ The XML below is the current version for this CSP. - text/plain + + + Logging - - + + + 0 Specifies whether diagnostic logging is enabled and at what level. @@ -352,18 +379,32 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + Logging is off. + + + 1 + Basic logging is enabled. + + + 2 + Advanced logging is enabled. + + MailBodyType - - + + Indicates format type of the Email. Supported values are 0 (none), 1 (text), 2 (HTML), 3 (RTF), and 4 (MIME). @@ -376,18 +417,40 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + none + + + 1 + text + + + 2 + HTML + + + 3 + RTF + + + 4 + MIME + + MailHTMLTruncation - - + + This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. 
@@ -400,18 +463,20 @@ The XML below is the current version for this CSP. - text/plain + + + MailPlainTextTruncation - - + + This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. @@ -424,20 +489,23 @@ The XML below is the current version for this CSP. - text/plain + + + Schedule - - + + - Specifies the time until the next sync is performed in minutes. + -1 + Specifies the time until the next sync is performed in minutes. If -1 is chosen, a sync will occur as items are received. If a 0 is chosen, all syncs must be performed manually. @@ -448,19 +516,23 @@ The XML below is the current version for this CSP. - text/plain + + + [(-1)-4294967295] + UseSSL - - + + + 1 Specifies whether SSL is used. @@ -472,19 +544,30 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + SSL is not used. + + + 1 + SSL is used. + + MailAgeFilter - - + + + 3 Specifies the time window used for syncing email items to the phone. @@ -496,19 +579,50 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + No age filter is used, and all email items are synced to the device. + + + 1 + Only email up to one day old is synced to the device + + + 2 + Only email up to three days old is synced to the device. + + + 3 + Email up to a week old is synced to the device. + + + 4 + Email up to two weeks old is synced to the device. + + + 5 + Email up to a month old is synced to the device. + + + 6 + Email up to three months old is synced to the device. + + ContentTypes - - + + + Interior node for Content Types 
@@ -519,42 +633,47 @@ The XML below is the current version for this CSP. - + - + + - - + + - Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} + Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} - 1 + Content Type GUID - + + + The GUID values allowed are one of the following: Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}". Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}". Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}". Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}". + Enabled - - + + + 1 Enables or disables Sync for Email, contacts, calendar, and Tasks. @@ -566,18 +685,28 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + Sync for email, contacts, calendar, or tasks is disabled. + + + 1 + Sync is enabled. + + Name - - + + The name of the content type. @@ -590,25 +719,50 @@ The XML below is the current version for this CSP. - text/plain + + + - + - Policies + Policies + + + + + + + + Specifies the mail body type and email age filter. + + + + + + + + + + + + + + + MailBodyType - - + + - Specifies the mail body type and email age filter. + Specifies the email body type. HTML or plain - + 
@@ -617,57 +771,46 @@ The XML below is the current version for this CSP. - + + + + HTML + HTML + + + plain + plain + + - - MailBodyType - - - - - - - - Specifies the email body type. HTML or plain - - - - - - - - - - - text/plain - - - - - MaxMailAgeFilter - - - - - - - - Specifies the time window used for syncing mail items to the device. - - - - - - - - - - - text/plain - - - + + + MaxMailAgeFilter + + + + + + + + Specifies the time window used for syncing mail items to the device. + + + + + + + + + + + + + + + + @@ -675,6 +818,6 @@ The XML below is the current version for this CSP. ``` -## Related topics +## Related articles -[ActiveSync configuration service provider](activesync-csp.md) +[ActiveSync configuration service provider reference](activesync-csp.md) diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 749f34bf9b..27821afa03 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md 
@@ -1,55 +1,135 @@ --- -title: ApplicationControl CSP DDF -description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML. +title: ApplicationControl DDF file +description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/10/2019 +ms.topic: reference --- -# ApplicationControl CSP DDF + -This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# ApplicationControl DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). +The following XML file contains the device description framework (DDF) for the ApplicationControl configuration service provider. ```xml -]> +]> 1.2 + + + + ApplicationControl + ./Vendor/MSFT + + + + + Root Node of the ApplicationControl CSP + + + + + + + + + + + + + + 10.0.18362 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Policies + + + + + Beginning of a Subtree that contains all policies. + + + + + + + + + + Policies + + + + - ApplicationControl - ./Vendor/MSFT + + - Root Node of the ApplicationControl CSP. + The GUID of the Policy - + - + + Policy GUID - + + + The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. + - Policies + Policy + + + + + + + + The policy binary encoded as base64. 
Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet. + + + + + + + + + + Policy + + + + + + + + + PolicyInfo - Beginning of a Subtree that contains all policies. + Information Describing the Policy indicated by the GUID 
@@ -57,219 +137,337 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + - Policies + PolicyInfo - + - + Version - The GUID of the Policy. + Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type - + - + - Policy GUID + Version - + + + + + + IsBasePolicy + + + + + TRUE/FALSE if the Policy is a Base Policy versus a Supplemental Policy + + + + + + + + + + IsBasePolicy + + + + + + + IsSystemPolicy + + + + + TRUE/FALSE if the Policy is a System Policy, that is a policy managed by Microsoft as part of the OS + + + + + + + + + + IsSystemPolicy + + + + + + + IsEffective + + + + + Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect) + + + + + + + + + + IsEffective + + + + + + + IsDeployed + + + + + Whether the Policy indicated by the GUID is deployed on the system (on the physical machine) + + + + + + + + + + IsDeployed + + + + + + + IsAuthorized + + + + + Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system + + + + + + + + + + IsAuthorized + + + + + + + Status + + + + + The Current Status of the Policy Indicated by the Policy GUID + + + + + + + + + + Status + + + + + + + FriendlyName + + + + + The FriendlyName of the Policy Indicated by the Policy GUID + + + + + + + + + + FriendlyName + + - - Policy - - - - - - - - The policy binary encoded as base64. - - - - - - - - - - Policy - - - - - - - PolicyInfo - - - - - Information Describing the Policy indicated by the GUID. - - - - - - - - - - PolicyInfo - - - - - - Version - - - - - Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type. - - - - - - - - - - Version - - text/plain - - - - - IsEffective - - - - - Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect). 
- - - - - - - - - - IsEffective - - text/plain - - - - - IsDeployed - - - - - Whether the Policy indicated by the GUID is deployed on the system (on the physical machine). - - - - - - - - - - IsDeployed - - text/plain - - - - - IsAuthorized - - - - - Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. - - - - - - - - - - IsAuthorized - - text/plain - - - - - Status - - - - - The Current Status of the Policy Indicated by the Policy GUID. - - - - - - - - - - Status - - text/plain - - - - - FriendlyName - - - - - The FriendlyName of the Policy Indicated by the Policy GUID. - - - - - - - - - - FriendlyName - - text/plain - - - - + + + Tokens + + + + + Beginning of a Subtree that contains all tokens. + + + + + + + + + + Tokens + + + + + + + + + + + + Arbitrary ID used to differentiate tokens + + + + + + + + + + ID + + + + + The ApplicationControl CSP enforces that the "ID" segment of a given token URI is unique. + + + + Token + + + + + + + + The token binary encoded as base64. Supported value is a binary file, obtained from the OneCoreDeviceUnlockService. + + + + + + + + + + Token + + + + + + + + + TokenInfo + + + + + Information Describing the Token indicated by the corresponding ID. + + + + + + + + + + TokenInfo + + + + + + Status + + + + + The Current Status of the Token Indicated by the Token ID + + + + + + + + + + Status + + + + + + + Type + + + + + The Type of Token Indicated by the Token ID + + + + + + + + + + Type + + + + + + + + + ``` -## Related topics +## Related articles -[ApplicationControl configuration service provider](applicationcontrol-csp.md) \ No newline at end of file +[ApplicationControl configuration service provider reference](applicationcontrol-csp.md) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 58e6ece757..8e4b0ab2da 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md 
+++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -1,155 +1,791 @@ --- title: ApplicationControl CSP -description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server. +description: Learn more about the ApplicationControl CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.reviewer: jsuther1974 -ms.date: 09/10/2020 +ms.topic: reference --- + + + # ApplicationControl CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. + + +Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. 
This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. + -The following example shows the ApplicationControl CSP in tree format. + +The following list shows the ApplicationControl configuration service provider nodes: -```console -./Vendor/MSFT -ApplicationControl -----Policies ---------Policy GUID -------------Policy -------------PolicyInfo -----------------Version -----------------IsEffective -----------------IsDeployed -----------------IsAuthorized -----------------Status -----------------FriendlyName -------------Token -----------------TokenID -----Tokens ---------ID -------------Token -------------TokenInfo -----------------Status -------------PolicyIDs -----------------Policy GUID -----TenantID -----DeviceID +- ./Vendor/MSFT/ApplicationControl + - [Policies](#policies) + - [{Policy GUID}](#policiespolicy-guid) + - [Policy](#policiespolicy-guidpolicy) + - [PolicyInfo](#policiespolicy-guidpolicyinfo) + - [FriendlyName](#policiespolicy-guidpolicyinfofriendlyname) + - [IsAuthorized](#policiespolicy-guidpolicyinfoisauthorized) + - [IsBasePolicy](#policiespolicy-guidpolicyinfoisbasepolicy) + - [IsDeployed](#policiespolicy-guidpolicyinfoisdeployed) + - 
[IsEffective](#policiespolicy-guidpolicyinfoiseffective) + - [IsSystemPolicy](#policiespolicy-guidpolicyinfoissystempolicy) + - [Status](#policiespolicy-guidpolicyinfostatus) + - [Version](#policiespolicy-guidpolicyinfoversion) + - [Tokens](#tokens) + - [{ID}](#tokensid) + - [Token](#tokensidtoken) + - [TokenInfo](#tokensidtokeninfo) + - [Status](#tokensidtokeninfostatus) + - [Type](#tokensidtokeninfotype) + + + +## Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies ``` + -**./Vendor/MSFT/ApplicationControl** -Defines the root node for the ApplicationControl CSP. + + +Beginning of a Subtree that contains all policies. + -Scope is permanent. Supported operation is Get. + + +Each policy is identified by their globally unique identifier (GUID). + -**ApplicationControl/Policies** -An interior node that contains all the policies, each identified by their globally unique identifier (GUID). + +**Description framework properties**: -Scope is permanent. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**ApplicationControl/Policies/_Policy GUID_** -The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node. + + + -Scope is dynamic. Supported operation is Get. + -**ApplicationControl/Policies/_Policy GUID_/Policy** -This node is the policy binary itself, which is encoded as base64. + +### Policies/{Policy GUID} -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -Value type is b64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet. + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID} +``` + + + +The GUID of the Policy. + + + + +Each Policy GUID node contains a Policy node and a corresponding PolicyInfo node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. | + + + + + + + + + +#### Policies/{Policy GUID}/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/Policy +``` + + + + +The policy binary encoded as base64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet. + + + + Default value is empty. + -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo** -An interior node that contains the nodes that describe the policy indicated by the GUID. + +**Description framework properties**: -Scope is dynamic. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Delete, Get, Replace | + -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version** -This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type. + + + -Scope is dynamic. Supported operation is Get. + -Value type is char. + +#### Policies/{Policy GUID}/PolicyInfo -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** -This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -Scope is dynamic. Supported operation is Get. + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo +``` + -Value type is bool. Supported values are as follows: + + +Information Describing the Policy indicated by the GUID. + -- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system. -- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value. + + + -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** -This node specifies whether a policy is deployed on the system and is present on the physical machine. + +**Description framework properties**: -Scope is dynamic. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Value type is bool. Supported values are as follows: + + + -- True—Indicates that the policy is deployed on the system and is present on the physical machine. -- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value. + -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** -This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system. + +##### Policies/{Policy GUID}/PolicyInfo/FriendlyName -Scope is dynamic. Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -Value type is bool. Supported values are as follows: + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/FriendlyName +``` + -- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system. -- False—Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value. + + +The FriendlyName of the Policy Indicated by the Policy GUID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsAuthorized + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsAuthorized +``` + + + + +Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. + + + + +Supported values are as follows: + +- True: Indicates that the policy is authorized to be loaded by the enforcement engine on the system. +- False: Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsBasePolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsBasePolicy +``` + + + + +TRUE/FALSE if the Policy is a Base Policy versus a Supplemental Policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsDeployed + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsDeployed +``` + + + + +Whether the Policy indicated by the GUID is deployed on the system (on the physical machine) + + + + +Supported values are as follows: + +- True: Indicates that the policy is deployed on the system and is present on the physical machine. +- False: Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsEffective + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsEffective +``` + + + + +Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect) + + + + +Supported values are as follows: + +- True: Indicates that the policy is loaded by the enforcement engine and is in effect on a system. +- False: Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsSystemPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsSystemPolicy +``` + + + + +TRUE/FALSE if the Policy is a System Policy, that is a policy managed by Microsoft as part of the OS. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/Status +``` + + + + +The Current Status of the Policy Indicated by the Policy GUID. + + + + +Default value is 0, which indicates that the policy status is `OK`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/Version +``` + + + + +Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Tokens + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens +``` + + + + +Beginning of a Subtree that contains all tokens. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Tokens/{ID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID} +``` + + + + +Arbitrary ID used to differentiate tokens. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The ApplicationControl CSP enforces that the "ID" segment of a given token URI is unique. | + + + + + + + + + +#### Tokens/{ID}/Token + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID}/Token +``` + + + + +The token binary encoded as base64. Supported value is a binary file, obtained from the OneCoreDeviceUnlockService. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Tokens/{ID}/TokenInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo +``` + + + + +Information Describing the Token indicated by the corresponding ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Tokens/{ID}/TokenInfo/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo/Status +``` + + + + +The Current Status of the Token Indicated by the Token ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### Tokens/{ID}/TokenInfo/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo/Type +``` + + + + +The Type of Token Indicated by the Token ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + +## IsAuthorized, IsDeployed, and IsEffective values The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: -|IsAuthorized | IsDeployed | IsEffective | Resultant | -|------------ | ---------- | ----------- | --------- | -|True|True|True|Policy is currently running and is in effect.| -|True|True|False|Policy requires a reboot to take effect.| -|True|False|True|Policy requires a reboot to unload from CI.| -|False|True|True|Not Reachable.| -|True|False|False|*Not Reachable.| -|False|True|False|*Not Reachable.| -|False|False|True|Not Reachable.| -|False|False|False|*Not Reachable.| +| IsAuthorized | IsDeployed | IsEffective | Resultant | +|--------------|------------|-------------|-----------------------------------------------| +| True | True | True | Policy is currently running and is in effect. | +| True | True | False | Policy requires a reboot to take effect. | +| True | False | True | Policy requires a reboot to unload from CI. | +| False | True | True | Not Reachable. | +| True | False | False | *Not Reachable. | +| False | True | False | *Not Reachable. | +| False | False | True | Not Reachable. | +| False | False | False | *Not Reachable. | \* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail. -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status** -This node specifies whether the deployment of the policy indicated by the GUID was successful. - -Scope is dynamic. 
Supported operation is Get.
-
-Value type is integer. Default value is 0 = OK.
-
-**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
-This node provides the friendly name of the policy indicated by the policy GUID.
-
-Scope is dynamic. Supported operation is Get.
-
-Value type is char.
-
 ## Microsoft Intune Usage Guidance
 For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
@@ -164,7 +800,7 @@ In order to use the ApplicationControl CSP without using Intune, you must:
 Below is a sample certutil invocation:
-```console
+```cmd
 certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
 ```
@@ -242,15 +878,15 @@ Perform a GET using a deployed policy's GUID to interrogate/inspect the policy i
 The following table displays the result of Get operation on different nodes:
-|Nodes | Get Results|
-|------------- | ------|
-|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy|raw p7b|
-|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version|Policy version|
-|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective|Is the policy in effect|
-|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed|Is the policy on the system|
-|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized|Is the policy authorized on the system|
-|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful|
-|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy|
+| Nodes | Get Results |
+|---------------------------------------------------------------------------------|----------------------------------------|
+| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy | raw p7b |
+| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version | Policy version |
+| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective | Is the policy in effect |
+| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed | Is the policy on the system |
+| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized | Is the policy authorized on the system |
+| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status | Was the deployment successful |
+| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName | Friendly name per the policy |
 An example of Get command is:
@@ -328,7 +964,10 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa
 ```powershell
 Get-CimInstance -Namespace $namespace -ClassName $policyClassName
 ```
+
+
+
 ## Related articles
-[Configuration service provider reference](index.yml)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index a21b6f8223..bfc85fbfa9 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -1,223 +1,934 @@ --- title: AppLocker CSP -description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed. -ms.reviewer: +description: Learn more about the AppLocker CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2019 +ms.topic: reference --- + + + # AppLocker CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. + -The following example shows the AppLocker configuration service provider in tree format. 
+ +The following list shows the AppLocker configuration service provider nodes: -```console -./Vendor/MSFT -AppLocker -----ApplicationLaunchRestrictions ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -----------------NonInteractiveProcessEnforcement -------------MSI -----------------Policy -----------------EnforcementMode -------------Script -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode -------------DLL -----------------Policy -----------------EnforcementMode -----------------NonInteractiveProcessEnforcement -------------CodeIntegrity -----------------Policy -----EnterpriseDataProtection ---------Grouping -------------EXE -----------------Policy -------------StoreApps -----------------Policy -----LaunchControl ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode -----FamilySafety ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode +- ./Vendor/MSFT/AppLocker + - [ApplicationLaunchRestrictions](#applicationlaunchrestrictions) + - [{Grouping}](#applicationlaunchrestrictionsgrouping) + - [CodeIntegrity](#applicationlaunchrestrictionsgroupingcodeintegrity) + - [Policy](#applicationlaunchrestrictionsgroupingcodeintegritypolicy) + - [DLL](#applicationlaunchrestrictionsgroupingdll) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingdllenforcementmode) + - [NonInteractiveProcessEnforcement](#applicationlaunchrestrictionsgroupingdllnoninteractiveprocessenforcement) + - [Policy](#applicationlaunchrestrictionsgroupingdllpolicy) + - [EXE](#applicationlaunchrestrictionsgroupingexe) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingexeenforcementmode) + - 
[NonInteractiveProcessEnforcement](#applicationlaunchrestrictionsgroupingexenoninteractiveprocessenforcement) + - [Policy](#applicationlaunchrestrictionsgroupingexepolicy) + - [MSI](#applicationlaunchrestrictionsgroupingmsi) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingmsienforcementmode) + - [Policy](#applicationlaunchrestrictionsgroupingmsipolicy) + - [Script](#applicationlaunchrestrictionsgroupingscript) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingscriptenforcementmode) + - [Policy](#applicationlaunchrestrictionsgroupingscriptpolicy) + - [StoreApps](#applicationlaunchrestrictionsgroupingstoreapps) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingstoreappsenforcementmode) + - [Policy](#applicationlaunchrestrictionsgroupingstoreappspolicy) + - [EnterpriseDataProtection](#enterprisedataprotection) + - [{Grouping}](#enterprisedataprotectiongrouping) + - [EXE](#enterprisedataprotectiongroupingexe) + - [Policy](#enterprisedataprotectiongroupingexepolicy) + - [StoreApps](#enterprisedataprotectiongroupingstoreapps) + - [Policy](#enterprisedataprotectiongroupingstoreappspolicy) + - [FamilySafety](#familysafety) + - [{Grouping}](#familysafetygrouping) + - [EXE](#familysafetygroupingexe) + - [EnforcementMode](#familysafetygroupingexeenforcementmode) + - [Policy](#familysafetygroupingexepolicy) + - [StoreApps](#familysafetygroupingstoreapps) + - [EnforcementMode](#familysafetygroupingstoreappsenforcementmode) + - [Policy](#familysafetygroupingstoreappspolicy) + - [LaunchControl](#launchcontrol) + - [{Grouping}](#launchcontrolgrouping) + - [EXE](#launchcontrolgroupingexe) + - [EnforcementMode](#launchcontrolgroupingexeenforcementmode) + - [Policy](#launchcontrolgroupingexepolicy) + - [StoreApps](#launchcontrolgroupingstoreapps) + - [EnforcementMode](#launchcontrolgroupingstoreappsenforcementmode) + - [Policy](#launchcontrolgroupingstoreappspolicy) + + + +## ApplicationLaunchRestrictions + + +| Scope | Editions | Applicable OS | 
+|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions ``` -**./Vendor/MSFT/AppLocker** -Defines the root node for the AppLocker configuration service provider. + -**AppLocker/ApplicationLaunchRestrictions** + + Defines restrictions for applications. + + + > [!NOTE] -> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. +> When you create a list of allowed apps, all [inbox apps](#inbox-apps-and-components) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node. > [!NOTE] -> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. +> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the `AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy` URI. 
+ -**AppLocker/ApplicationLaunchRestrictions/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. -Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE** -Defines restrictions for launching executable applications. + + + -Supported operations are Get, Add, Delete, and Replace. + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +### ApplicationLaunchRestrictions/{Grouping} -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping} +``` + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + -The data type is a string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/NonInteractiveProcessEnforcement** -The data type is a string. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -Supported operations are Add, Delete, Get, and Replace. + + + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI** -Defines restrictions for executing Windows Installer files. + -Supported operations are Get, Add, Delete, and Replace. + +#### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. 
The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Data type is string. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity +``` + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + -The data type is a string. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script** -Defines restrictions for running scripts. + + + -Supported operations are Get, Add, Delete, and Replace. + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +##### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy +``` + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps** -Defines restrictions for running apps from the Microsoft Store. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL** -Defines restrictions for processing DLL files. 
- -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/NonInteractiveProcessEnforcement** -The data type is a string. - -Supported operations are Add, Delete, Get, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity** -This node is only supported on the desktop. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is Base64. - -Supported operations are Get, Add, Delete, and Replace. + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
This will need to be Base64 encoded. + + + > [!NOTE] -> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. +> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker CSP. + -**AppLocker/EnterpriseDataProtection** -Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/DLL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL +``` + + + + +Defines restrictions for processing DLL files. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE +``` + + + + +Defines restrictions for launching executable applications. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/MSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI +``` + + + + +Defines restrictions for executing Windows Installer files. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/MSI/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/Script + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script +``` + + + + +Defines restrictions for running scripts. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/Script/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps +``` + + + + +Defines restrictions for running apps from the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +## EnterpriseDataProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection +``` + + + + +Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP. + + + + In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: 
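Review bot: The new description under `##### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy` says the node holds "precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy" that "will need to be Base64 encoded", while the note directly beneath it says the payload is the binary policy produced by `ConvertFrom-CIPolicy`, Base64-encoded afterwards, and the properties table gives Format `b64`; the paragraph and the note contradict each other on what an administrator must encode. The removed side carried the same reused paragraph (with "Data type is Base64"), so the conflict is inherited rather than introduced, but this rewrite is where the section should say one thing. I would replace the reused paragraph with `Contains the Code Integrity policy for this Grouping. The value is the binary policy produced by ConvertFrom-CIPolicy, Base64-encoded (see the note below); it is not the AppLocker RuleCollection XML accepted by the EXE, MSI, Script, StoreApps and DLL Policy nodes.` The removed line `This node is only supported on the desktop.` under the CodeIntegrity node has no counterpart on the new side, and if the restriction still applies the Scope/Editions table or description should state it. Under `## EnterpriseDataProtection` the new description also drops the former link `[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)` and leaves `./Device/Vendor/MSFT/EnterpriseDataProtection` as unformatted prose; restoring the link and putting the path in backticks keeps the cross-reference navigable.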
@@ -238,52 +949,1316 @@ Exempt examples: Additional information: - [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. + -**AppLocker/EnterpriseDataProtection/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. -Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**AppLocker/EnterpriseDataProtection/_Grouping_/EXE** + + + + + + + +### EnterpriseDataProtection/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping} +``` + + + + +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### EnterpriseDataProtection/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE +``` + + + + Defines restrictions for launching executable applications. + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### EnterpriseDataProtection/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE/Policy +``` + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + -Data type is string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### EnterpriseDataProtection/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps +``` + + + + Defines restrictions for running apps from the Microsoft Store. + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### EnterpriseDataProtection/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps/Policy +``` + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + -Data type is string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive). -2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + - The **Device Portal** page opens on your browser. + + + - ![device portal screenshot.](images/applocker-screenshot1.png) + -3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps. + +## FamilySafety - ![device portal app manager.](images/applocker-screenshot3.png) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. + +```Device +./Vendor/MSFT/AppLocker/FamilySafety +``` + - ![app manager.](images/applocker-screenshot2.png) + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### FamilySafety/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### FamilySafety/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### FamilySafety/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +## LaunchControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### LaunchControl/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### LaunchControl/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### LaunchControl/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + + +## Policy XSD Schema + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## File Publisher Rules The following table shows the mapping of information to the AppLocker publisher rule field. 
@@ -301,50 +2276,9 @@ Here's an example AppLocker publisher rule: ``` -You can get the publisher name and product name of apps using a web API. - -**To find publisher and product name for Microsoft apps in Microsoft Store for Business:** - -1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. - -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**. - -3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. - -Request URI: - -```http -https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata -``` - -Here's the example for Microsoft OneNote: - -Request - -```http -https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata -``` - -Result - -```json -{ - "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe", - "packageIdentityName": "Microsoft.Office.OneNote", - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -} -``` - -|Result data|AppLocker publisher rule field| -|--- |--- | -|packageIdentityName|ProductName| -|publisherCertificateName|Publisher| -|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

    This value will only be present if there's a XAP package associated with the app in the Store.

    If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| - - -## Settings apps that rely on splash apps +You can get the publisher name and product name of apps using either `Get-AppxPackage` PowerShell cmdlet or [Windows Device Portal](/windows/uwp/debug-test-perf/device-portal-desktop). +## Settings apps that rely on splash apps These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. @@ -368,8 +2302,7 @@ The product name is first part of the PackageFullName followed by the version nu | SettingsPageAppsCorner | 5b04b775-356b-4aa0-aaf8-6491ffea580a\_1.0.0.0\_neutral\_\_4vefaa8deck74 | 5b04b775-356b-4aa0-aaf8-6491ffea580a | | SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 | - -## Inbox apps and components +## Inbox apps and components The following list shows the apps that may be included in the inbox. @@ -467,7 +2400,7 @@ The following list shows the apps that may be included in the inbox. |Xbox|b806836f-eebe-41c9-8669-19e243b81b83|Microsoft.XboxApp| |Xbox identity provider|ba88225b-059a-45a2-a8eb-d3580283e49d|Microsoft.XboxIdentityProvider| -## Allowlist examples +## Allowlist examples The following example disables the calendar application. 
@@ -1028,7 +2961,8 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business -The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings. + +The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inbox-apps-and-components) to enable a working device, and Settings. ```xml @@ -1464,7 +3398,10 @@ In this example, Contoso is the node name. We recommend using a GUID for this no ``` + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index d0e4446e1c..af3f58ccbe 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md 
@@ -1,673 +1,1149 @@ --- title: AppLocker DDF file -description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/23/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # AppLocker DDF file -This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). +The following XML file contains the device description framework (DDF) for the AppLocker configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + AppLocker + ./Vendor/MSFT + + + + + Root node for the AppLocker configuration service provider + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - AppLocker - ./Vendor/MSFT + ApplicationLaunchRestrictions + + + + + Defines restrictions for applications. + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. 
+ + + + + + + + + + Grouping + + + + + + + + - ApplicationLaunchRestrictions + EXE + + + + + + + + Defines restrictions for launching executable applications. + + + + + + + + + + + + + + + Policy - - - - - - - - - - - - - - - - - - + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic - - - - - - - - - - - - - - - - - - - Grouping - - - - - - EXE - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - NonInteractiveProcessEnforcement - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSI - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - Script - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - StoreApps - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - DLL - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - NonInteractiveProcessEnforcement - - - - - - - - - - - - - - - - - - text/plain - - - - - - CodeIntegrity - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does 
not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + NonInteractiveProcessEnforcement + + + + + + + + Insert Description Here + + + + + + + + + + + + + + - EnterpriseDataProtection + MSI + + + + + + + + Defines restrictions for executing Windows Installer files. + + + + + + + + + + + + + + + Policy - - - - - - - - - - - - - - - + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic - - - - - - - - - - - - - - - - - - - Grouping - - - - - - EXE - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - - StoreApps - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + Script + + + + + + + + Defines restrictions for running scripts. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
+ + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Defines restrictions for running apps from the Microsoft Store. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + DLL + + + + + + + + Defines restrictions for processing DLL files. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. 
The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + NonInteractiveProcessEnforcement + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + + + CodeIntegrity + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. This will need to be Base64 encoded. + + + + + + + + + + + + + + + Automatic + + + + + + EnterpriseDataProtection + + + + + Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP. + + + + + + + + + + + + + + + + + + + + + + + + Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Defines restrictions for launching executable applications. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
+ + + + + + + + + + + + + + ]]> + + Automatic + + + + + StoreApps + + + + + + + + Defines restrictions for running apps from the Microsoft Store. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + + + + LaunchControl + + + + + Insert Description Here + + + + + + + + + + + + + + + + + + + + + + + + Insert Description Here + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
+ + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + + + FamilySafety + + + + + Insert Description Here + + + + + + + + + + + + + + + + + + + + + + + + Insert Description Here + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
+ + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[AppLocker configuration service provider](applocker-csp.md) \ No newline at end of file +[AppLocker configuration service provider reference](applocker-csp.md) diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md deleted file mode 100644 index 9daa087800..0000000000 --- a/windows/client-management/mdm/applocker-xsd.md +++ /dev/null 
@@ -1,1292 +0,0 @@ ---- -title: AppLocker XSD -description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# AppLocker XSD - -Here's the XSD for the AppLocker CSP. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -  - -  - - - - - - diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index cc8530ec85..5042ee9974 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -1,230 +1,103 @@ --- title: AssignedAccess CSP -description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. -ms.reviewer: +description: Learn more about the AssignedAccess CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 05/03/2022 +ms.topic: reference --- + + + # AssignedAccess CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. -For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) +- For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a single-app kiosk on Windows 10/11](/windows/configuration/kiosk-single-app). +- For a step-by-step guide for configuring multi-app kiosks, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). -In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). 
+> [!IMPORTANT] +> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. -> [!Warning] +> [!WARNING] > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. -> [!Note] +> [!NOTE] > If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. + -> [!Note] -> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. 
+ +The following list shows the AssignedAccess configuration service provider nodes: -The following example shows the AssignedAccess configuration service provider in tree format +- ./Vendor/MSFT/AssignedAccess + - [Configuration](#configuration) + - [KioskModeApp](#kioskmodeapp) + - [ShellLauncher](#shelllauncher) + - [Status](#status) + - [StatusConfiguration](#statusconfiguration) + -```console -./Vendor/MSFT -AssignedAccess -----KioskModeApp -----Configuration (Added in Windows 10, version 1709) -----Status (Added in Windows 10, version 1803) -----ShellLauncher (Added in Windows 10, version 1803) -----StatusConfiguration (Added in Windows 10, version 1803) + +## Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/Configuration ``` + -**./Device/Vendor/MSFT/AssignedAccess** -Root node for the CSP. + + +This node accepts an AssignedAccessConfiguration xml as input. + -**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** -A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app). + + +The input XML specifies the settings that you can configure in the kiosk or device. -For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) +In **Windows 10, version 1803** the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. -> [!Note] -> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. -> -> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. +In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. 
This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like `shift+alt+a`, where `shift` and `alt` are the modifiers and `a` is the key. -> [!Note] -> You can't set both KioskModeApp and ShellLauncher at the same time on the device. - -Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](../enterprise-app-management.md). - -Here's an example: - -```json -{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} -``` - -> [!Tip] -> In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\. -> -> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. - -When the kiosk mode app is being configured, the account name will be used to find the target user. The account name includes domain name and user name. - -> [!Note] -> The domain name can be optional, if the user name is unique across the system. - -For a local account, the domain name should be the device name. 
When Get is executed on this node, the domain name is always returned in the output. - -The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. - -**./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). - -Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key. - -> [!Note] -> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. 
-> -> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. - -Enterprises can use this to easily configure and manage the curated lockdown experience. - -Supported operations are Add, Get, Delete, and Replace. - -Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies back (for example, Start Layout). - -**./Device/Vendor/MSFT/AssignedAccess/Status** -Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload. - -In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible statuses available for single app kiosk mode. - -|Status |Description | -|---------|---------|---------| -| KioskModeAppRunning | This status means the kiosk app is running normally. | -| KioskModeAppNotFound | This state occurs when the kiosk app isn't deployed to the machine. | -| KioskModeAppActivationFailure | This state occurs when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. | +- For more information about setting up a multi-app kiosk, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). 
+- For more information on the schema, see [AssignedAccessConfiguration XSD](#assignedaccessconfiguration-xsd). +- For examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples). > [!NOTE] -> Status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. +> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout). + -|Status code | KioskModeAppRuntimeStatus | -|---------|---------| -| 1 | KioskModeAppRunning | -| 2 | KioskModeAppNotFound | -| 3 | KioskModeAppActivationFailure | + +**Description framework properties**: -Additionally, the status payload includes a profileId that can be used by the MDM server to correlate as to which kiosk app caused the error. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -In Windows 10, version 1809, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes. + + +**Examples**: -|Status|Description| -|---|---| -|Running|The AssignedAccess account (kiosk or multi-app) is running normally.| -|AppNotFound|The kiosk app isn't deployed to the machine.| -|ActivationFailed|The AssignedAccess account (kiosk or multi-app) failed to sign in.| -|AppNoResponse|The kiosk app launched successfully but is now unresponsive.| +For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples). -> [!NOTE] -> Status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus. 
- -|Status code|AssignedAccessRuntimeStatus| -|---|---| -|1|Running| -|2|AppNotFound| -|3|ActivationFailed| -|4|AppNoResponse| - -Additionally, the Status payload includes the following fields: - -- profileId: It can be used by the MDM server to correlate which account caused the error. -- OperationList: It gives the list of failed operations that occurred while applying the assigned access CSP, if any exist. - -Supported operation is Get. - -**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** -Added in Windows 10, version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). - -> [!Note] -> You can't set both ShellLauncher and KioskModeApp at the same time on the device. -> -> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature, if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. -> ->The ShellLauncher node is not supported in Windows 10 Pro. - -**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration** -Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema. - -By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. 
- -Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. - -This MDM alert header is defined as follows: - -- MDMAlertMark: Critical -- MDMAlertType: "com.microsoft.mdm.assignedaccess.status" -- MDMAlertDataType: String -- Source: "./Vendor/MSFT/AssignedAccess" -- Target: N/A - -> [!Note] -> MDM alert will only be sent for errors. - - -## KioskModeApp examples - -KioskModeApp Add - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} - - - - - -``` - -KioskModeApp Delete - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - - - - -``` - -KioskModeApp Get +
    +
    + Get Configuration ```xml @@ -233,7 +106,7 @@ KioskModeApp Get 2 - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + ./Device/Vendor/MSFT/AssignedAccess/Configuration @@ -242,31 +115,1002 @@ KioskModeApp Get ``` -KioskModeApp Replace +
    + +
    +
    + Delete Configuration ```xml - + 2 - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + ./Device/Vendor/MSFT/AssignedAccess/Configuration - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} - + ``` +
    + + + + + +## KioskModeApp + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/KioskModeApp +``` + + + + +This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. + +Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`. + +When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. + +This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. + + + + +> [!TIP] +> In the above example the double `\\` is required because it's in JSON and JSON escapes `\\` into `\`. If an MDM server uses JSON parser\composer, they should ask customers to type only one `\`, which will be `\\` in the JSON. If user types `\\`, it'll become `\\\\` in JSON, which will cause erroneous results. For the same reason, `domain\user` used in Configuration xml does not need `\\` but only one `\`, because xml does not (need to) escape `\`. +> +> This applies to both `domain\user`, `AzureAD\someone@contoso.onmicrosoft.com`, as long as a `\` is used in JSON string. + +- For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app). 
+- For more information about single-app kiosk, see [Set up a single-app kiosk on Windows 10/11.](/windows/configuration/kiosk-single-app) + +> [!IMPORTANT] +> +> - In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> - Additionally, starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. Add/Replace/Delete commands on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it's not effective. +> - You can't set both KioskModeApp and ShellLauncher at the same time on the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +**Examples**: + +
    +
    + Add KioskModeApp + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} + + + + + +``` + +
    + +
    +
    + Delete KioskModeApp + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + +``` + +
    + +
    +
    + Get KioskModeApp + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + +``` + +
    + +
    +
    + Replace KioskModeApp + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} + + + + + +``` + +
    + + + + + +## ShellLauncher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/ShellLauncher +``` + + + + +This node accepts a ShellLauncherConfiguration xml as input. + + + + +In **Windows 10, version 1903**, Shell Launcher V2 was introduced to support both UWP and Win32 apps as the custom shell. + +For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). + +> [!IMPORTANT] +> You can't set both ShellLauncher and KioskModeApp at the same time on the device. + +> [!NOTE] +> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature, if it is available within the SKU. +> +> Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. The ShellLauncher node is not supported in Windows 10 Pro. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +**ShellLauncherConfiguration XSD**: + +> [!NOTE] +> Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. + +
    +
    + Shell Launcher V1 XSD + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +
    + +
    +
    + Shell Launcher V2 XSD + +```xml + + + + + + + + + + + + + + + +``` + +

    + +**Examples**: + +
    +
    + Add + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + +``` + +
    + +
    +
    + Add AutoLogon + +This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. + +> [!NOTE] +> The auto-logon function is designed to be used after OOBE with provisioning packages. + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + +``` + +
    + +
    +
    + V2 Add + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + +``` + +
    + +
    +
    + Get + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + + + + +``` + +
    + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/Status +``` + + + + +This read only node contains kiosk health event xml. + + + + +This allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to "On" or "OnWithAlerts". If the StatusConfiguration is "Off", a "node not found" error will be reported to the MDM server. + +Starting in **Windows 10, version 1809**, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes: + +| Status Code | Status | Description | +|--|--|--| +| 0 | Unknown | Unknown status. | +| 1 | Running | The AssignedAccess account (kiosk or multi-app) is running normally. | +| 2 | AppNotFound | The kiosk app isn't deployed to the machine. | +| 3 | ActivationFailed | The AssignedAccess account (kiosk or multi-app) failed to sign in. | +| 4 | AppNoResponse | The kiosk app launched successfully but is now unresponsive. | + +Additionally, the Status payload includes the following fields: + +- profileId: It can be used by the MDM server to correlate which account caused the error. +- OperationList: It gives the list of failed operations that occurred while applying the assigned access CSP, if any exist. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**AssignedAccessAlert XSD**: + +
    +
    + Expand this section to see the schema XML + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +

    + +**Example**: + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Status + + + + + + +``` + + + + + +## StatusConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/StatusConfiguration +``` + + + + +This node accepts a StatusConfiguration xml as input. + + + + +There are three possible values for StatusEnabled node inside StatusConfiguration xml: + +- On +- OnWithAlerts +- Off + +By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. This MDM alert header is defined as follows: + +- MDMAlertMark: `Critical` +- MDMAlertType: `com.microsoft.mdm.assignedaccess.status` +- MDMAlertDataType: `string` +- Source: `./Vendor/MSFT/AssignedAccess` +- Target: `N/A` + +> [!NOTE] +> MDM alert are only sent for errors. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +**StatusConfiguration XSD**: + +
    +
    + Expand this section to see the schema XML + +```xml + + + + + + + + + + + + + + + + + + + + +``` + +

    + +**Examples**: + +
    +
    + Add StatusConfiguration with StatusEnabled set to OnWithAlerts + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + OnWithAlerts + + ]]> + + + + + + + ``` + +
    + +
    +
    + Delete StatusConfiguration + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` + +
    + +
    +
    + Get StatusConfiguration + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` + +
    + +
    +
    + Replace StatusEnabled value with On + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + On + + ]]> + + + + + + + ``` + +
    + + + + + + ## AssignedAccessConfiguration XSD -The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release. +
    +
    + Schema for AssignedAccessConfiguration. ```xml @@ -306,7 +1150,7 @@ The schema below is for AssignedAccess Configuration up to Windows 10 20H2 relea - + @@ -464,7 +1308,41 @@ The schema below is for AssignedAccess Configuration up to Windows 10 20H2 relea ); ``` -Here's the schema for new features introduced in Windows 10 1809 release: +
    + +
    +
    + Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. + +```xml + + + + + + + + + + + + + +``` + +
    + +
    +
    + Schema for new features introduced in Windows 10 1809 release. ```xml @@ -510,7 +1388,11 @@ Here's the schema for new features introduced in Windows 10 1809 release: ``` -Schema for Windows 10 prerelease +
    + +
    +
    + Schema for Windows 10 prerelease. ```xml @@ -541,48 +1423,31 @@ Schema for Windows 10 prerelease ``` -The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization. -```xml - - +
    - - +## AssignedAccessConfiguration examples - - - - - - - -``` - -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. - -```xml - [!NOTE] +> To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that was added in the 1809 release, use the below sample. Notice an alias `r1809` is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. > - - - - - -``` +> ```xml +> xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" +> xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config" +> > +> +> +> +> +> +> ... +> +> ``` -## Example AssignedAccessConfiguration XML +
    +
    + Example XML configuration for a multi-app kiosk for Windows 10. -Example XML configuration for a multi-app kiosk: ```xml @@ -634,7 +1499,12 @@ Example XML configuration for a multi-app kiosk: ``` -Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. +
    + +
    +
    + Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. + ```xml ``` -Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. +
    + +
    +
    + Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. + > [!NOTE] > **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. + ```xml ``` -## Configuration examples +
    + +## Windows Holographic for Business edition example + +This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). + +
    +
    + Expand this section to see the example. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + AzureAD\multiusertest@analogfre.onmicrosoft.com + + + + +``` + +
    + +## Handling XML in Configuration XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. -Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you’ll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA. +Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you'll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA. -Escape and CDATA are mechanisms used when handling xml in xml. Consider that it’s a transportation channel to send the configuration xml as payload from server to client. It’s transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML. +Escape and CDATA are mechanisms used when handling xml in xml. 
Consider that it's a transportation channel to send the configuration xml as payload from server to client. It's transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML. -This example shows escaped XML of the Data node. +
    +
    + This example shows escaped XML of the Data node. ```xml @@ -761,79 +1707,11 @@ This example shows escaped XML of the Data node. ``` -This example shows escaped XML of the Data node. +
    -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - chr - - - <?xml version="1.0" encoding="utf-8" ?> -<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> - <Profiles> - <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> - <AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> - </AllowedApps> - </AllAppsList> - <StartLayout> - <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" 
DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> - ]]> - </StartLayout> - <Taskbar ShowTaskbar="true"/> - </Profile> - </Profiles> - <Configs> - <Config> - <Account>MultiAppKioskUser</Account> - <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> - </Config> - </Configs> -</AssignedAccessConfiguration> - - - - - - - -``` - -This example uses CData for the XML. +
    +
    + This example shows CData for the XML. ```xml @@ -905,696 +1783,11 @@ This example uses CData for the XML. ``` -Example of Get command that returns the configuration in the device. +
    + -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` + -Example of the Delete command. +## Related articles -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` - -## StatusConfiguration XSD - -```xml - - - - - - - - - - - - - - - - - - - - -``` - -## StatusConfiguration example - -StatusConfiguration Add OnWithAlerts - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - OnWithAlerts - - ]]> - - - - - - -``` - -StatusConfiguration Delete - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - - - -``` - -StatusConfiguration Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - - - -``` - -StatusConfiguration Replace On - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - On - - ]]> - - - - - - -``` - -## Status example - -Status Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Status - - - - - - -``` - -## ShellLauncherConfiguration XSD - -Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. 
- -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -### Shell Launcher V2 XSD - -```xml - - - - - - - - - - - - - - - -``` - -## ShellLauncherConfiguration examples - -ShellLauncherConfiguration Add - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` - -ShellLauncherConfiguration Add AutoLogon - -This function creates an autologon account on your behalf. It's a standard user with no password. The autologon account is managed by AssignedAccessCSP, so the account name isn't exposed. - -> [!Note] -> The autologon function is designed to be used after OOBE with provisioning packages. - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` - -ShellLauncher V2 Add - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - -``` - -ShellLauncherConfiguration Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - - - - -``` - -## AssignedAccessAlert XSD - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Windows Holographic for Business edition example - -This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). 
- -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - AzureAD\multiusertest@analogfre.onmicrosoft.com - - - - -``` - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 4e49481095..f91d0c0381 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
@@ -1,198 +1,223 @@ --- -title: AssignedAccess DDF -description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. -ms.reviewer: +title: AssignedAccess DDF file +description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 02/22/2018 +ms.topic: reference --- -# AssignedAccess DDF + -This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# AssignedAccess DDF file -You can download the DDF files from the links below: - -- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) -- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) - -The XML below is for Windows 10, version 1803 and later. +The following XML file contains the device description framework (DDF) for the AssignedAccess configuration service provider. ```xml - -]> +]> - 1.2 + 1.2 + + + + AssignedAccess + ./Vendor/MSFT + + + + + Root node for the CSP + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - AssignedAccess - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/4.0/MDM/AssignedAccess - - - - KioskModeApp - - - - - - - - This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. 
+ KioskModeApp + + + + + + + + This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. -Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. +Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. -When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional, if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. +When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. - - - - - - - - - - - - - - text/plain - - - - - Configuration - - - - - - - - This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - This read only node contains kiosk health event in xml. - - - - - - - - - - - - - - text/plain - - - - - ShellLauncher - - - - - - - - This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN. - - - - - - - - - - - - - - text/plain - - - - - StatusConfiguration - - - - - - - - This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN. 
- - - - - - - - - - - - - - text/plain - - - + + + + + + + + + + + + + + + + + + + + + Configuration + + + + + + + + This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + + + + 10.0.16299 + 1.1 + + + + + + + Status + + + + + This read only node contains kiosk health event xml + + + + + + + + + + + + + + + + + 10.0.17134 + 2.0 + + + + + ShellLauncher + + + + + + + + This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + + + + 10.0.17134 + 2.0 + 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0xAB;0xAC;0xAF;0xBC;0xBF + + + + + + + StatusConfiguration + + + + + + + + This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + + + + 10.0.17134 + 2.0 + + + + + + ``` -## Related topics +## Related articles -[AssignedAccess configuration service provider](assignedaccess-csp.md) +[AssignedAccess configuration service provider reference](assignedaccess-csp.md) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7974e3a245..b3bbbac0bc 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -1,89 +1,1083 @@ --- title: BitLocker CSP -description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. +description: Learn more about the BitLocker CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/04/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # BitLocker CSP +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. > [!NOTE] -> Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. > -> You must send all the settings together in a single SyncML to be effective. +> - Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. +> - You must send all the settings together in a single SyncML to be effective. A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. 
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). + -The following example shows the BitLocker configuration service provider in tree format. + +The following list shows the BitLocker configuration service provider nodes: -```console -./Device/Vendor/MSFT -BitLocker -----RequireStorageCardEncryption -----RequireDeviceEncryption -----EncryptionMethodByDriveType -----IdentificationField -----SystemDrivesEnablePreBootPinExceptionOnDECapableDevice -----SystemDrivesEnhancedPIN -----SystemDrivesDisallowStandardUsersCanChangePIN -----SystemDrivesEnablePrebootInputProtectorsOnSlates -----SystemDrivesEncryptionType -----SystemDrivesRequireStartupAuthentication -----SystemDrivesMinimumPINLength -----SystemDrivesRecoveryMessage -----SystemDrivesRecoveryOptions -----FixedDrivesRecoveryOptions -----FixedDrivesRequireEncryption -----FixedDrivesEncryptionType -----RemovableDrivesRequireEncryption -----RemovableDrivesEncryptionType -----RemovableDrivesConfigureBDE -----AllowWarningForOtherDiskEncryption -----AllowStandardUserEncryption -----ConfigureRecoveryPasswordRotation -----RotateRecoveryPasswords -----Status ---------DeviceEncryptionStatus ---------RotateRecoveryPasswordsStatus ---------RotateRecoveryPasswordsRequestID +- ./Device/Vendor/MSFT/BitLocker + - [AllowStandardUserEncryption](#allowstandarduserencryption) + - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) + - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) + - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) + - 
[FixedDrivesEncryptionType](#fixeddrivesencryptiontype) + - [FixedDrivesRecoveryOptions](#fixeddrivesrecoveryoptions) + - [FixedDrivesRequireEncryption](#fixeddrivesrequireencryption) + - [IdentificationField](#identificationfield) + - [RemovableDrivesConfigureBDE](#removabledrivesconfigurebde) + - [RemovableDrivesEncryptionType](#removabledrivesencryptiontype) + - [RemovableDrivesExcludedFromEncryption](#removabledrivesexcludedfromencryption) + - [RemovableDrivesRequireEncryption](#removabledrivesrequireencryption) + - [RequireDeviceEncryption](#requiredeviceencryption) + - [RequireStorageCardEncryption](#requirestoragecardencryption) + - [RotateRecoveryPasswords](#rotaterecoverypasswords) + - [Status](#status) + - [DeviceEncryptionStatus](#statusdeviceencryptionstatus) + - [RemovableDrivesEncryptionStatus](#statusremovabledrivesencryptionstatus) + - [RotateRecoveryPasswordsRequestID](#statusrotaterecoverypasswordsrequestid) + - [RotateRecoveryPasswordsStatus](#statusrotaterecoverypasswordsstatus) + - [SystemDrivesDisallowStandardUsersCanChangePIN](#systemdrivesdisallowstandarduserscanchangepin) + - [SystemDrivesEnablePrebootInputProtectorsOnSlates](#systemdrivesenableprebootinputprotectorsonslates) + - [SystemDrivesEnablePreBootPinExceptionOnDECapableDevice](#systemdrivesenableprebootpinexceptionondecapabledevice) + - [SystemDrivesEncryptionType](#systemdrivesencryptiontype) + - [SystemDrivesEnhancedPIN](#systemdrivesenhancedpin) + - [SystemDrivesMinimumPINLength](#systemdrivesminimumpinlength) + - [SystemDrivesRecoveryMessage](#systemdrivesrecoverymessage) + - [SystemDrivesRecoveryOptions](#systemdrivesrecoveryoptions) + - [SystemDrivesRequireStartupAuthentication](#systemdrivesrequirestartupauthentication) + + + +## AllowStandardUserEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption +``` + + + + +Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. +"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced. +If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user +is the current logged on user in the system. + +The expected values for this policy are: + +1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. +0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy +will not try to enable encryption on any drive. + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [AllowWarningForOtherDiskEncryptionDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. | +| 1 | "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + 111 + + + ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption + + + int + + 0 + + +``` + + + + + +## AllowWarningForOtherDiskEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption +``` + + + + +Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) +and turn on encryption on the user machines silently. + +> [!WARNING] +> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will +require reinstallation of Windows. + +> [!NOTE] +> This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. + +The expected values for this policy are + +1 = This is the default, when the policy is not set. **Warning** prompt and encryption notification is allowed. +0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, +the value 0 only takes affect on Azure Active Directory joined devices. +Windows will attempt to silently enable BitLocker for value 0. + + + + + + +> [!NOTE] +> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. +> +> The endpoint for a fixed data drive's backup is chosen in the following order: +> +> 1. The user's Windows Server Active Directory Domain Services account. +> 2. The user's Azure Active Directory account. +> 3. The user's personal OneDrive (MDM/MAM only). +> +> Encryption will wait until one of these three locations backs up successfully. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disables the warning prompt. 
Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. | +| 1 (Default) | Warning prompt allowed. | + + + + +**Example**: + +```xml + + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + 0 + + +``` + + + + + +## ConfigureRecoveryPasswordRotation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation +``` + + + + +Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. +When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when +Active Directory back up for recovery password is configured to required. +For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" +For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" + +Supported Values: 0 - Numeric Recovery Passwords rotation OFF. +1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value +2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Refresh off (default). | +| 1 | Refresh on for Azure AD-joined devices. | +| 2 | Refresh on for both Azure AD-joined and hybrid-joined devices. | + + + + + + + + + +## EncryptionMethodByDriveType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType +``` + + + + +This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. + +- If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511). + +- If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script." + + + + +> [!NOTE] +> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encryption method for the OS and removable drives, you will get a 500 return status. + +Data ID elements: + +- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. +- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. 
+- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. + +Sample value for this node to enable this policy and set the encryption methods is: + +```xml + + + + ``` + The possible values for 'xx' are: + +- 3 = AES-CBC 128 +- 4 = AES-CBC 256 +- 6 = XTS-AES 128 +- 7 = XTS-AES 256 + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](../enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**./Device/Vendor/MSFT/BitLocker** -Defines the root node for the BitLocker configuration service provider. - +**ADMX mapping**: -**RequireDeviceEncryption** - -Allows the administrator to require encryption that needs to be turned on by using BitLocker\Device Encryption. - - +| Name | Value | +|:--|:--| +| Name | EncryptionMethodWithXts_Name | +| Friendly Name | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +**Example**: - -Data type is integer. Sample value for this node to enable this policy: 1. -Supported operations are Add, Get, Replace, and Delete. 
+To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType + + + chr + + + + +``` + + + + + +## FixedDrivesEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + +> [!NOTE] +> This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> +> For more information about the tool to manage BitLocker, see [manage-bde](/windows-server/administration/windows-commands/manage-bde). 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on fixed data drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | FDVEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## FixedDrivesRecoveryOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions +``` + + + + +This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. + +The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. + +In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + +Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. + +In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS. 
+ +Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + +> [!NOTE] +> If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated. + +- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. + +- If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. + + + + +Data ID elements: + +- FDVAllowDRA_Name: Allow data recovery agent +- FDVRecoveryPasswordUsageDropDown_Name and FDVRecoveryKeyUsageDropDown_Name: Configure user storage of BitLocker recovery information +- FDVHideRecoveryPage_Name: Omit recovery options from the BitLocker setup wizard +- FDVActiveDirectoryBackup_Name: Save BitLocker recovery information to Active Directory Domain Services +- FDVActiveDirectoryBackupDropDown_Name: Configure storage of BitLocker recovery information to AD DS +- FDVRequireActiveDirectoryBackup_Name: Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives + +Sample value for this node to enable this policy is: + +```xml + + + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 0 = Disallowed +- 1 = Required +- 2 = Allowed + +The possible values for 'zz' are: + +- 1 = Store recovery passwords and key packages +- 2 = Store recovery passwords only + + + +**Description framework 
properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVRecoveryUsage_Name | +| Friendly Name | Choose how BitLocker-protected fixed drives can be recovered | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | FDVRecovery | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions + + + chr + + + + +``` + + + + + +## FixedDrivesRequireEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption +``` + + + + +This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. + +- If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. + +- If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVDenyWriteAccess_Name | +| Friendly Name | Deny write access to fixed drives not protected by BitLocker | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE | +| Registry Value Name | FDVDenyWriteAccess | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use hte following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption + + + chr + + + + +``` + + + + + +## IdentificationField + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/IdentificationField +``` + + + + +This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. + +The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations. + +You can configure the identification fields on existing drives by using [manage-bde](/windows-server/administration/windows-commands/manage-bde).exe. + +- If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. 
+ +When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. + +- If you disable or do not configure this policy setting, the identification field is not required. + +> [!NOTE] +> Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer. + + + + +Data ID elements: + +- IdentificationField: This is a BitLocker identification field. +- SecIdentificationField: This is an allowed BitLocker identification field. + +Sample value for this node to enable this policy is: + +```xml + + + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IdentificationField_Name | +| Friendly Name | Provide the unique identifiers for your organization | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | IdentificationField | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesConfigureBDE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesConfigureBDE +``` + + + + +This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. + +When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or suspend the encryption while maintenance is performed. For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment). + +- If you do not configure this policy setting, users can use BitLocker on removable disk drives. + +- If you disable this policy setting, users cannot use BitLocker on removable disk drives. + + + + +Data ID elements: + +- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives. +- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives. + +Sample value for this node to enable this policy is: + +```xml + + + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVConfigureBDE | +| Friendly Name | Control use of BitLocker on removable drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | RDVConfigureBDE | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [BDEAllowed] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE`
    Dependency Allowed Value Type: `ADMX`
    | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on removable data drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | RDVEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesExcludedFromEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesExcludedFromEncryption +``` + + + + +When enabled, allows you to exclude removable drives and devices connected over USB interface from [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption). Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +## RemovableDrivesRequireEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption +``` + + + + +This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. + +- If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. + +If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. + +- If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. + +> [!NOTE] +> This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored. + + + + +Data ID elements: + +- RDVCrossOrg: Deny write access to devices configured in another organization + +Sample value for this node to enable this policy is: + +```xml + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVDenyWriteAccess_Name | +| Friendly Name | Deny write access to removable drives not protected by BitLocker | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE | +| Registry Value Name | RDVDenyWriteAccess | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption + + + chr + + + + +``` + + + + + +## RequireDeviceEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption +``` + + + + +Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. + +Sample value for this node to enable this policy: +1 + +Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on. + + + + + +> [!NOTE] +> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device. The status of OS volumes and encryptable fixed data volumes is checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives. 
@@ -95,13 +1089,32 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
 - It must not be a system partition.
 - It must not be backed by virtual storage.
 - It must not have a reference in the BCD store.
-
-The following list shows the supported values:
+
-- 0 (default): Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes.
-- 1: Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
-
-If you want to disable this policy, use the following SyncML:
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. |
+| 1 | Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy). |
+
+
+
+
+**Example**:
+
+To disable RequireDeviceEncryption:
 ```xml
@@ -121,1283 +1134,201 @@ If you want to disable this policy, use the following SyncML: ``` + + + + + +## RequireStorageCardEncryption > [!NOTE] -> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device. +> This policy is deprecated and may be removed in a future release. - - -**EncryptionMethodByDriveType** - -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)* -- GP name: *EncryptionMethodWithXts_Name* -- GP path: *Windows Components/BitLocker Drive Encryption* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. - -If you enable this setting, you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511. - -If you disable or don't configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. - - Sample value for this node to enable this policy and set the encryption methods is: - -```xml - + +```Device +./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption ``` + -- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. -- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. -- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. 
- - The possible values for 'xx' are: + + +Allows the Admin to require storage card encryption on the device. -- 3 = AES-CBC 128 -- 4 = AES-CBC 256 -- 6 = XTS-AES 128 -- 7 = XTS-AES 256 - -> [!NOTE] -> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. +This policy is only valid for mobile SKU. +Sample value for this node to enable this policy: +1 - If you want to disable this policy, use the following SyncML: +Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on. -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType - - - chr - - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Storage cards do not need to be encrypted. | +| 1 | Require storage cards to be encrypted. | + + + + + + + + + +## RotateRecoveryPasswords + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords ``` + -Data type is string. + + +Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. +This policy is Execute type and rotates all numeric passwords when issued from MDM tools. -Supported operations are Add, Get, Replace, and Delete. - - -**IdentificationField** - -Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. - - +The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." +- For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives." +- For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives." -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes: - - -ADMX Info: +- status\RotateRecoveryPasswordsStatus +- status\RotateRecoveryPasswordsRequestID -- GP Friendly name: *Provide the unique identifiers for your organization* -- GP name: *IdentificationField_Name* -- GP path: *Windows Components/BitLocker Drive Encryption* -- GP ADMX file name: *VolumeEncryption.admx* +Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ - - -This setting is used to establish an identifier that is applied to all encrypted drives in your organization. 
- -Identifiers are stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde): - -- **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. - -- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations. - ->[!Note] ->When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. 
- -If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization. - -Sample value for this node to enable this policy is: - -```xml - -``` - -Data ID: - -- IdentificationField: This is a BitLocker identification field. -- SecIdentificationField: This is an allowed BitLocker identification field. - -If you disable or don't configure this setting, the identification field isn't required. - ->[!Note] ->Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. - - - - -**SystemDrivesEnablePreBootPinExceptionOnDECapableDevice** - -Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN* -- GP name: *EnablePreBootPinExceptionOnDECapableDevice_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This setting overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware. - -If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the options of "Require additional authentication at startup" policy apply. - - - -**SystemDrivesEnhancedPIN** - -Allows users to configure whether or not enhanced startup PINs are used with BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Allow enhanced PINs for startup* -- GP name: *EnhancedPIN_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. - ->[!Note] ->Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. - -If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If you disable or don't configure this policy setting, enhanced PINs won't be used. - - - -**SystemDrivesDisallowStandardUsersCanChangePIN** - -Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Disallow standard users from changing the PIN or password* -- GP name: *DisallowStandardUsersCanChangePIN_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting allows you to configure whether or not standard users are allowed to change the PIN or password, that is used to protect the operating system drive. - ->[!Note] ->To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. - -If you enable this policy setting, standard users won't be allowed to change BitLocker PINs or passwords. - -If you disable or don't configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords. - -Sample value for this node to disable this policy is: - -```xml - -``` - - - -**SystemDrivesEnablePrebootInputProtectorsOnSlates** - -Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enable use of BitLocker authentication requiring preboot keyboard input on slates* -- GP name: *EnablePrebootInputProtectorsOnSlates_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password. 
- -It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. - -When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. - ->[!Note] ->If you don't enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available: -> ->- Configure TPM startup PIN: Required and Allowed ->- Configure TPM startup key and PIN: Required and Allowed ->- Configure use of passwords for operating system drives - - - - -**SystemDrivesEncryptionType** - -Allows you to configure the encryption type that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on operating system drives* -- GP name: *OSEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting is applied when you turn on BitLocker. Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. - -Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. 
- -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - ->[!Note] ->This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. ->For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. - -For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). - - - -**SystemDrivesRequireStartupAuthentication** - -This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup". - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Require additional authentication at startup* -- GP name: *ConfigureAdvancedStartup_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure whether BitLocker requires more authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. - -> [!NOTE] -> Only one of the additional authentication options is required at startup, otherwise an error occurs. 
- -If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive. - -On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. - -> [!NOTE] -> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. - -If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. - -If you disable or don't configure this setting, users can configure only basic options on computers with a TPM. - -> [!NOTE] -> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. - -> [!NOTE] -> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -Data ID: - -- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). -- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key. -- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN. -- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN. -- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup. - - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Optional -- 1 = Required -- 0 = Disallowed - - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -**SystemDrivesMinimumPINLength** - -This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup". - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Configure minimum PIN length for startup* -- GP name: *MinimumPINLength_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of six digits and can have a maximum length of 20 digits. 
- -> [!NOTE] -> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. -> ->In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This doesn't apply to TPM 1.2. - -If you enable this setting, you will require a minimum number of digits to set the startup PIN. - -If you disable or don't configure this setting, users can configure a startup PIN of any length between 6 and 20 digits. - -Sample value for this node to enable this policy is: - -```xml - -``` - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -**SystemDrivesRecoveryMessage** - -This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL" -(PrebootRecoveryInfo_Name). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Configure pre-boot recovery message and URL* -- GP name: *PrebootRecoveryInfo_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked. - -If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. 
If you've previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). - -If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. - -If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- 0 = Empty -- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). -- 2 = Custom recovery message is set. -- 3 = Custom recovery URL is set. -- 'yy' = string of max length 900. -- 'zz' = string of max length 500. - -> [!NOTE] -> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - - - chr - - - - -``` - -> [!NOTE] -> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. 
- - -**SystemDrivesRecoveryOptions** - -This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose how BitLocker-protected operating system drives can be recovered* -- GP name: *OSRecoveryUsage_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker. - -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). - -In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. - -Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. 
This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. - -Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. - -Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. - -> [!NOTE] -> If the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. - -If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. - -If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Allowed -- 1 = Required -- 0 = Disallowed - -The possible values for 'zz' are: - -- 2 = Store recovery passwords only. -- 1 = Store recovery passwords and key packages. - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesRecoveryOptions** - -This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose how BitLocker-protected fixed drives can be recovered* -- GP name: *FDVRecoveryUsage_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. - -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. 
For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). - -In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. - -Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. - -Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. - -Set the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. - -Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. 
- -> [!NOTE] -> If the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. - -If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. - -If this setting isn't configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Allowed -- 1 = Required -- 0 = Disallowed - -The possible values for 'zz' are: - -- 2 = Store recovery passwords only -- 1 = Store recovery passwords and key packages - - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesRequireEncryption** - -This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Deny write access to fixed drives not protected by BitLocker* -- GP name: *FDVDenyWriteAccess_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. - -If you enable this setting, all fixed data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesEncryptionType** - -Allows you to configure the encryption type on fixed data drives that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on fixed data drives* -- GP name: *FDVEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting is applied when you turn on BitLocker and controls whether fixed data drives utilize Used Space Only encryption or Full encryption. 
Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection is displayed to the user. - -Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only a portion of the drive that is used to store data is encrypted when BitLocker is turned on. - -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - ->[!Note] ->This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. ->For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. - -For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). - - - -**RemovableDrivesRequireEncryption** - -This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Deny write access to removable drives not protected by BitLocker* -- GP name: *RDVDenyWriteAccess_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removeable Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. - -If you enable this setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. - -If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. - -If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access. - -> [!NOTE] -> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - - -Disabling the policy will let the system choose the default behaviors. 
If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - - - chr - - - - -``` - - -**RemovableDrivesEncryptionType** - -Allows you to configure the encryption type that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on removable data drives* -- GP name: *RDVEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removable Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy controls whether removed data drives utilize Full encryption or Used Space Only encryption, and is applied when you turn on BitLocker. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. - -Changing the encryption type will no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. - -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled or not configured, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - - - -**RemovableDrivesConfigureBDE** - -Allows you to control the use of BitLocker on removable data drives. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Control use of BitLocker on removable drives* -- GP name: *RDVConfigureBDE_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removable Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - -This policy setting is used to prevent users from turning BitLocker on or off on removable data drives, and is applied when you turn on BitLocker. - -For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment) . - -The options for choosing property settings that control how users can configure BitLocker are: - -- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on removable data drives. -- **Allow users to suspend and decrypt BitLocker on removable data drives**: Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. - -If you enable this policy setting, you can select property settings that control how users can configure BitLocker. - -Sample value for this node to enable this policy is: - -```xml - -``` -Data ID: - -- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives -- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives - -If this policy is disabled, users can't use BitLocker on removable disk drives. - -If you don't configure this policy setting, users can use BitLocker on removable disk drives. - - - -**AllowWarningForOtherDiskEncryption** - -Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is set to 1. 
- -> [!IMPORTANT] -> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](/windows/device-security/bitlocker/bitlocker-overview). - -> [!Warning] -> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -The following list shows the supported values: - -- 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. Windows will attempt to silently enable BitLocker for value 0. -- 1 (default) – Warning prompt allowed. - -```xml - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - 0 - - -``` - -> [!NOTE] ->When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. -> ->The endpoint for a fixed data drive's backup is chosen in the following order: -> - >1. The user's Windows Server Active Directory Domain Services account. - >2. The user's Azure Active Directory account. - >3. The user's personal OneDrive (MDM/MAM only). -> ->Encryption will wait until one of these three locations backs up successfully. - - -**AllowStandardUserEncryption** - -Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user of Azure AD account. - - -> [!NOTE] -> This policy is only supported in Azure AD accounts. 
- -"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. - -If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -The expected values for this policy are: - -- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. -- 0 = This value is the default value, when the policy isn't set. If the current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive. - -If you want to disable this policy, use the following SyncML: - -```xml - - 111 - - - ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption - - - int - - 0 - - -``` - - - - -**ConfigureRecoveryPasswordRotation** - - -This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys. 
- - - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -Value type is int. - -Supported operations are Add, Delete, Get, and Replace. - - - -Supported values are: - -- 0 – Refresh off (default). -- 1 – Refresh on for Azure AD-joined devices. -- 2 – Refresh on for both Azure AD-joined and hybrid-joined devices. - - - - - - -**RotateRecoveryPasswords** - - - -This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. If errors occur, an error code will be returned so that server can take appropriate action to remediate. - - -The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. - -Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request. - -Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh. - -Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. - -Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request. 
-- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. -- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -Value type is string. - -Supported operation is Execute. Request ID is expected as a parameter. + + + > [!NOTE] > Key rotation is supported only on these enrollment types. For more information, see [deviceEnrollmentType enum](/graph/api/resources/intune-devices-deviceenrollmenttype). -> - windowsAzureADJoin. -> - windowsBulkAzureDomainJoin. -> - windowsAzureADJoinUsingDeviceAuth. -> - windowsCoManagement. +> +> - windowsAzureADJoin. +> - windowsBulkAzureDomainJoin. +> - windowsAzureADJoinUsingDeviceAuth. +> - windowsCoManagement. > [!TIP] > Key rotation feature will only work when: > > - For Operating system drives: -> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required"). -> - OSActiveDirectoryBackup_Name is set to true. +> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required"). +> - OSActiveDirectoryBackup_Name is set to true. +> > - For Fixed data drives: -> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required"). -> - FDVActiveDirectoryBackup_Name is set to true. +> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required"). +> - FDVActiveDirectoryBackup_Name is set to true. + -**Status** -Interior node. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + - + + + - -**Status/DeviceEncryptionStatus** - + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/Status +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Status/DeviceEncryptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/Status/DeviceEncryptionStatus +``` + + + + This node reports compliance state of device encryption on the system. - - +Value '0' means the device is compliant. Any other value represents a non-compliant device. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - - -Value type is int. - -Supported operation is Get. - -Supported values: - -- 0 - Indicates that the device is compliant. -- Any non-zero value - Indicates that the device isn't compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table: + + +This value represents a bitmask with each bit and the corresponding error code described in the following table: | Bit | Error Code | |-----|------------| @@ -1418,70 +1349,931 @@ Supported values: | 14 |The TPM isn't ready for BitLocker.| | 15 |The network isn't available, which is required for recovery key backup. | | 16-31 |For future use.| + - + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + - + + + -**Status/RotateRecoveryPasswordsStatus** - + -This node reports the status of RotateRecoveryPasswords request. - + +### Status/RemovableDrivesEncryptionStatus -Status code can be one of the following values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -- 2 – Not started -- 1 - Pending -- 0 - Pass -- Any other code - Failure HRESULT - + +```Device +./Device/Vendor/MSFT/BitLocker/Status/RemovableDrivesEncryptionStatus +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This node reports compliance state of removal drive encryption. "0" Value means the removal drive is encrypted following all set removal drive settings. + - + + + -Value type is int. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + - + + + - + -**Status/RotateRecoveryPasswordsRequestID** + +### Status/RotateRecoveryPasswordsRequestID - -This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. -This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID. - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/BitLocker/Status/RotateRecoveryPasswordsRequestID +``` + - + + +This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. +This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus +To ensure the status is correctly matched to the request ID. + -Value type is string. + + + -Supported operation is Get. + +**Description framework properties**: -### SyncML example +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Status/RotateRecoveryPasswordsStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/Status/RotateRecoveryPasswordsStatus +``` + + + + +This Node reports the status of RotateRecoveryPasswords request. +Status code can be one of the following: +NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## SystemDrivesDisallowStandardUsersCanChangePIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesDisallowStandardUsersCanChangePIN +``` + + + + +This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. + +This policy setting is applied when you turn on BitLocker. + +- If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. + +- If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords. + + + + +> [!NOTE] +> To change the PIN or password, the user must be able to provide the current PIN or password. + +Sample value for this node to disable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisallowStandardUsersCanChangePIN_Name | +| Friendly Name | Disallow standard users from changing the PIN or password | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | DisallowStandardUserPINReset | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEnablePrebootInputProtectorsOnSlates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEnablePrebootInputProtectorsOnSlates +``` + + + + +This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability. + +The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password. + +- If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard). + +- If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. + +**Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include +- Configure TPM startup PIN Required/Allowed +- Configure TPM startup key and PIN Required/Allowed +- Configure use of passwords for operating system drives. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnablePrebootInputProtectorsOnSlates_Name | +| Friendly Name | Enable use of BitLocker authentication requiring preboot keyboard input on slates | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | OSEnablePrebootInputProtectorsOnSlates | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEnablePreBootPinExceptionOnDECapableDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEnablePreBootPinExceptionOnDECapableDevice +``` + + + + +This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware. + +- If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. + +- If this policy is not enabled, the options of "Require additional authentication at startup" policy apply. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnablePreBootPinExceptionOnDECapableDevice_Name | +| Friendly Name | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | OSEnablePreBootPinExceptionOnDECapableDevice | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + +>[!NOTE] +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. +> For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> +> For more information about the tool to manage BitLocker, see [manage-bde](/windows-server/administration/windows-commands/manage-bde). 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OSEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on operating system drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | OSEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEnhancedPIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEnhancedPIN +``` + + + + +This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. + +Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. + +- If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. + +> [!NOTE] +> Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. + +- If you disable or do not configure this policy setting, enhanced PINs will not be used. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnhancedPIN_Name | +| Friendly Name | Allow enhanced PINs for startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | UseEnhancedPin | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesMinimumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength +``` + + + + +This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + +- If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. + +- If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. + +> [!NOTE] +> If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. + + + + +> [!NOTE] +> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. + +Sample value for this node to enable this policy is: + +```xml + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MinimumPINLength_Name | +| Friendly Name | Configure minimum PIN length for startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength + + + chr + + + + +``` + + + + + +## SystemDrivesRecoveryMessage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage +``` + + + + +This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. + +If you select the "Use default recovery message and URL" option, the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and select the "Use default recovery message and URL" option. + +If you select the "Use custom recovery message" option, the message you type in the "Custom recovery message option" text box will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. + +If you select the "Use custom recovery URL" option, the URL you type in the "Custom recovery URL option" text box will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. + +> [!NOTE] +> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. + + + + +Data ID elements: + +- PrebootRecoveryInfoDropDown_Name: Select an option for the pre-boot recovery message. +- RecoveryMessage_Input: Custom recovery message +- RecoveryUrl_Input: Custom recovery URL + +Sample value for this node to enable this policy is: + +```xml + + + + +``` + +The possible values for 'xx' are: + +- 0 = Empty +- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). +- 2 = Custom recovery message is set. 
+- 3 = Custom recovery URL is set. + +The possible value for 'yy' and 'zz' is a string of max length 900 and 500 respectively. + +> [!NOTE] +> +> - When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. +> - Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PrebootRecoveryInfo_Name | +| Friendly Name | Configure pre-boot recovery message and URL | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage + + + chr + + + + +``` + + + + + +## SystemDrivesRecoveryOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions +``` + + + + +This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. + +The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. + +In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + +Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. + +In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS. 
+ +Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + +> [!NOTE] +> If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated. + +- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. + +- If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. + + + + +Data ID elements: + +- OSAllowDRA_Name: Allow certificate-based data recovery agent +- OSRecoveryPasswordUsageDropDown_Name and OSRecoveryKeyUsageDropDown_Name: Configure user storage of BitLocker recovery information +- OSHideRecoveryPage_Name: Omit recovery options from the BitLocker setup wizard +- OSActiveDirectoryBackup_Name and OSActiveDirectoryBackupDropDown_Name: Save BitLocker recovery information to Active Directory Domain Services +- OSRequireActiveDirectoryBackup_Name: Do not enable BitLocker until recovery information is stored in AD DS for operating system drives + +Sample value for this node to enable this policy is: + +```xml + + + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 0 = Disallowed +- 1 = Required +- 2 = Allowed + +The possible values for 'zz' are: + +- 1 = Store recovery passwords and key packages. +- 2 = Store recovery passwords only. 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OSRecoveryUsage_Name | +| Friendly Name | Choose how BitLocker-protected operating system drives can be recovered | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | OSRecovery | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions + + + chr + + + + +``` + + + + + +## SystemDrivesRequireStartupAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication +``` + + + + +This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. + +> [!NOTE] +> Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. + +If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. + +On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. + +- If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. 
+ +> [!NOTE] +> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool [manage-bde](/windows-server/administration/windows-commands/manage-bde) instead of the BitLocker Drive Encryption setup wizard. + + + + +> [!NOTE] +> +> - In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. +> - Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. +Data ID elements: + +- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). +- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key. +- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN. +- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN. +- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup. + +Sample value for this node to enable this policy is: + +```xml + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 2 = Optional +- 1 = Required +- 0 = Disallowed + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureAdvancedStartup_Name | +| Friendly Name | Require additional authentication at startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | UseAdvancedStartup | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication + + + chr + + + + +``` + + + + + + +## SyncML example The following example is provided to show proper format and shouldn't be taken as a recommendation. @@ -1644,9 +2436,10 @@ The following example is provided to show proper format and shouldn't be taken a ``` + - + -## Related topics +## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 5c397b3bce..081ef8b6f2 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md 
@@ -1,63 +1,65 @@ --- title: BitLocker DDF file -description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider. +description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/22/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/30/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # BitLocker DDF file -This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the BitLocker configuration service provider. ```xml -]> +]> 1.2 - - BitLocker - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/5.0/MDM/BitLocker - - - - - RequireStorageCardEncryption - - - - - - - - Allows the Admin to require storage card encryption on the device. + + + + BitLocker + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + RequireStorageCardEncryption + + + + + + + + 0 + Allows the Admin to require storage card encryption on the device. The format is integer. This policy is only valid for mobile SKU. Sample value for this node to enable this policy: 
@@ -65,99 +67,89 @@ The XML below is the current version for this CSP. Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on. If you want to disable this policy use the following SyncML: - - 100 - - - ./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - RequireDeviceEncryption - - - - - - - - Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. + 100./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryptionint0 + + + + + + + + + + + + + + + 0 + Storage cards do not need to be encrypted. + + + 1 + Require storage cards to be encrypted. + + + + + + + RequireDeviceEncryption + + + + + + + + 0 + Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. The format is integer. Sample value for this node to enable this policy: 1 Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on. If you want to disable this policy use the following SyncML: - - 101 - - - ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - EncryptionMethodByDriveType - - - - - - - - This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. + 101./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryptionint0 + + + + + + + + + + + + + + + 0 + Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. + + + 1 + Enable. The device's enforcement status is checked. 
Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy). + + + + + + EncryptionMethodByDriveType + + + + + + + + This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511). If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.” The format is string. Sample value for this node to enable this policy and set the encryption methods is: - <enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/> + EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. 
@@ -170,48 +162,37 @@ The XML below is the current version for this CSP. 7 = XTS-AES 256 If you want to disable this policy use the following SyncML: - - 102 - - - ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType - - - chr - - <disabled/> - - + 102./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveTypechr Note: Maps to GP EncryptionMethodWithXts_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory - EncryptionMethodWithXts_Name - - - - SystemDrivesRequireStartupAuthentication - - - - - - - - This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + SystemDrivesRequireStartupAuthentication + + + + + + + + This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. 
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both. @@ -220,7 +201,7 @@ The XML below is the current version for this CSP. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/> + ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) All of the below settings are for computers with a TPM. 
@@ -240,106 +221,84 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 103 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - - - chr - - <disabled/> - - + 103./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthenticationchr Note: Maps to GP ConfigureAdvancedStartup_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - ConfigureAdvancedStartup_Name - - - - SystemDrivesMinimumPINLength - - - - - - - - This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + + + + + + + + + + + + + + + + + + + SystemDrivesMinimumPINLength + + + + + + + + This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="MinPINLength" value="xx"/> + Disabling the policy will let the system choose the default behaviors. 
If you want to disable this policy use the following SyncML: - - 104 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - - - chr - - <disabled/> - - + 104./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLengthchr Note: Maps to GP MinimumPINLength_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - MinimumPINLength_Name - - - - SystemDrivesRecoveryMessage - - - - - - - - This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. + + + + + + + + + + + + + + + + + + + SystemDrivesRecoveryMessage + + + + + + + + This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. If you set the "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). If you set the "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. If you set the "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. The format is string. 
Sample value for this node to enable this policy is: - <enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/> + The possible values for 'xx' are: 0 = Empty 
@@ -351,48 +310,37 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 105 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - - - chr - - <disabled/> - - + 105./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessagechr Note: Maps to GP PrebootRecoveryInfo_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - PrebootRecoveryInfo_Name - - - - SystemDrivesRecoveryOptions - - - - - - - - This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + SystemDrivesRecoveryOptions + + + + + + + + This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. 
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. @@ -403,7 +351,7 @@ The XML below is the current version for this CSP. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -420,48 +368,37 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 106 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - - - chr - - <disabled/> - - + 106./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptionschr Note: Maps to GP OSRecoveryUsage_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - OSRecoveryUsage_Name - - - - FixedDrivesRecoveryOptions - - - - - - - - This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + FixedDrivesRecoveryOptions + + + + + + + + This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. 
This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. @@ -472,7 +409,7 @@ The XML below is the current version for this CSP. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -489,105 +426,83 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 107 - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - - - chr - - <disabled/> - - + 107./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptionschr Note: Maps to GP FDVRecoveryUsage_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory - FDVRecoveryUsage_Name - - - - FixedDrivesRequireEncryption - - - - - - - - This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. + + + + + + + + + + + + + + + + + + + FixedDrivesRequireEncryption + + + + + + + + This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. The format is string. Sample value for this node to enable this policy is: - <enabled/> + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 108 - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - - - chr - - <disabled/> - - + 108./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryptionchr Note: Maps to GP FDVDenyWriteAccess_Name policy. 
- - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory - FDVDenyWriteAccess_Name - - - - RemovableDrivesRequireEncryption - - - - - - - - This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. + + + + + + + + + + + + + + + + + + + RemovableDrivesRequireEncryption + + + + + + + + This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="RDVCrossOrg" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -595,48 +510,73 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 109 - - - ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - - - chr - - <disabled/> - - + 109./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryptionchr Note: Maps to GP RDVDenyWriteAccess_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory - RDVDenyWriteAccess_Name - - - - AllowWarningForOtherDiskEncryption - - - - - - - - Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) + + + + + + + + + + + + + + + + + + + RemovableDrivesExcludedFromEncryption + + + + + + + + When enabled, allows you to exclude removable drives and devices connected over USB interface from BitLocker Device Encryption. Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004. + + + + + + + + + + + + + + + + + 10.0.22000 + 5.0 + + + + + LastWrite + + + + AllowWarningForOtherDiskEncryption + + + + + + + + 1 + Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) and turn on encryption on the user machines silently. Warning: When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. 
@@ -646,51 +586,46 @@ The XML below is the current version for this CSP. 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, - the value 0 only takes affect on Azure Active Directory-joined devices. + the value 0 only takes affect on Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. If you want to disable this policy use the following SyncML: - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - AllowStandardUserEncryption - - - - - - - - Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. + 110./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryptionint0 + + + + + + + + + + + + + + + 0 + Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. + + + 1 + Warning prompt allowed. + + + + + + AllowStandardUserEncryption + + + + + + + + 0 + Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced. If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. 
@@ -702,100 +637,107 @@ The XML below is the current version for this CSP. will not try to enable encryption on any drive. If you want to disable this policy use the following SyncML: - - 111 - - - ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - - ConfigureRecoveryPasswordRotation - - - - - - - - Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Azure Active Directory and Hybrid domain joined devices. - When not configured, Rotation is turned on by default for Azure AD only and off on Hybrid. The Policy will be effective only when + 111./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryptionint0 + + + + + + + + + + + + + + 10.0.17763 + 3.0 + + + + 0 + This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. + + + 1 + "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. + + + + + + Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption + + [0] + + + + + + + + ConfigureRecoveryPasswordRotation + + + + + + + + 0 + Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. + When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" Supported Values: 0 - Numeric Recovery Passwords rotation OFF. 
- 1 - Numeric Recovery Passwords Rotation upon use ON for Azure Active Directory-joined devices. Default value - 2 - Numeric Recovery Passwords Rotation upon use ON for both Azure AD and Hybrid devices + 1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value + 2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices If you want to disable this policy use the following SyncML: - - 112 - - - ./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - - - RotateRecoveryPasswords - - - - - Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. + 112./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotationint0 + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + 0 + Refresh off (default) + + + 1 + Refresh on for Azure AD-joined devices + + + 2 + Refresh on for both Azure AD-joined and hybrid-joined devices + + + + + + RotateRecoveryPasswords + + + + + Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. This policy is Execute type and rotates all numeric passwords when issued from MDM tools. The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." 
@@ -811,133 +753,522 @@ The policy only comes into effect when Active Directory backup for a recovery pa Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ - - 113 - - - ./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords - - - chr - - <RequestID/> - - - - - - - - - - - - - - text/plain - + 113./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswordschr + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + Status + + + + + + + + + + + + + + + + + + 10.0.18362 + 4.0 + + + + DeviceEncryptionStatus + + + + + This node reports compliance state of device encryption on the system. + Value '0' means the device is compliant. Any other value represents a non-compliant device. + + + + + + + + + + + + + - - - - Status - - - - - - - - - - - - - - - - - - - DeviceEncryptionStatus - - - - - This node reports compliance state of device encryption on the system. - Value '0' means the device is compliant. Any other value represents a non-compliant device. - - - - - - - - - - - - text/plain - - - - - - RotateRecoveryPasswordsStatus - - - - - This Node reports the status of RotateRecoveryPasswords request. - Status code can be one of the following: - NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure - - - - - - - - - - - - - text/plain - - - - - - RotateRecoveryPasswordsRequestID - - - - - This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. - This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus - To ensure the status is correctly matched to the request ID. - - - - - - - - - - - - - text/plain - - - - + + RotateRecoveryPasswordsStatus + + + + + This Node reports the status of RotateRecoveryPasswords request. 
+ Status code can be one of the following: + NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure + + + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + RotateRecoveryPasswordsRequestID + + + + + This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. + This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus + To ensure the status is correctly matched to the request ID. + + + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + RemovableDrivesEncryptionStatus + + + + + This node reports compliance state of removal drive encryption. "0" Value means the removal drive is encrypted following all set removal drive settings. + + + + + + + + + + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + IdentificationField + + + + + + + + + This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. 
+ The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations. + You can configure the identification fields on existing drives by using manage-bde.exe. + If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. + When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. + If you disable or do not configure this policy setting, the identification field is not required. + + Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer. + + + + + + + + + + + + IdentificationField + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + FixedDrivesEncryptionType + + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. 
Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + + + + + + + + FixedDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnhancedPIN + + + + + + + + + This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. + Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. + If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. + Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. + If you disable or do not configure this policy setting, enhanced PINs will not be used. + + + + + + + + + + + SystemDrivesEnhancedPIN + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesDisallowStandardUsersCanChangePIN + + + + + + + + + This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. + This policy setting is applied when you turn on BitLocker. + If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. 
+ If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords. + + + + + + + + + + + SystemDrivesDisallowStandardUsersCanChangePIN + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnablePrebootInputProtectorsOnSlates + + + + + + + + + This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability. + + The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password. + If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard). + If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. + + Note that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include: + - Configure TPM startup PIN: Required/Allowed + - Configure TPM startup key and PIN: Required/Allowed + - Configure use of passwords for operating system drives. + + + + + + + + + + + SystemDrivesEnablePrebootInputProtectorsOnSlates + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEncryptionType + + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. 
Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + + + + + + + + SystemDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnablePreBootPinExceptionOnDECapableDevice + + + + + + + + + This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware. + If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. + If this policy is not enabled, the options of "Require additional authentication at startup" policy apply. + + + + + + + + + + + SystemDrivesEnablePreBootPinExceptionOnDECapableDevice + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + RemovableDrivesConfigureBDE + + + + + + + + This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. 
+ + + + + + + + + + RemovableDrivesConfigureBDE + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + RemovableDrivesEncryptionType + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + + + + + + + + + + RemovableDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + + + + + + + Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE + + + + + + + LastWrite + + + ``` -## Related topics +## Related articles -[BitLocker configuration service provider](bitlocker-csp.md) +[BitLocker configuration service provider reference](bitlocker-csp.md) diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 7f9a4ba349..2ea3f57533 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md 
@@ -1,441 +1,3114 @@ --- title: CertificateStore CSP -description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates. -ms.reviewer: +description: Learn more about the CertificateStore CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 02/28/2020 +ms.topic: reference --- + + + # CertificateStore CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates. -> [!Note] -> The CertificateStore configuration service provider does not support installing client certificates. -> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. +> [!NOTE] +> The CertificateStore configuration service provider does not support installing client certificates. The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. For the CertificateStore CSP, you can't use the Replace command unless the node already exists. + -The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. 
+ +The following list shows the CertificateStore configuration service provider nodes: -```console -./Vendor/MSFT -CertificateStore -----ROOT ---------* -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName ---------System -------------* -----------------EncodedCertificate -----------------IssuedBy -----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName -----MY ---------User -------------* -----------------EncodedCertificate -----------------IssuedBy -----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName ---------SCEP -------------* -----------------Install ---------------------ServerURL ---------------------Challenge ---------------------EKUMapping ---------------------KeyUsage ---------------------SubjectName ---------------------KeyProtection ---------------------RetryDelay ---------------------RetryCount ---------------------TemplateName ---------------------KeyLength ---------------------HashAlgrithm ---------------------CAThumbPrint ---------------------SubjectAlternativeNames ---------------------ValidPeriod ---------------------ValidPeriodUnit ---------------------Enroll -----------------CertThumbPrint -----------------Status -----------------ErrorCode ---------WSTEP -------------CertThumprint -------------Renew -----------------RenewPeriod -----------------ServerURL -----------------RetryInterval -----------------ROBOSupport -----------------Status -----------------ErrorCode -----------------LastRenewalAttemptTime (Added in Windows 10, version 1607) -----------------RenewNow (Added in Windows 10, version 1607) -----------------RetryAfterExpiryInterval (Added in Windows 10, version 1703) -----CA ---------* -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName 
---------System -------------* -----------------EncodedCertificate -----------------IssuedBy -----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName +- ./Device/Vendor/MSFT/CertificateStore + - [CA](#ca) + - [{CertHash}](#cacerthash) + - [EncodedCertificate](#cacerthashencodedcertificate) + - [IssuedBy](#cacerthashissuedby) + - [IssuedTo](#cacerthashissuedto) + - [TemplateName](#cacerthashtemplatename) + - [ValidFrom](#cacerthashvalidfrom) + - [ValidTo](#cacerthashvalidto) + - [System](#casystem) + - [{CertHash}](#casystemcerthash) + - [EncodedCertificate](#casystemcerthashencodedcertificate) + - [IssuedBy](#casystemcerthashissuedby) + - [IssuedTo](#casystemcerthashissuedto) + - [TemplateName](#casystemcerthashtemplatename) + - [ValidFrom](#casystemcerthashvalidfrom) + - [ValidTo](#casystemcerthashvalidto) + - [MY](#my) + - [SCEP](#myscep) + - [{UniqueID}](#myscepuniqueid) + - [CertThumbPrint](#myscepuniqueidcertthumbprint) + - [ErrorCode](#myscepuniqueiderrorcode) + - [Install](#myscepuniqueidinstall) + - [CAThumbPrint](#myscepuniqueidinstallcathumbprint) + - [Challenge](#myscepuniqueidinstallchallenge) + - [EKUMapping](#myscepuniqueidinstallekumapping) + - [Enroll](#myscepuniqueidinstallenroll) + - [HashAlgrithm](#myscepuniqueidinstallhashalgrithm) + - [KeyLength](#myscepuniqueidinstallkeylength) + - [KeyProtection](#myscepuniqueidinstallkeyprotection) + - [KeyUsage](#myscepuniqueidinstallkeyusage) + - [RetryCount](#myscepuniqueidinstallretrycount) + - [RetryDelay](#myscepuniqueidinstallretrydelay) + - [ServerURL](#myscepuniqueidinstallserverurl) + - [SubjectAlternativeNames](#myscepuniqueidinstallsubjectalternativenames) + - [SubjectName](#myscepuniqueidinstallsubjectname) + - [TemplateName](#myscepuniqueidinstalltemplatename) + - [ValidPeriod](#myscepuniqueidinstallvalidperiod) + - [ValidPeriodUnit](#myscepuniqueidinstallvalidperiodunit) + - [Status](#myscepuniqueidstatus) + - [User](#myuser) + - 
[{CertHash}](#myusercerthash) + - [EncodedCertificate](#myusercerthashencodedcertificate) + - [IssuedBy](#myusercerthashissuedby) + - [IssuedTo](#myusercerthashissuedto) + - [TemplateName](#myusercerthashtemplatename) + - [ValidFrom](#myusercerthashvalidfrom) + - [ValidTo](#myusercerthashvalidto) + - [WSTEP](#mywstep) + - [CertThumprint](#mywstepcertthumprint) + - [Renew](#mywsteprenew) + - [ErrorCode](#mywsteprenewerrorcode) + - [LastRenewalAttemptTime](#mywsteprenewlastrenewalattempttime) + - [RenewNow](#mywsteprenewrenewnow) + - [RenewPeriod](#mywsteprenewrenewperiod) + - [RetryAfterExpiryInterval](#mywsteprenewretryafterexpiryinterval) + - [RetryInterval](#mywsteprenewretryinterval) + - [ROBOSupport](#mywsteprenewrobosupport) + - [ServerURL](#mywsteprenewserverurl) + - [Status](#mywsteprenewstatus) + - [ROOT](#root) + - [{CertHash}](#rootcerthash) + - [EncodedCertificate](#rootcerthashencodedcertificate) + - [IssuedBy](#rootcerthashissuedby) + - [IssuedTo](#rootcerthashissuedto) + - [TemplateName](#rootcerthashtemplatename) + - [ValidFrom](#rootcerthashvalidfrom) + - [ValidTo](#rootcerthashvalidto) + - [System](#rootsystem) + - [{CertHash}](#rootsystemcerthash) + - [EncodedCertificate](#rootsystemcerthashencodedcertificate) + - [IssuedBy](#rootsystemcerthashissuedby) + - [IssuedTo](#rootsystemcerthashissuedto) + - [TemplateName](#rootsystemcerthashtemplatename) + - [ValidFrom](#rootsystemcerthashvalidfrom) + - [ValidTo](#rootsystemcerthashvalidto) + + + +## CA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA ``` + -**Root/System** -Defines the certificate store that contains root, or self-signed, certificates. + + +This cryptographic store contains intermediary certification authorities. + -Supported operation is Get. + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### CA/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +#### CA/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### CA/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### CA/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System +``` + + + + +This store holds the System portion of the CA store. + + + + +> [!NOTE] +> Use [RootCATrustedCertificates CSP](rootcacertificates-csp.md) moving forward for installing CA certificates. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### CA/System/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### CA/System/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### CA/System/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## MY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY +``` + + + + +This store keeps all end-user personal certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### MY/SCEP > [!NOTE] -> Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates. +> This policy is deprecated and may be removed in a future release. -**CA/System** -Defines the certificate store that contains cryptographic information, including intermediary certification authorities. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP +``` + + + +This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + + + + > [!NOTE] -> CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. +> Use [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) to install SCEP certificates moving forward. + -**My/User** -Defines the certificate store that contains public keys for client certificates. This certificate store is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -> [!NOTE] -> My/User is case sensitive. + + + -**My/System** -Defines the certificate store that contains public key for client certificate. This certificate store is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. + -Supported operation is Get. + +#### MY/SCEP/{UniqueID} -> [!NOTE] -> My/System is case sensitive. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -***CertHash*** -Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID} +``` + -Supported operations are Get, Delete, and Replace. + + +The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. + -***CertHash*/EncodedCertificate** -Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -***CertHash*/IssuedBy** -Required. Returns the name of the certificate issuer. This name is equivalent to the *Issuer* member in the CERT\_INFO data structure. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + -Supported operation is Get. + + + -***CertHash*/IssuedTo** -Required. Returns the name of the certificate subject. This name is equivalent to the *Subject* member in the CERT\_INFO data structure. + -Supported operation is Get. + +##### MY/SCEP/{UniqueID}/CertThumbPrint -***CertHash*/ValidFrom** -Required. Returns the starting date of the certificate's validity. This date is equivalent to the *NotBefore* member in the CERT\_INFO structure. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/CertThumbPrint +``` + -***CertHash*/ValidTo** -Required. Returns the expiration date of the certificate. This expiration date is equivalent to the *NotAfter* member in the CERT\_INFO structure. + + +Specify the current cert's thumbprint. + -Supported operation is Get. + + +20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + -***CertHash*/TemplateName** -Required. Returns the certificate template name. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**My/SCEP** -Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollment. The parent node grouping the SCEP certificate related settings. + + + -Supported operation is Get. + -> [!NOTE] -> Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP. + +##### MY/SCEP/{UniqueID}/ErrorCode -**My/SCEP/***UniqueID* -Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/ErrorCode +``` + -**My/SCEP/*UniqueID*/Install** -Required for SCEP certificate enrollment. Parent node to group SCEP certificate installs related request. Format is node. + + +Specify the last hresult in case enroll action failed. + -Supported operations are Add, Replace, and Delete. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### MY/SCEP/{UniqueID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install +``` + + + + +The group to represent the install request. + + + + > [!NOTE] > Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values. + -**My/SCEP/*UniqueID*/Install/ServerURL** -Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**My/SCEP/*UniqueID*/Install/Challenge** -Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Value type is chr. + + + -Supported operations are Get, Add, Replace, and Delete. + -Challenge will be deleted shortly after the Exec command is accepted. + +###### MY/SCEP/{UniqueID}/Install/CAThumbPrint -**My/SCEP/*UniqueID*/Install/EKUMapping** -Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs is separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/CAThumbPrint +``` + -**My/SCEP/*UniqueID*/Install/KeyUsage** -Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. Value type is an integer. + + +Specify root CA thumbprint. + -Supported operations are Get, Add, Delete, and Replace. + + +20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. + -**My/SCEP/*UniqueID*/Install/SubjectName** -Required. Specifies the subject name. + +**Description framework properties**: -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + -Value type is chr. + -Supported operations are Get, Add, Delete, and Replace. + +###### MY/SCEP/{UniqueID}/Install/Challenge -**My/SCEP/*UniqueID*/Install/KeyProtection** -Optional. Specifies the location of the private key. Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported values are one of the following values: + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Challenge +``` + -- 1 – Private key is protected by device TPM. + + +Enroll requester authentication shared secret. + -- 2 – Private key is protected by device TPM if the device supports TPM. + + +The value must be base64 encoded. Challenge is deleted shortly after the Exec command is accepted. + -- 3 (default) – Private key is only saved in the software KSP. + +**Description framework properties**: -Value type is an integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -Supported operations are Get, Add, Delete, and Replace. + + + -**My/SCEP/*UniqueID*/Install/RetryDelay** -Optional. Specifies the device retry waiting time in minutes when the SCEP server sends the pending status. Default value is 5 and the minimum value is 1. Value type is an integer. + -Supported operations are Get, Add, and Delete. + +###### MY/SCEP/{UniqueID}/Install/EKUMapping -**My/SCEP/*UniqueID*/Install/RetryCount** -Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/EKUMapping +``` + -**My/SCEP/*UniqueID*/Install/TemplateName** -Optional. OID of certificate template name. + + +Specify extended key usages. The list of OIDs are separated by plus "+". + -> [!Note] -> Template name is typically ignored by the SCEP server, so the MDM server typically doesn't need to provide it. Value type is `chr`. + + + -Supported operations are Get, Add, and Delete. + +**Description framework properties**: -**My/SCEP/*UniqueID*/Install/KeyLength** -Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -Supported operations are Get, Add, Delete, and Replace. + + + -**My/SCEP/*UniqueID*/Install/HashAlgorithm** -Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +. + -Value type is chr. + +###### MY/SCEP/{UniqueID}/Install/Enroll -Supported operations are Get, Add, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies the root CA thumbprint. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. Value type is chr. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Enroll +``` + -Supported operations are Get, Add, Delete, and Replace. + + +Start the cert enrollment. + -**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *\*+*\*;*\*+*\*. Value type is chr. + + +The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value. + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**My/SCEP/*UniqueID*/Install/ValidPeriod** -Optional. Specifies the units for the valid period. Value type is chr. +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + -Supported operations are Get, Add, Delete, and Replace. + + + -Valid values are one of the following values: + + + +###### MY/SCEP/{UniqueID}/Install/HashAlgrithm + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/HashAlgrithm +``` + + + + +Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. + + + + +Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyLength +``` + + + + +Specify private key length (RSA). + + + + +Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyProtection +``` + + + + +Specify where to keep the private key. + + + + +Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. Supported values are one of the following values: + +- 1: Private key is protected by device TPM. +- 2: Private key is protected by device TPM if the device supports TPM. +- 3 (default): Private key is only saved in the software KSP. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyUsage +``` + + + + +Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. + + + + +The value must be specified in decimal format and should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/RetryCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryCount +``` + + + + +When the SCEP sends pending status, specify device retry times. + + + + +Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/RetryDelay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryDelay +``` + + + + +When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + +Default value is 5 and the minimum value is 1. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ServerURL +``` + + + + +Specify the cert enrollment server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames +``` + + + + +Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. + + + + +or example, multiple subject alternative names are presented in the format `+;+`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/SubjectName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectName +``` + + + + +Specify the subject name. + + + + +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (`,`, `=`, `+`, `;`). For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/TemplateName +``` + + + + +Certificate Template Name OID (As in AD used by PKI infrastructure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ValidPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriod +``` + + + + +Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. + + + + +Valid values are one of the following: - Days (default) - Months - Years + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ValidPeriodUnit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriodUnit +``` + + + + +Specify valid period unit type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + +Default is 0. The period is defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. > [!NOTE] > The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. + -**My/SCEP/*UniqueID*/Install/ValidPeriodUnits** -Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer. + -Supported operations are Get, Add, Delete, and Replace. + +##### MY/SCEP/{UniqueID}/Status -> [!NOTE] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/SCEP/*UniqueID*/Install/Enroll** -Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Status +``` + -Supported operation is Exec. - -**My/WSTEP/CertThumbprint** -Optional. Returns the current MDM client certificate thumbprint. If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. Value type is chr. - -Supported operation is Get. - -**My/SCEP/*UniqueID*/Status** -Required. Specifies the latest status for the certificate due to enrollment request. Value type is chr. - -Supported operation is Get. + + +Specify the latest status for the certificate due to enroll request. + + + Valid values are one of the following values: -- 1 – Finished successfully. +- 1: Finished successfully. +- 2: Pending. The device hasn't finished the action, but has received the SCEP server pending response. +- 16: Action failed. +- 32: Unknown. + -- 2 – Pending. The device hasn't finished the action, but has received the SCEP server pending response. + +**Description framework properties**: -- 16 - Action failed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -- 32 – Unknown. + + + -**My/SCEP/*UniqueID*/ErrorCode** -Optional. The integer value that indicates the HRESULT of the last enrollment error code. + -Supported operation is Get. + +### MY/User -**My/SCEP/*UniqueID*/CertThumbprint** -Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User +``` + -**My/SCEP/*UniqueID*/RespondentServerUrl** -Required. Returns the URL of the SCEP server that responded to the enrollment request. Value type is string. + + +This store holds the User portion of the MY store. + -Supported operation is Get. + + + -**My/WSTEP** -Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**My/WSTEP/Renew** -Optional. The parent node to group renewal related settings. + + + -Supported operation is Get. + -**My/WSTEP/Renew/ServerURL** -Optional. Specifies the URL of certificate renewal server. If this node doesn't exist, the client uses the initial certificate enrollment URL. + +#### MY/User/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### MY/User/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. **Note** that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### MY/User/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### MY/WSTEP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP +``` + + + + +The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. + + + + +The nodes under WSTEP are mostly for MDM client certificate renew requests. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MY/WSTEP/CertThumprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/CertThumprint +``` + + + + +The thumb print of enrolled MDM client certificate. + + + + +If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### MY/WSTEP/Renew + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew +``` + + + + +The parent node to group renewal related settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Atomic Required | True | + + + + + + + + + +##### MY/WSTEP/Renew/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ErrorCode +``` + + + + +If certificate renew fails, this node provide the last hresult code during renew process. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### MY/WSTEP/Renew/LastRenewalAttemptTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/LastRenewalAttemptTime +``` + + + + +Time of last attempted renew. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | time | +| Access Type | Get | + + + + + + + + + +##### MY/WSTEP/Renew/RenewNow + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewNow +``` + + + + +Initiate a renew now. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### MY/WSTEP/Renew/RenewPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewPeriod +``` + + + + +Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. + + + + +The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. + +The default value is 42 and the valid values are 1-1000. + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-1000]` | +| Default Value | 42 | + + + + + + + + + +##### MY/WSTEP/Renew/RetryAfterExpiryInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryAfterExpiryInterval +``` + + + + +How long after the enrollment cert has expiried to keep trying to renew. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | time | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### MY/WSTEP/Renew/RetryInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryInterval +``` + + + + +Optional. This parameter specifies retry interval when previous renew failed (in days). It applies to both manual cert renewal and ROBO cert renewal. Retry schedule will stop at cert expiration date. For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries. For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again. The default value is 7 and the valid values are 1 - 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. + + + + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-1000]` | +| Default Value | 7 | + + + + + + + + + +##### MY/WSTEP/Renew/ROBOSupport + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ROBOSupport +``` + + + + +Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. + + + + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true (Default) | True. | + + + + + + + + + +##### MY/WSTEP/Renew/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ServerURL +``` + + + + +Optional. Specifies the cert renewal server URL which is the discovery server. + + + + +If this node doesn't exist, the client uses the initial certificate enrollment URL. > [!NOTE] > The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service. + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**My/WSTEP/Renew/RenewalPeriod** -Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -The default value is 42 and the valid values are 1 – 1000. Value type is an integer. + + + -Supported operations are Add, Get, Delete, and Replace. + -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +##### MY/WSTEP/Renew/Status -**My/WSTEP/Renew/RetryInterval** -Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/Status +``` + -For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again. + + +Show the latest action status for this certificate. Supported values are one of the following: 0 - Not started. 1 - Renewal in progress. 2 - Renewal succeeded. 3 - Renewal failed. + -The default value is 7 and the valid values are 1 – 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -**My/WSTEP/Renew/ROBOSupport** -Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool. + + + -ROBO is the only supported renewal method for Windows 10. This value is ignored and always considered to be true. + -Supported operations are Add, Get, Delete, and Replace. + +## ROOT -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/WSTEP/Renew/Status** -Required. Shows the latest action status for this certificate. Value type is an integer. + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT +``` + -Supported operation is Get. + + +This store holds only root (self-signed) certificates. + -Supported values are one of the following values: + + + -- 0 – Not started. -- 1 – Renewal in progress. -- 2 – Renewal succeeded. -- 3 – Renewal failed. + +**Description framework properties**: -**My/WSTEP/Renew/ErrorCode** -Optional. If certificate renewal fails, this integer value indicates the HRESULT of the last error code during the renewal process. Value type is an integer. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Get. + + + -**My/WSTEP/Renew/LastRenewalAttemptTime** -Added in Windows 10, version 1607. Specifies the time of the last attempted renewal. + -Supported operation is Get. + +### ROOT/{CertHash} -**My/WSTEP/Renew/RenewNow** -Added in Windows 10, version 1607. Initiates a renewal now. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Execute. + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash} +``` + -**My/WSTEP/Renew/RetryAfterExpiryInterval** -Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew. + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + -Supported operations are Add, Get, and Replace. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +#### ROOT/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### ROOT/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### ROOT/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System +``` + + + + +This store holds the System portion of the root store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### ROOT/System/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### ROOT/System/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### ROOT/System/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + ## Examples Add a root certificate to the MDM server. @@ -703,10 +3376,10 @@ Configure the device to automatically renew an MDM client certificate with the s ``` + -## Related topics - -[Configuration service provider reference](index.yml) - + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index 638bdd1748..8cf58152f0 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md 
@@ -1,1670 +1,1747 @@ --- title: CertificateStore DDF file -description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # CertificateStore DDF file -This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the CertificateStore configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + CertificateStore + ./Device/Vendor/MSFT + + + + + + + This object is used to add or delete a security certificate to the device's certificate store. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - CertificateStore - ./Vendor/MSFT + ROOT + + + + + This store holds only root (self-signed) certificates. + + + + + + + + + + + + + + + + - - - - This object is used to add or delete a security certificate to the device's certificate store. - - - - - - - - - - - - + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + - ROOT - - - - - This store holds only root (self-signed) certificates. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - This store holds the System portion of the root store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. 
- - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + - MY - - - - - This store keeps all end-user personal certificates. - - - - - - - - - - - - - - - User - - - - - This store holds the User portion of the MY store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. Note that during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node and properly enroll a client certificate including private needs a cert enroll protocol to handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. 
This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - - SCEP - - - - - This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment. - - - - - - - - - - - - - - - * - - - - - - - The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. - - - - - - - - - - - - - - - Install - - - - - The group to represent the install request. - - - - - - - - - - - - - - - ServerURL - - - - - - Specify the cert enrollment server. - - - - - - - - - - - text/plain - - - - - Challenge - - - - - - Enroll requester authentication shared secret. - - - - - - - - - - - text/plain - - - - - EKUMapping - - - - - - Specify extended key usages. The list of OIDs are separated by plus “+”. - - - - - - - - - - - text/plain - - - - - KeyUsage - - - - - - Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. - - - - - - - - - - - text/plain - - - - - SubjectName - - - - - - Specify the subject name. - - - - - - - - - - - text/plain - - - - - KeyProtection - - - - - - Specify where to keep the private key. - - - - - - - - - - - text/plain - - - - - RetryDelay - - - - - - When the SCEP server sends pending status, specify device retry waiting time in minutes. - - - - - - - - - - - text/plain - - - - - RetryCount - - - - - - When the SCEP sends pending status, specify device retry times. 
- - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - Certificate Template Name OID (As in AD used by PKI infrastructure. - - - - - - - - - - - text/plain - - - - - KeyLength - - - - - - Specify private key length (RSA). - - - - - - - - - - - text/plain - - - - - HashAlgrithm - - - - - - Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. - - - - - - - - - - - text/plain - - - - - CAThumbPrint - - - - - - Specify root CA thumbprint. - - - - - - - - - - - text/plain - - - - - SubjectAlternativeNames - - - - - - Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. - - - - - - - - - - - text/plain - - - - - ValidPeriod - - - - - Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. - - - - - - - - - - - text/plain - - - - - ValidPeriodUnit - - - - - - Specify valid period unit type. - - - - - - - - - - - text/plain - - - - - Enroll - - - - - Start the cert enrollment. - - - - - - - - - - - text/plain - - - - - - CertThumbPrint - - - - - Specify the current cert’s thumbprint. - - - - - - - - - - - text/plain - - - - - Status - - - - - Specify the latest status for the certificate due to enroll request. - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - Specify the last hresult in case enroll action failed. - - - - - - - - - - - text/plain - - - - - - - WSTEP - - - - - The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. - - - - - - - - - - - - - - - CertThumprint - - - - - The thumb print of enrolled MDM client certificate. - - - - - - - - - - - text/plain - - - - - Renew - - - - - Under this node are the renew properties. 
- - - - - - - - - - - - - - - RenewPeriod - - - - - - - - Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. - - - - - - - - - - - text/plain - - - - - ServerURL - - - - - - - - Optional. Specifies the cert renewal server URL which is the discovery server. - - - - - - - - - - - text/plain - - - - - RetryInterval - - - - - - - - Optional. This parameter specifies retry interval when previous renew failed (in days). It applies to both manual cert renewal and ROBO cert renewal. Retry schedule will stop at cert expiration date. - - - - - - - - - - - text/plain - - - - - ROBOSupport - - - - - - - - Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. - - - - - - - - - - - text/plain - - - - - Status - - - - - Show the latest action status for this certificate. - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - If certificate renew fails, this node provides the last hresult code during renew process. - - - - - - - - - - - text/plain - - - - - LastRenewalAttemptTime - - - - - Time of last attempted renew. - - - - - - - - - - text/plain - - - - - RenewNow - - - - - Initiate a renew now. - - - - - - - - - - - text/plain - - - - - RetryAfterExpiryInterval - - - - - - How long after the enrollment cert has expired to keep trying to renew. - - - - - - - - - - - text/plain - - - - - - - - CA - - - - - This cryptographic store contains intermediary certification authorities. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. 
This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - This store holds the System portion of the CA store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. 
- - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + System + + + + + This store holds the System portion of the root store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + MY + + + + + This store keeps all end-user personal certificates. + + + + + + + + + + + + + + + User + + + + + This store holds the User portion of the MY store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + + + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + SCEP + + + + + This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + + + + + + + + + + + + + + + + + + + + + + + + The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. + + + + + + + + + + UniqueID + + + + + + Install + + + + + The group to represent the install request + + + + + + + + + + + + + + + ServerURL + + + + + + Specify the cert enrollment server. + + + + + + + + + + + + + + + + Challenge + + + + + + Enroll requester authentication shared secret. + + + + + + + + + + + + + + + + EKUMapping + + + + + + Specify extended key usages. The list of OIDs are separated by plus “+”. + + + + + + + + + + + + + + + + KeyUsage + + + + + + Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. + + + + + + + + + + + + + + + + SubjectName + + + + + + Specify the subject name. + + + + + + + + + + + + + + + + KeyProtection + + + + + + Specify where to keep the private key. + + + + + + + + + + + + + + + + RetryDelay + + + + + + When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + + + + + + + + + + + + + RetryCount + + + + + + When the SCEP sends pending status, specify device retry times. + + + + + + + + + + + + + + + + TemplateName + + + + + + Certificate Template Name OID (As in AD used by PKI infrastructure. + + + + + + + + + + + + + + + + KeyLength + + + + + + Specify private key length (RSA). + + + + + + + + + + + + + + + + HashAlgrithm + + + + + + Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. + + + + + + + + + + + + + + + + CAThumbPrint + + + + + + Specify root CA thumbprint. 
+ + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. + + + + + + + + + + + + + + + + ValidPeriod + + + + + Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. + + + + + + + + + + + + + + + + ValidPeriodUnit + + + + + + Specify valid period unit type. + + + + + + + + + + + + + + + + Enroll + + + + + Start the cert enrollment. + + + + + + + + + + + + + + + + + CertThumbPrint + + + + + Specify the current cert’s thumbprint. + + + + + + + + + + + + + + + + Status + + + + + Specify the latest status for the certificate due to enroll request. + + + + + + + + + + + + + + + + ErrorCode + + + + + Specify the last hresult in case enroll action failed. + + + + + + + + + + + + + + + + + + WSTEP + + + + + The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. + + + + + + + + + + + + + + + CertThumprint + + + + + The thumb print of enrolled MDM client certificate. + + + + + + + + + + + + + + + + Renew + + + + + The parent node to group renewal related settings. + + + + + + + + + + + + + + + + RenewPeriod + + + + + + + + 42 + Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. + + + + + + + + + + + + + + [1-1000] + + + + + ServerURL + + + + + + + + Optional. Specifies the cert renewal server URL which is the discovery server. + + + + + + + + + + + + + + + + + + RetryInterval + + + + + + + + 7 + + + + + + + + + + + + + + + [1-1000] + + + + + ROBOSupport + + + + + + + + true + Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. 
For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. + + + + + + + + + + + + + + + true + True + + + + + + Status + + + + + Show the latest action status for this certificate. Supported values are one of the following: 0 – Not started. 1 – Renewal in progress. 2 – Renewal succeeded. 3 – Renewal failed. + + + + + + + + + + + + + + + + ErrorCode + + + + + If certificate renew fails, this node provide the last hresult code during renew process. + + + + + + + + + + + + + + + + LastRenewalAttemptTime + + + + + Time of last attempted renew + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + RenewNow + + + + + Initiate a renew now + + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + RetryAfterExpiryInterval + + + + + + + How long after the enrollment cert has expiried to keep trying to renew + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + + + CA + + + + + This cryptographic store contains intermediary certification authorities. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + System + + + + + This store holds the System portion of the CA store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[CertificateStore configuration service provider](certificatestore-csp.md) \ No newline at end of file +[CertificateStore configuration service provider reference](certificatestore-csp.md) 
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index c1574476c9..630acc3431 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -1,717 +1,3527 @@ --- title: ClientCertificateInstall CSP -description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. -ms.reviewer: +description: Learn more about the ClientCertificateInstall CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/30/2021 +ms.topic: reference --- + + + # ClientCertificateInstall CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|---|---|---| -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. -For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. +> [!NOTE] +> For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. + -> [!Note] -> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed in the user store. 
This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. + +The following list shows the ClientCertificateInstall configuration service provider nodes: -You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. +- ./Device/Vendor/MSFT/ClientCertificateInstall + - [PFXCertInstall](#devicepfxcertinstall) + - [{UniqueID}](#devicepfxcertinstalluniqueid) + - [ContainerName](#devicepfxcertinstalluniqueidcontainername) + - [KeyLocation](#devicepfxcertinstalluniqueidkeylocation) + - [PFXCertBlob](#devicepfxcertinstalluniqueidpfxcertblob) + - [PFXCertPassword](#devicepfxcertinstalluniqueidpfxcertpassword) + - [PFXCertPasswordEncryptionStore](#devicepfxcertinstalluniqueidpfxcertpasswordencryptionstore) + - [PFXCertPasswordEncryptionType](#devicepfxcertinstalluniqueidpfxcertpasswordencryptiontype) + - [PFXKeyExportable](#devicepfxcertinstalluniqueidpfxkeyexportable) + - [Status](#devicepfxcertinstalluniqueidstatus) + - [Thumbprint](#devicepfxcertinstalluniqueidthumbprint) + - [SCEP](#devicescep) + - [{UniqueID}](#devicescepuniqueid) + - [CertThumbprint](#devicescepuniqueidcertthumbprint) + - [ErrorCode](#devicescepuniqueiderrorcode) + - [Install](#devicescepuniqueidinstall) + - [AADKeyIdentifierList](#devicescepuniqueidinstallaadkeyidentifierlist) + - [CAThumbprint](#devicescepuniqueidinstallcathumbprint) + - [Challenge](#devicescepuniqueidinstallchallenge) + - [ContainerName](#devicescepuniqueidinstallcontainername) + - [CustomTextToShowInPrompt](#devicescepuniqueidinstallcustomtexttoshowinprompt) + - [EKUMapping](#devicescepuniqueidinstallekumapping) + - [Enroll](#devicescepuniqueidinstallenroll) + - [HashAlgorithm](#devicescepuniqueidinstallhashalgorithm) + - [KeyLength](#devicescepuniqueidinstallkeylength) + - [KeyProtection](#devicescepuniqueidinstallkeyprotection) + - [KeyUsage](#devicescepuniqueidinstallkeyusage) + - 
[RetryCount](#devicescepuniqueidinstallretrycount) + - [RetryDelay](#devicescepuniqueidinstallretrydelay) + - [ServerURL](#devicescepuniqueidinstallserverurl) + - [SubjectAlternativeNames](#devicescepuniqueidinstallsubjectalternativenames) + - [SubjectName](#devicescepuniqueidinstallsubjectname) + - [TemplateName](#devicescepuniqueidinstalltemplatename) + - [ValidPeriod](#devicescepuniqueidinstallvalidperiod) + - [ValidPeriodUnits](#devicescepuniqueidinstallvalidperiodunits) + - [RespondentServerUrl](#devicescepuniqueidrespondentserverurl) + - [Status](#devicescepuniqueidstatus) +- ./User/Vendor/MSFT/ClientCertificateInstall + - [PFXCertInstall](#userpfxcertinstall) + - [{UniqueID}](#userpfxcertinstalluniqueid) + - [ContainerName](#userpfxcertinstalluniqueidcontainername) + - [KeyLocation](#userpfxcertinstalluniqueidkeylocation) + - [PFXCertBlob](#userpfxcertinstalluniqueidpfxcertblob) + - [PFXCertPassword](#userpfxcertinstalluniqueidpfxcertpassword) + - [PFXCertPasswordEncryptionStore](#userpfxcertinstalluniqueidpfxcertpasswordencryptionstore) + - [PFXCertPasswordEncryptionType](#userpfxcertinstalluniqueidpfxcertpasswordencryptiontype) + - [PFXKeyExportable](#userpfxcertinstalluniqueidpfxkeyexportable) + - [Status](#userpfxcertinstalluniqueidstatus) + - [Thumbprint](#userpfxcertinstalluniqueidthumbprint) + - [SCEP](#userscep) + - [{UniqueID}](#userscepuniqueid) + - [CertThumbprint](#userscepuniqueidcertthumbprint) + - [ErrorCode](#userscepuniqueiderrorcode) + - [Install](#userscepuniqueidinstall) + - [AADKeyIdentifierList](#userscepuniqueidinstallaadkeyidentifierlist) + - [CAThumbprint](#userscepuniqueidinstallcathumbprint) + - [Challenge](#userscepuniqueidinstallchallenge) + - [ContainerName](#userscepuniqueidinstallcontainername) + - [CustomTextToShowInPrompt](#userscepuniqueidinstallcustomtexttoshowinprompt) + - [EKUMapping](#userscepuniqueidinstallekumapping) + - [Enroll](#userscepuniqueidinstallenroll) + - 
[HashAlgorithm](#userscepuniqueidinstallhashalgorithm) + - [KeyLength](#userscepuniqueidinstallkeylength) + - [KeyProtection](#userscepuniqueidinstallkeyprotection) + - [KeyUsage](#userscepuniqueidinstallkeyusage) + - [RetryCount](#userscepuniqueidinstallretrycount) + - [RetryDelay](#userscepuniqueidinstallretrydelay) + - [ServerURL](#userscepuniqueidinstallserverurl) + - [SubjectAlternativeNames](#userscepuniqueidinstallsubjectalternativenames) + - [SubjectName](#userscepuniqueidinstallsubjectname) + - [TemplateName](#userscepuniqueidinstalltemplatename) + - [ValidPeriod](#userscepuniqueidinstallvalidperiod) + - [ValidPeriodUnits](#userscepuniqueidinstallvalidperiodunits) + - [RespondentServerUrl](#userscepuniqueidrespondentserverurl) + - [Status](#userscepuniqueidstatus) + -The following example shows the ClientCertificateInstall configuration service provider in tree format. + +## Device/PFXCertInstall -```console -./Vendor/MSFT -ClientCertificateInstall -----PFXCertInstall ---------UniqueID -------------KeyLocation -------------ContainerName -------------PFXCertBlob -------------PFXCertPassword -------------PFXCertPasswordEncryptionType -------------PFXKeyExportable -------------Thumbprint -------------Status -------------PFXCertPasswordEncryptionStore (Added in Windows 10, version 1511) -----SCEP ---------UniqueID -------------Install -----------------ServerURL -----------------Challenge -----------------EKUMapping -----------------KeyUsage -----------------SubjectName -----------------KeyProtection -----------------RetryDelay -----------------RetryCount -----------------TemplateName -----------------KeyLength -----------------HashAlgorithm -----------------CAThumbprint -----------------SubjectAlternativeNames -----------------ValidPeriod -----------------ValidPeriodUnits -----------------ContainerName -----------------CustomTextToShowInPrompt -----------------Enroll -----------------AADKeyIdentifierList (Added in Windows 10, version 1703) 
-------------CertThumbprint -------------Status -------------ErrorCode -------------RespondentServerUrl + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall ``` + -**Device or User** -For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. + + +Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + -**ClientCertificateInstall** -The root node for the ClientCertificateInstaller configuration service provider. + + + -**ClientCertificateInstall/PFXCertInstall** -Required for PFX certificate installation. The parent node grouping the PFX certificate related settings. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**ClientCertificateInstall/PFXCertInstall/***UniqueID* + + + + + + + +### Device/PFXCertInstall/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID} +``` + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + -The data type format is node. + + + -Supported operations are Get, Add, and Replace. + +**Description framework properties**: -Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/KeyLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/KeyLocation +``` + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + -Supported operations are Get, Add, and Replace. + + + -The data type is an integer corresponding to one of the following values: + +**Description framework properties**: -| Value | Description | -|-------|---------------------------------------------------------------------------------------------------------------| -| 1 | Install to TPM if present, fail if not present. | -| 2 | Install to TPM if present. If not present, fall back to software. | -| 3 | Install to software. | -| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** -Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail. + +**Allowed values**: -Date type is string. +| Value | Description | +|:--|:--| +| 1 | Install to TPM if present, fail if not present. | +| 2 | Install to TPM if present. If not present, fallback to software. | +| 3 | Install to software. | +| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | + -Supported operations are Get, Add, Delete, and Replace. 
+ + + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** -CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This Add operation requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before the Add operation is called. This trigger for addition also sets the Status node to the current Status of the operation. + -The data type format is binary. + +#### Device/PFXCertInstall/{UniqueID}/PFXCertBlob -Supported operations are Get, Add, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertBlob +``` + -If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail. + + +Required. +[CRYPT_DATA_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)) structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate -In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)). 
+ -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bin | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPassword +``` + + + + Password that protects the PFX blob. This is required if the PFX is password protected. - -Data Type is a string. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** -Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server. - -The data type is int. Valid values: - -- 0 - Password isn't encrypted. -- 1 - Password is encrypted with the MDM certificate. -- 2 - Password is encrypted with custom certificate. - -When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** -Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX isn't exportable when it's installed to TPM. - -> [!Note] -> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. - -The data type bool. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** -Returns the thumbprint of the installed PFX certificate. - -The datatype is a string. - -Supported operation is Get. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** -Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. - -Data type is an integer. - -Supported operation is Get. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** -Added in Windows 10, version 1511. 
When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword. - -Data type is string. - -Supported operations are Add, Get, and Replace. - -**ClientCertificateInstall/SCEP** -Node for SCEP. - -> [!Note] -> An alert is sent after the SCEP certificate is installed. - -**ClientCertificateInstall/SCEP/***UniqueID* -A unique ID to differentiate different certificate installation requests. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install** -A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. - -Supported operations are Get, Add, Replace, and Delete. - -> [!Note] -> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and ensure the device isn't at an unknown state before changing child node values. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** -Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** -Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** -Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs is separated by a plus +. For example, OID1+OID2+OID3. - -Data type is string. 
- -Supported operations are Get, Add, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** -Required. Specifies the subject name. - -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). - -For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). - -Data type is string. - -Supported operations are Add, Get, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** -Optional. Specifies where to keep the private key. - -> [!Note] -> Even if the private key is protected by TPM, it isn't protected with a TPM PIN. - -The data type is an integer corresponding to one of the following values: - -| Value | Description | -|---|---| -| 1 | Private key protected by TPM. | -| 2 | Private key protected by phone TPM if the device supports TPM. | -| 3 | (Default) Private key saved in software KSP. | -| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** -Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. - -Data type is int. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** -Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. - -Data type format is an integer. - -The default value is 5. - -The minimum value is 1. 
- -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** -Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. - -Data type is integer. - -Default value is 3. - -Maximum value is 30. If the value is larger than 30, the device will use 30. - -Minimum value is 0, which indicates no retry. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** -Optional. OID of certificate template name. - -> [!Note] -> This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength** -Required for enrollment. Specify private key length (RSA). - -Data type is integer. - -Valid values are 1024, 2048, and 4096. - -For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** -Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +. - -For Windows Hello for Business, only SHA256 is the supported algorithm. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies Root CA thumbprint. This thumbprint is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it isn't a match, the authentication will fail. - -Data type is string. 
- -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. For more information, see the name type definitions in MSDN. - -Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod** -Optional. Specifies the units for the valid certificate period. - -Data type is string. - -Valid values are: - -- Days (Default) -- Months -- Years + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore +``` + + + + +Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
    Dependency Allowed Value: `[2]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType +``` + + + + +Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Password is not encrypted. | +| 1 | Password is encrypted with the MDM certificate. | +| 2 | Password is encrypted with custom certificate. | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXKeyExportable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXKeyExportable +``` + + + + +Optional. Used to specify if the private key installed is exportable (can be exported later). + + + + +The PFX isn't exportable when it's installed to TPM. > [!NOTE] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. +> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** -Optional. Specifies the desired number of units used in the validity period. This number is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | true | +| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
    Dependency Allowed Value: `[3]`
    Dependency Allowed Value Type: `Range`
    | + -> [!Note] -> The valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +**Allowed values**: -Data type is string. +| Value | Description | +|:--|:--| +| false | False. | +| true (Default) | True. | + -> [!Note] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. + + + -Supported operations are Add, Get, Delete, and Replace. + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** -Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node isn't specified when Windows Hello for Business KSP is chosen, the enrollment will fail. + +#### Device/PFXCertInstall/{UniqueID}/Status -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Status +``` + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt** -Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for. + + +Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + -Data type is string. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** -Required. Triggers the device to start the certificate enrollment. The device won't notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The date type format is Null, meaning this node doesn’t contain a value. + + + -The only supported operation is Execute. + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** -Optional. Specify the Azure Active Directory Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. + +#### Device/PFXCertInstall/{UniqueID}/Thumbprint -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Thumbprint +``` + -**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** -Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + +Returns the thumbprint of the PFX certificate installed. + -If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted) then it will return an empty string. + + + -Data type is string. + +**Description framework properties**: -The only supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**ClientCertificateInstall/SCEP/*UniqueID*/Status** -Required. Specifies latest status of the certificated during the enrollment request. + + + -Data type is string. Valid values: + -The only supported operation is Get. + +## Device/SCEP -| Value | Description | -|-------|---------------------------------------------------------------------------------------------------| -| 1 | Finished successfully | -| 2 | Pending (the device hasn’t finished the action but has received the SCEP server pending response) | -| 16 | Action failed | -| 32 | Unknown | + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** -Optional. An integer value that indicates the HRESULT of the last enrollment error code. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP +``` + -The only supported operation is Get. + + +Node for SCEP. An alert is sent after the SCEP certificate is installed. + -**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/SCEP/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID} +``` + + + + +Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Calling Delete on the this node, should delete the corresponding SCEP certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### Device/SCEP/{UniqueID}/CertThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/CertThumbprint +``` + + + + +Optional. Specify the current cert's thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + +> [!NOTE] +> If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted, etc.) then it will return an empty string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/SCEP/{UniqueID}/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/ErrorCode +``` + + + + +Optional. The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/SCEP/{UniqueID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install +``` + + + + +Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/AADKeyIdentifierList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AADKeyIdentifierList +``` + + + + +Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/CAThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CAThumbprint +``` + + + + +Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If no match is found, authentication will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/Challenge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Challenge +``` + + + + +Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt +``` + + + + +Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/EKUMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/EKUMapping +``` + + + + +Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus "+". Sample format: OID1+OID2+OID3. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/Enroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Enroll +``` + + + + +Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/HashAlgorithm + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/HashAlgorithm +``` + + + + +Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyLength +``` + + + + +Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + +> [!NOTE] +> For Windows Hello for Business (formerly known as Microsoft Passport for Work) , 2048 is the only supported key length. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1024 | 1024. | +| 2048 | 2048. | +| 4096 | 4096. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyProtection +``` + + + + +Optional. Specify where to keep the private key. **Note** that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn't support TPM PIN protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Private key protected by TPM. | +| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | +| 3 (Default) | (Default) Private key saved in software KSP. | +| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyUsage +``` + + + + +Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/RetryCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryCount +``` + + + + +Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 3 | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/RetryDelay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryDelay +``` + + + + +Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 5 | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ServerURL +``` + + + + +Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/SubjectAlternativeNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectAlternativeNames +``` + + + + +Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/SubjectName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectName +``` + + + + +Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: ("," "=" "+" ";" ). + + + + +For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/TemplateName +``` + + + + +Optional. OID of certificate template name. **Note** that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn't need to provide it. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ValidPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriod +``` + + + + +Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. +MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Days | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Days (Default) | Days. | +| Months | Months. | +| Years | Years. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ValidPeriodUnits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriodUnits +``` + + + + +Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. **Note** the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +> [!NOTE] +> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + + + + + + + +#### Device/SCEP/{UniqueID}/RespondentServerUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/RespondentServerUrl +``` + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + -Data type is string. + + + -The only supported operation is Get. + +**Description framework properties**: -## Example +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Enroll a client certificate through SCEP. + + + -```xml - - - - - 301 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/ - - - node - - - - - 302 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryCount - - - int - - 1 - - - - 303 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryDelay - - - int - - 1 - - - - 304 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyUsage - - - int - - 160 - - - - 305 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyLength - - - int - - 1024 - - - - 306 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/HashAlgorithm - - - chr - - SHA-1 - - - - 307 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectName - - - chr - - CN=ContosoCSP - - - - 308 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectAlternativeNames - - - chr - - - - - - 309 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriod - - - chr - - Years - - - - 310 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriodUnits - - - int - - 1 - - - - 311 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/EKUMapping - - - chr - - 1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2 - - - - 312 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyProtection - - - int - - 3 - - - - 313$ - - - 
./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ServerURL - - - chr - - http://constoso.com/certsrv/mscep/mscep.dll - - - - 314 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Challenge - - - chr - - 1234CB055B7EBF384A9486A22B7559A5 - - - - 315 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/CAThumbprint - - - chr - - 12345087E648875D1DF5D9F9FF89DD10 - - - - 316 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Enroll - - - - + + + +#### Device/SCEP/{UniqueID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Status +``` + + + + +Required. Specify the latest status for the certificate due to enroll request. +Valid values are: +1 - finished successfully +2 - pending (the device hasn't finished the action but has received the SCEP server pending response) +32 - unknown +16 - action failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## User/PFXCertInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall +``` + + + + +Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/PFXCertInstall/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID} +``` + + + + +Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/KeyLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/KeyLocation +``` + + + + +Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Install to TPM if present, fail if not present. | +| 2 | Install to TPM if present. If not present, fallback to software. | +| 3 | Install to software. | +| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXCertBlob + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertBlob +``` + + + + +Required. +[CRYPT_DATA_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)) structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bin | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXCertPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPassword +``` + + + + +Password that protects the PFX blob. This is required if the PFX is password protected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore +``` + + + + +Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
    Dependency Allowed Value: `[2]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType +``` + + + + +Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Password is not encrypted. | +| 1 | Password is encrypted with the MDM certificate. | +| 2 | Password is encrypted with custom certificate. | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXKeyExportable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXKeyExportable +``` + + + + +Optional. Used to specify if the private key installed is exportable (can be exported later). + + + + +> [!NOTE] +> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | true | +| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
    Dependency Allowed Value: `[3]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | False. | +| true (Default) | True. | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Status +``` + + + + +Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/Thumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Thumbprint +``` + + + + +Returns the thumbprint of the PFX certificate installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/SCEP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP +``` + + + + +Node for SCEP. An alert is sent after the SCEP certificate is installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/SCEP/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID} +``` + + + + +Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Calling Delete on the this node, should delete the corresponding SCEP certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### User/SCEP/{UniqueID}/CertThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/CertThumbprint +``` + + + + +Optional. Specify the current cert's thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + +> [!NOTE] +> If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted, etc.) then it will return an empty string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/SCEP/{UniqueID}/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/ErrorCode +``` + + + + +Optional. The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/SCEP/{UniqueID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install +``` + + + + +Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/AADKeyIdentifierList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AADKeyIdentifierList +``` + + + + +Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/CAThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CAThumbprint +``` + + + + +Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If no match is found, authentication will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/Challenge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Challenge +``` + + + + +Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt +``` + + + + +Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/EKUMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/EKUMapping +``` + + + + +Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus "+". Sample format: OID1+OID2+OID3. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/Enroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Enroll +``` + + + + +Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/HashAlgorithm + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/HashAlgorithm +``` + + + + +Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyLength +``` + + + + +Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + +> [!NOTE] +> For Windows Hello for Business (formerly known as Microsoft Passport for Work) , 2048 is the only supported key length. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1024 | 1024. | +| 2048 | 2048. | +| 4096 | 4096. | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/KeyProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyProtection +``` + + + + +Optional. Specify where to keep the private key. **Note** that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn't support TPM PIN protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Private key protected by TPM. | +| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | +| 3 (Default) | (Default) Private key saved in software KSP. | +| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/KeyUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyUsage +``` + + + + +Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/RetryCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryCount +``` + + + + +Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 3 | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/RetryDelay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryDelay +``` + + + + +Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 5 | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ServerURL +``` + + + + +Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/SubjectAlternativeNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectAlternativeNames +``` + + + + +Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/SubjectName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectName +``` + + + + +Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: ("," "=" "+" ";" ). + + + + +For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/TemplateName +``` + + + + +Optional. OID of certificate template name. **Note** that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn't need to provide it. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/ValidPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriod +``` + + + + +Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. +MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Days | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Days (Default) | Days. | +| Months | Months. | +| Years | Years. | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/ValidPeriodUnits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriodUnits +``` + + + + +Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. **Note** the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +> [!NOTE] +> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + + + + + + + +#### User/SCEP/{UniqueID}/RespondentServerUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/RespondentServerUrl +``` + + + + +Required. Returns the URL of the SCEP server that responded to the enrollment request. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/SCEP/{UniqueID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Status +``` + + + + +Required. Specify the latest status for the certificate due to enroll request. +Valid values are: +1 - finished successfully +2 - pending (the device hasn't finished the action but has received the SCEP server pending response) +32 - unknown +16 - action failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + +## Examples + +- Enroll a client certificate through SCEP. + + ```xml + + + + + 301 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/ + + + node + + + + + 302 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryCount + + + int + + 1 + + + + 303 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryDelay + + + int + + 1 + + + + 304 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyUsage + + + int + + 160 + + + + 305 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyLength + + + int + + 1024 + + + + 306 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/HashAlgorithm + + + chr + + SHA-1 + + + + 307 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectName + + + chr + + CN=ContosoCSP + + + + 308 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectAlternativeNames + + + chr + + + + + + 309 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriod + + + chr + + Years + + + + 310 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriodUnits + + + int + + 1 + + + + 311 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/EKUMapping + + + chr + + 1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2 + + + + 312 + + + 
./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyProtection + + + int + + 3 + + + + 313$ + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ServerURL + + + chr + + http://constoso.com/certsrv/mscep/mscep.dll + + + + 314 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Challenge + + + chr + + 1234CB055B7EBF384A9486A22B7559A5 + + + + 315 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/CAThumbprint + + + chr + + 12345087E648875D1DF5D9F9FF89DD10 + + + + 316 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Enroll + + + + + + + + ``` + +- Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store. + + ```xml + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C + + + + + $CmdID$ + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation + + + int + + 2 + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob + + + chr + + Base64_Encode_Cert_Blob + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword + + + chr + + Base64Encoded_Encrypted_Password_Blog + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType + + + int + + 2 + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore + + + chr + + My + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable + + + bool + + true + + + - - -``` +
    +
    + ``` + -Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store. + -```xml - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C - - - - - $CmdID$ - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation - - - int - - 2 - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob - - - chr - - Base64_Encode_Cert_Blob - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword - - - chr - - Base64Encoded_Encrypted_Password_Blog - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType - - - int - - 2 - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore - - - chr - - My - - +## Related articles - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable - - - bool - - true - - - - - - -``` - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 8d8a117d95..08abb4da3e 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md 
@@ -1,1055 +1,2198 @@ --- title: ClientCertificateInstall DDF file -description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # ClientCertificateInstall DDF file -This topic shows the OMA DM device description framework (DDF) for the **ClientCertificateInstall** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the ClientCertificateInstall configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + ClientCertificateInstall + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - ClientCertificateInstall - ./Vendor/MSFT + PFXCertInstall + + + + + Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - com.microsoft/1.1/MDM/ClientCertificateInstall - - - - PFXCertInstall - - - - - Required for PFX certificate installation. The parent node grouping the PFX cert related settings. Supported operation is Get. - - - - - - - - - - - - - - - - - - - - - - - Required for PFX certificate installation. 
A unique ID to differentiate different certificate install requests. -Format is node. -Supported operations are Get, Add, Delete + + + + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. - - - - - - - - - - UniqueID - - - - - - KeyLocation - - - - - - - Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation. Supported operations are Get, Add. - Datatype will be int -1- Install to TPM, fail if not present -2 – Install to TPM if present, if not present fallback to Software -3 – Install to software -4 – Install to NGC container whose name is specified - - - - - - - - - - - - text/plain - - - - - ContainerName - - - - - - - Optional. -Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. -Format is chr. -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - - text/plain - - - - - PFXCertBlob - - - - - - - Required. + + + + + + + + + + UniqueID + + + + + + + + + + KeyLocation + + + + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + + + + + + + + + + + + + + + 1 + Install to TPM if present, fail if not present. + + + 2 + Install to TPM if present. If not present, fallback to software. + + + 3 + Install to software. + + + 4 + Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified + + + + + + ContainerName + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + PFXCertBlob + + + + + + + Required. 
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. -Format is Binary64. -Supported operations are Get, Add, Replace. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate -CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windows/desktop/aa381414(v=vs.85).aspx +CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx - - - - - - - - - - - text/plain - - - - - PFXCertPassword - - - - - - - -Required if PFX is password protected. -Password that protects the PFX blob. -Format is chr. Supported operations are Add, Get. - - - - - - - - - - - - text/plain - - - - - PFXCertPasswordEncryptionType - - - - - - - 0 - Optional. Used to specify if the PFX certificate password is encrypted with a certificate. -If the value is -0 - Password is not encrypted -1- Password is encrypted using the MDM certificate by the MDM server -2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. -The datatype for this node is int. -Supported operations are Add, Replace. 
- - - - - - - - - - - - text/plain - - - - - PFXKeyExportable - - - - - - - true - Optional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool. -Supported operations are Add, Get. - - - - - - - - - - - - text/plain - - - - - Thumbprint - - - - - Returns the thumbprint of the PFX certificate installed. Format is string.Supported operations are Get. - - - - - - - - - - - - text/plain - - - - - Status - - - - - Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int. -Support operations are Get. - - - - - - - - - - - - text/plain - - - - - PFXCertPasswordEncryptionStore - - - - - - - Optional. -When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. -Datatype is string, -Support operation are Add, Get and Replace. - - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + + + + + - SCEP - - - - - - - - - - - - - - - - - - - - - - - - - - - Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. -Format is node. -Supported operations are Get, Add, Delete. + PFXCertPassword + + + + + + + Password that protects the PFX blob. This is required if the PFX is password protected. + + + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionType + + + + + + + 0 + Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + + + + + + + + + 0 + Password is not encrypted. + + + 1 + Password is encrypted with the MDM certificate. 
+ + + 2 + Password is encrypted with custom certificate. + + + + + + PFXKeyExportable + + + + + + + true + Optional. Used to specify if the private key installed is exportable (can be exported later). + + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation + + [3] + + + + + + + + Thumbprint + + + + + Returns the thumbprint of the PFX certificate installed. + + + + + + + + + + + + + + + + Status + + + + + Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionStore + + + + + + + Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + + + + + + + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType + + [2] + + + + + + + + + + SCEP + + + + + Node for SCEP. An alert is sent after the SCEP certificate is installed. + + + + + + + + + + + + + + + + + + + + + + + + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Calling Delete on the this node, should delete the corresponding SCEP certificate - - - - - - - - - - UniqueID - - - - - - Install - - - - - - - - Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete. - -NOTE: Though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. 
The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. - - - - - - - - - - - - - - - ServerURL - - - - - - - - Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. -Format is string. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - Challenge - - - - - - - - Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Format is chr. Supported operations are Get, Add, Replace, Delete. Challenge will be deleted shortly after the Exec command is accepted. - - - - - - - - - - - text/plain - - - - - EKUMapping - - - - - - - - Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. - -Format is chr. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - KeyUsage - - - - - - - - Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - SubjectName - - - - - - - - Required. Specify the subject name. Format is chr. Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - KeyProtection - - - - - - - - 3 - Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. - -SCEP enrolled cert doesn’t support TPM PIN protection. Supported values: - -1 – private key protected by TPM, - -2 – private key protected by phone TPM if the device supports TPM. 
- -3 (default) – private key saved in software KSP - -4 – private key protected by NGC. If this option is specified, container name should be specified, if not enrollment will fail. - - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - - - text/plain - - - - - RetryDelay - - - - - - - - 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + + + + + + + UniqueID + + + + + + + + + + Install + + + + + + + + Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + + + + + + + + + ServerURL + + + + + + + + Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. + + + + + + + + + + + + + + + + + + Challenge + + + + + + + + Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + + + + + + + + + + + + EKUMapping + + + + + + + + Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. + + + + + + + + + + + + + + + + + + KeyUsage + + + + + + + + Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. 
If the value doesn’t have those bits set, configuration will fail. + + + + + + + + + + + + + + + + + + SubjectName + + + + + + + + Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + + + + + + + + + + + + + + + + + + KeyProtection + + + + + + + + 3 + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn’t support TPM PIN protection. + + + + + + + + + + + + + + + 1 + Private key protected by TPM. + + + 2 + Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. + + + 3 + (Default) Private key saved in software KSP. + + + 4 + Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. + + + + + + RetryDelay + + + + + + + + 5 + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 -The min value is 1. - -Format is int. - -Supported operations are Get, Add, Delete noreplace. - - - - - - - - - - - text/plain - - - - - RetryCount - - - - - - - - 3 - Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. -The min value is 0 which means no retry. Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace. 
- - - - - - - - - - - text/plain - - - - - KeyLength - - - - - - - - Required for enrollment. Specify private key length (RSA). Format is int. - -Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - HashAlgorithm - - - - - - - - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. - -For NGC, only SHA256 is supported as the supported algorithm - -Format is chr. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - CAThumbprint - - - - - - - - Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. -Format is chr. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - SubjectAlternativeNames - - - - - - - - Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. - -Format is chr. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - ValidPeriod - - - - - - - - Days - Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. -Format is chr. -Supported operations are Get, Add, Delete, Replace. +The min value is 1. + + + + + + + + + + + + + + [0-4294967295] + + + + + RetryCount + + + + + + + + 3 + Optional. Special to SCEP. 
Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + + + + + + + + [0-30] + + + + + TemplateName + + + + + + + + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. + + + + + + + + + + + + + + + + + + KeyLength + + + + + + + + Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + + + + + + + + + + + + 1024 + 1024 + + + 2048 + 2048 + + + 4096 + 4096 + + + + + + HashAlgorithm + + + + + + + + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. +For NGC, only SHA256 is supported as the supported algorithm + + + + + + + + + + + + + + + + + + CAThumbprint + + + + + + + + Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. + + + + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + + + Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + + + + + + + + + + + + ValidPeriod + + + + + + + + Days + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. 
+MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + Days + Days + + + Months + Months + + + Years + Years + + + + + + ValidPeriodUnits + + + + + + + + 0 + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. - - - - - - - - - - - text/plain - - - - - ValidPeriodUnits - - - - - - - - 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - -NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. - - - - - - - - - - - text/plain - - - - - ContainerName - - - - - - - - Optional. -Specifies the NGC container name (if NGC KSP is chosen for above node). 
If this node is not specified when NGC KSP is chosen, enrollment will fail. - -Format is chr. - -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - text/plain - - - - - CustomTextToShowInPrompt - - - - - - - - Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. - -Format is chr. - -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - text/plain - - - - - Enroll - - - - - Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. - -Format is null, e.g. this node doesn’t contain a value. - -Supported operation is Exec. - - - - - - - - - - - text/plain - - - - - AADKeyIdentifierList - - - - - - - - Optional. Specify the Azure Active Directory Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. - - - - - - - - - - - text/plain - - - - - - CertThumbprint - - - - - Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Format is chr. Supported operation is Get. - - - - - - - - - - - text/plain - - - - - Status - - - - - Required. Specify the latest status for the certificate due to enroll request. - -Format is chr. - -Supported operation is Get. - + + + + + + + + + + + + + + + + + + ContainerName + + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. 
+ + + + + + + + + + + + + + + + + + CustomTextToShowInPrompt + + + + + + + + Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + + + + + + + + + + + + Enroll + + + + + Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + + + + + + + + + + AADKeyIdentifierList + + + + + + + + Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + CertThumbprint + + + + + Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + + + + + + + + + + + + + Status + + + + + Required. Specify the latest status for the certificate due to enroll request. Valid values are: 1 – finished successfully 2 – pending (the device hasn’t finished the action but has received the SCEP server pending response) 32 – unknown 16 - action failed - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - Optional. The integer value that indicates the HRESULT of the last enrollment error code. -Supported operation is Get. - - - - - - - - - - - text/plain - - - - - RespondentServerUrl - - - - - Required. Returns the URL of the SCEP server that responded to the enrollment request. - -Format is String. - -Supported operation is Get. - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + + + + + ErrorCode + + + + + Optional. 
The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + + + + + + + + + + RespondentServerUrl + + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + + + + + + + + + + + + + + + + + + ClientCertificateInstall + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + PFXCertInstall + + + + + Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + + + + + + + + + + + + + + + + + + + + + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + + + + + + + + + + + UniqueID + + + + + + + + + + KeyLocation + + + + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + + + + + + + + + + + + + + + 1 + Install to TPM if present, fail if not present. + + + 2 + Install to TPM if present. If not present, fallback to software. + + + 3 + Install to software. + + + 4 + Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified + + + + + + ContainerName + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + PFXCertBlob + + + + + + + Required. +CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. 
This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate +CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx + + + + + + + + + + + + + + + + + + + PFXCertPassword + + + + + + + Password that protects the PFX blob. This is required if the PFX is password protected. + + + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionType + + + + + + + 0 + Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + + + + + + + + + 0 + Password is not encrypted. + + + 1 + Password is encrypted with the MDM certificate. + + + 2 + Password is encrypted with custom certificate. + + + + + + PFXKeyExportable + + + + + + + true + Optional. Used to specify if the private key installed is exportable (can be exported later). 
+ + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation + + [3] + + + + + + + + Thumbprint + + + + + Returns the thumbprint of the PFX certificate installed. + + + + + + + + + + + + + + + + Status + + + + + Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionStore + + + + + + + Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + + + + + + + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType + + [2] + + + + + + + + + + SCEP + + + + + Node for SCEP. An alert is sent after the SCEP certificate is installed. + + + + + + + + + + + + + + + + + + + + + + + + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Calling Delete on the this node, should delete the corresponding SCEP certificate + + + + + + + + + + UniqueID + + + + + + + + + + Install + + + + + + + + Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + + + + + + + + + ServerURL + + + + + + + + Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. 
+ + + + + + + + + + + + + + + + + + Challenge + + + + + + + + Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + + + + + + + + + + + + EKUMapping + + + + + + + + Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. + + + + + + + + + + + + + + + + + + KeyUsage + + + + + + + + Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. + + + + + + + + + + + + + + + + + + SubjectName + + + + + + + + Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + + + + + + + + + + + + + + + + + + KeyProtection + + + + + + + + 3 + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn’t support TPM PIN protection. + + + + + + + + + + + + + + + 1 + Private key protected by TPM. + + + 2 + Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. + + + 3 + (Default) Private key saved in software KSP. + + + 4 + Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. + + + + + + RetryDelay + + + + + + + + 5 + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + + + + + + + + + + + + + + [0-4294967295] + + + + + RetryCount + + + + + + + + 3 + Optional. 
Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + + + + + + + + [0-30] + + + + + TemplateName + + + + + + + + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. + + + + + + + + + + + + + + + + + + KeyLength + + + + + + + + Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + + + + + + + + + + + + 1024 + 1024 + + + 2048 + 2048 + + + 4096 + 4096 + + + + + + HashAlgorithm + + + + + + + + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm + + + + + + + + + + + + + + + + + + CAThumbprint + + + + + + + + Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. + + + + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + + + Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + + + + + + + + + + + + ValidPeriod + + + + + + + + Days + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. 
+MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + Days + Days + + + Months + Months + + + Years + Years + + + + + + ValidPeriodUnits + + + + + + + + 0 + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. +NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + + + + ContainerName + + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + CustomTextToShowInPrompt + + + + + + + + Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + + + + + + + + + + + + Enroll + + + + + Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + + + + + + + + + + AADKeyIdentifierList + + + + + + + + Optional. Specify the AAD Key Identifier List as a semicolon separated values. 
On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + CertThumbprint + + + + + Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + + + + + + + + + + + + + Status + + + + + Required. Specify the latest status for the certificate due to enroll request. +Valid values are: +1 – finished successfully +2 – pending (the device hasn’t finished the action but has received the SCEP server pending response) +32 – unknown +16 - action failed + + + + + + + + + + + + + + + + ErrorCode + + + + + Optional. The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + + + + + + + + + + RespondentServerUrl + + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md) +[ClientCertificateInstall configuration service provider reference](clientcertificateinstall-csp.md) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index dd6034f807..40d679359a 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,10 +1,10 @@ --- title: Defender CSP -description: Learn more about the Defender CSP +description: Learn more about the Defender CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 02/28/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -21,92 +21,90 @@ ms.topic: reference -The following example shows the Defender configuration service provider in tree format. +The following list shows the Defender configuration service provider nodes: -```text -./Device/Vendor/MSFT/Defender ---- Configuration ------- AllowDatagramProcessingOnWinServer ------- AllowNetworkProtectionDownLevel ------- AllowNetworkProtectionOnWinServer ------- ASROnlyPerRuleExclusions ------- DataDuplicationDirectory ------- DataDuplicationRemoteLocation ------- DefaultEnforcement ------- DeviceControl ---------- PolicyGroups ------------- {GroupId} ---------------- GroupData ---------- PolicyRules ------------- {RuleId} ---------------- RuleData ------- DeviceControlEnabled ------- DisableCpuThrottleOnIdleScans ------- DisableDnsOverTcpParsing ------- DisableDnsParsing ------- DisableFtpParsing ------- DisableGradualRelease ------- DisableHttpParsing ------- DisableInboundConnectionFiltering ------- DisableLocalAdminMerge ------- DisableNetworkProtectionPerfTelemetry ------- DisableRdpParsing ------- DisableSshParsing ------- DisableTlsParsing ------- EnableDnsSinkhole ------- EnableFileHashComputation ------- EngineUpdatesChannel ------- ExcludedIpAddresses ------- HideExclusionsFromLocalAdmins ------- MeteredConnectionUpdates ------- PassiveRemediation ------- PauseUpdateExpirationTime ------- PauseUpdateFlag ------- PauseUpdateStartTime ------- PlatformUpdatesChannel ------- SchedulerRandomizationTime ------- SecurityIntelligenceUpdatesChannel ------- SupportLogLocation ------- TamperProtection ------- TDTFeatureEnabled ------- ThrottleForScheduledScanOnly ---- Detections ------- {ThreatId} ---------- Category ---------- CurrentStatus ---------- ExecutionStatus ---------- InitialDetectionTime ---------- LastThreatStatusChangeTime ---------- Name ---------- NumberOfDetections ---------- Severity ---------- URL ---- Health ------- ComputerState ------- DefenderEnabled ------- DefenderVersion ------- EngineVersion ------- 
FullScanOverdue ------- FullScanRequired ------- FullScanSigVersion ------- FullScanTime ------- IsVirtualMachine ------- NisEnabled ------- ProductStatus ------- QuickScanOverdue ------- QuickScanSigVersion ------- QuickScanTime ------- RebootRequired ------- RtpEnabled ------- SignatureOutOfDate ------- SignatureVersion ------- TamperProtectionEnabled ---- OfflineScan ---- RollbackEngine ---- RollbackPlatform ---- Scan ---- UpdateSignature -``` +- ./Device/Vendor/MSFT/Defender + - [Configuration](#configuration) + - [AllowDatagramProcessingOnWinServer](#configurationallowdatagramprocessingonwinserver) + - [AllowNetworkProtectionDownLevel](#configurationallownetworkprotectiondownlevel) + - [AllowNetworkProtectionOnWinServer](#configurationallownetworkprotectiononwinserver) + - [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions) + - [DataDuplicationDirectory](#configurationdataduplicationdirectory) + - [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod) + - [DataDuplicationRemoteLocation](#configurationdataduplicationremotelocation) + - [DefaultEnforcement](#configurationdefaultenforcement) + - [DeviceControl](#configurationdevicecontrol) + - [PolicyGroups](#configurationdevicecontrolpolicygroups) + - [{GroupId}](#configurationdevicecontrolpolicygroupsgroupid) + - [GroupData](#configurationdevicecontrolpolicygroupsgroupidgroupdata) + - [PolicyRules](#configurationdevicecontrolpolicyrules) + - [{RuleId}](#configurationdevicecontrolpolicyrulesruleid) + - [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata) + - [DeviceControlEnabled](#configurationdevicecontrolenabled) + - [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans) + - [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing) + - [DisableDnsParsing](#configurationdisablednsparsing) + - [DisableFtpParsing](#configurationdisableftpparsing) + - [DisableGradualRelease](#configurationdisablegradualrelease) + - 
[DisableHttpParsing](#configurationdisablehttpparsing) + - [DisableInboundConnectionFiltering](#configurationdisableinboundconnectionfiltering) + - [DisableLocalAdminMerge](#configurationdisablelocaladminmerge) + - [DisableNetworkProtectionPerfTelemetry](#configurationdisablenetworkprotectionperftelemetry) + - [DisableRdpParsing](#configurationdisablerdpparsing) + - [DisableSmtpParsing](#configurationdisablesmtpparsing) + - [DisableSshParsing](#configurationdisablesshparsing) + - [DisableTlsParsing](#configurationdisabletlsparsing) + - [EnableDnsSinkhole](#configurationenablednssinkhole) + - [EnableFileHashComputation](#configurationenablefilehashcomputation) + - [EngineUpdatesChannel](#configurationengineupdateschannel) + - [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins) + - [IntelTDTEnabled](#configurationinteltdtenabled) + - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) + - [PassiveRemediation](#configurationpassiveremediation) + - [PlatformUpdatesChannel](#configurationplatformupdateschannel) + - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) + - [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled) + - [SchedulerRandomizationTime](#configurationschedulerrandomizationtime) + - [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel) + - [SupportLogLocation](#configurationsupportloglocation) + - [TamperProtection](#configurationtamperprotection) + - [ThrottleForScheduledScanOnly](#configurationthrottleforscheduledscanonly) + - [Detections](#detections) + - [{ThreatId}](#detectionsthreatid) + - [Category](#detectionsthreatidcategory) + - [CurrentStatus](#detectionsthreatidcurrentstatus) + - [ExecutionStatus](#detectionsthreatidexecutionstatus) + - [InitialDetectionTime](#detectionsthreatidinitialdetectiontime) + - [LastThreatStatusChangeTime](#detectionsthreatidlastthreatstatuschangetime) + - [Name](#detectionsthreatidname) + - 
[NumberOfDetections](#detectionsthreatidnumberofdetections) + - [Severity](#detectionsthreatidseverity) + - [URL](#detectionsthreatidurl) + - [Health](#health) + - [ComputerState](#healthcomputerstate) + - [DefenderEnabled](#healthdefenderenabled) + - [DefenderVersion](#healthdefenderversion) + - [EngineVersion](#healthengineversion) + - [FullScanOverdue](#healthfullscanoverdue) + - [FullScanRequired](#healthfullscanrequired) + - [FullScanSigVersion](#healthfullscansigversion) + - [FullScanTime](#healthfullscantime) + - [IsVirtualMachine](#healthisvirtualmachine) + - [NisEnabled](#healthnisenabled) + - [ProductStatus](#healthproductstatus) + - [QuickScanOverdue](#healthquickscanoverdue) + - [QuickScanSigVersion](#healthquickscansigversion) + - [QuickScanTime](#healthquickscantime) + - [RebootRequired](#healthrebootrequired) + - [RtpEnabled](#healthrtpenabled) + - [SignatureOutOfDate](#healthsignatureoutofdate) + - [SignatureVersion](#healthsignatureversion) + - [TamperProtectionEnabled](#healthtamperprotectionenabled) + - [OfflineScan](#offlinescan) + - [RollbackEngine](#rollbackengine) + - [RollbackPlatform](#rollbackplatform) + - [Scan](#scan) + - [UpdateSignature](#updatesignature) @@ -125,6 +123,7 @@ The following example shows the Defender configuration service provider in tree + An interior node to group Windows Defender configuration information. @@ -163,6 +162,7 @@ An interior node to group Windows Defender configuration information. + This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. @@ -177,6 +177,7 @@ This settings controls whether Network Protection is allowed to enable datagram |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
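Review bot: The new node list silently drops ExcludedIpAddresses, PauseUpdateExpirationTime, PauseUpdateFlag, PauseUpdateStartTime and TDTFeatureEnabled (the last apparently superseded by IntelTDTEnabled), but nothing in the page tells a reader what happens to profiles that already set them. Whether these nodes are deprecated, renamed or merely undocumented cannot be told from the diff, so the page should say which; a short alert near the list such as `> [!NOTE]` / `> The ExcludedIpAddresses, PauseUpdate* and TDTFeatureEnabled nodes are no longer listed; see <TODO: reason or successor node> before removing them from existing profiles.` would stop admins from unknowingly losing Network Protection exclusions or update-pause settings. The same omission applies to the pure-deletion hunk that removes the ExcludedIpAddresses section further down.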
@@ -185,7 +186,7 @@ This settings controls whether Network Protection is allowed to enable datagram | Value | Description | |:--|:--| | 1 | Datagram processing on Windows Server is enabled. | -| 0 | Datagram processing on Windows Server is disabled. | +| 0 (Default) | Datagram processing on Windows Server is disabled. | @@ -210,6 +211,7 @@ This settings controls whether Network Protection is allowed to enable datagram + This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. @@ -224,6 +226,7 @@ This settings controls whether Network Protection is allowed to be configured in |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -232,7 +235,7 @@ This settings controls whether Network Protection is allowed to be configured in | Value | Description | |:--|:--| | 1 | Network protection will be enabled downlevel. | -| 0 | Network protection will be disabled downlevel. | +| 0 (Default) | Network protection will be disabled downlevel. | @@ -257,6 +260,7 @@ This settings controls whether Network Protection is allowed to be configured in + This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. @@ -279,8 +283,8 @@ This settings controls whether Network Protection is allowed to be configured in | Value | Description | |:--|:--| -| 1 (Default) | Allow | -| 0 | Disallow | +| 1 (Default) | Allow. | +| 0 | Disallow. | @@ -305,6 +309,7 @@ This settings controls whether Network Protection is allowed to be configured in + Apply ASR only per rule exclusions. @@ -343,6 +348,7 @@ Apply ASR only per rule exclusions. + Define data duplication directory for device control. 
@@ -365,6 +371,47 @@ Define data duplication directory for device control. + +### Configuration/DataDuplicationLocalRetentionPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationLocalRetentionPeriod +``` + + + + +Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-120]` | +| Default Value | 60 | + + + + + + + + ### Configuration/DataDuplicationRemoteLocation @@ -381,6 +428,7 @@ Define data duplication directory for device control. + Define data duplication remote location for device control. @@ -419,6 +467,7 @@ Define data duplication remote location for device control. + Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. @@ -433,6 +482,7 @@ Control Device Control default enforcement. This is the enforcement applied if t |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | @@ -440,8 +490,8 @@ Control Device Control default enforcement. This is the enforcement applied if t | Value | Description | |:--|:--| -| 1 | Default Allow Enforcement | -| 2 | Default Deny Enforcement | +| 1 (Default) | Default Allow Enforcement. | +| 2 | Default Deny Enforcement. | @@ -466,7 +516,7 @@ Control Device Control default enforcement. This is the enforcement applied if t - + @@ -504,7 +554,7 @@ Control Device Control default enforcement. This is the enforcement applied if t - + @@ -542,7 +592,7 @@ Control Device Control default enforcement. This is the enforcement applied if t - + 
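Review bot: The description sentence for the new DataDuplicationLocalRetentionPeriod node, `Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.`, does not parse, and it leaves the operative question open: is the local copy kept only until it is transferred to DataDuplicationRemoteLocation, or for the full period regardless. Suggest `Defines, in days, how long device control evidence data is retained on the client after it is written. <TODO: confirm whether the data is removed earlier once it has been transferred to DataDuplicationRemoteLocation.>`. It is also worth confirming that `chr (string)` with `Range: [1-120]` is what the DDF declares, since the sibling numeric nodes in this file are `int`; a string-typed day count may not be range-checked by MDM tooling the way an int would be.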
@@ -580,7 +630,8 @@ Control Device Control default enforcement. This is the enforcement applied if t - + +For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control). @@ -618,7 +669,7 @@ Control Device Control default enforcement. This is the enforcement applied if t - + @@ -656,7 +707,7 @@ Control Device Control default enforcement. This is the enforcement applied if t - + @@ -694,7 +745,8 @@ Control Device Control default enforcement. This is the enforcement applied if t - + +For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control). @@ -732,6 +784,7 @@ Control Device Control default enforcement. This is the enforcement applied if t + Control Device Control feature. @@ -746,6 +799,7 @@ Control Device Control feature. |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -753,8 +807,8 @@ Control Device Control feature. | Value | Description | |:--|:--| -| 1 | | -| 0 | | +| 1 | . | +| 0 (Default) | . | 
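Review bot: The allowed-values rows at the end of this hunk now read `| 1 | . |` and `| 0 (Default) | . |`, so each description cell is a bare period, which dresses up an empty cell rather than documenting the values. From the node description a few lines above (`Control Device Control feature.`) the rows presumably mean `| 1 | Device Control is enabled. |` and `| 0 (Default) | Device Control is disabled. |`; confirm the polarity against the DDF before wording it that way, because this flag presumably decides whether the PolicyRules and DefaultEnforcement settings documented earlier on the page take effect at all.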
@@ -779,7 +833,8 @@ Control Device Control feature. -Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. + +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. @@ -801,8 +856,8 @@ Indicates whether the CPU will be throttled for scheduled scans while the device | Value | Description | |:--|:--| -| 1 (Default) | Disable CPU Throttle on idle scans | -| 0 | Enable CPU Throttle on idle scans | +| 1 (Default) | Disable CPU Throttle on idle scans. | +| 0 | Enable CPU Throttle on idle scans. | @@ -827,6 +882,7 @@ Indicates whether the CPU will be throttled for scheduled scans while the device + This setting disables DNS over TCP Parsing for Network Protection. @@ -849,8 +905,8 @@ This setting disables DNS over TCP Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | DNS over TCP parsing is disabled | -| 0 (Default) | DNS over TCP parsing is enabled | +| 1 | DNS over TCP parsing is disabled. | +| 0 (Default) | DNS over TCP parsing is enabled. | @@ -875,6 +931,7 @@ This setting disables DNS over TCP Parsing for Network Protection. + This setting disables DNS Parsing for Network Protection. 
@@ -897,8 +954,8 @@ This setting disables DNS Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | DNS parsing is disabled | -| 0 (Default) | DNS parsing is enabled | +| 1 | DNS parsing is disabled. | +| 0 (Default) | DNS parsing is enabled. | @@ -923,6 +980,7 @@ This setting disables DNS Parsing for Network Protection. + This setting disables FTP Parsing for Network Protection. @@ -945,8 +1003,8 @@ This setting disables FTP Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | FTP parsing is disabled | -| 0 (Default) | FTP parsing is enabled | +| 1 | FTP parsing is disabled. | +| 0 (Default) | FTP parsing is enabled. | @@ -971,6 +1029,7 @@ This setting disables FTP Parsing for Network Protection. + Enable this policy to disable gradual rollout of Defender updates. @@ -985,6 +1044,7 @@ Enable this policy to disable gradual rollout of Defender updates. |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -992,8 +1052,8 @@ Enable this policy to disable gradual rollout of Defender updates. | Value | Description | |:--|:--| -| 1 | Gradual release is disabled | -| 0 | Gradual release is enabled | +| 1 | Gradual release is disabled. | +| 0 (Default) | Gradual release is enabled. | @@ -1018,6 +1078,7 @@ Enable this policy to disable gradual rollout of Defender updates. + This setting disables HTTP Parsing for Network Protection. @@ -1040,8 +1101,8 @@ This setting disables HTTP Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | HTTP parsing is disabled | -| 0 (Default) | HTTP parsing is enabled | +| 1 | HTTP parsing is disabled. | +| 0 (Default) | HTTP parsing is enabled. | @@ -1066,6 +1127,7 @@ This setting disables HTTP Parsing for Network Protection. + This setting disables Inbound connection filtering for Network Protection. 
@@ -1080,6 +1142,7 @@ This setting disables Inbound connection filtering for Network Protection. |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -1087,8 +1150,8 @@ This setting disables Inbound connection filtering for Network Protection. | Value | Description | |:--|:--| -| 1 | Inbound connection filtering is disabled | -| 0 | Inbound connection filtering is enabled | +| 1 | Inbound connection filtering is disabled. | +| 0 (Default) | Inbound connection filtering is enabled. | @@ -1113,7 +1176,8 @@ This setting disables Inbound connection filtering for Network Protection. -When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings + +When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings. @@ -1127,6 +1191,7 @@ When this value is set to false, it allows a local admin the ability to specify |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -1134,8 +1199,8 @@ When this value is set to false, it allows a local admin the ability to specify | Value | Description | |:--|:--| -| 1 | Disable Local Admin Merge | -| 0 | Enable Local Admin Merge | +| 1 | Disable Local Admin Merge. | +| 0 (Default) | Enable Local Admin Merge. | @@ -1160,6 +1225,7 @@ When this value is set to false, it allows a local admin the ability to specify + This setting disables the gathering and send of performance telemetry from Network Protection. @@ -1174,6 +1240,7 @@ This setting disables the gathering and send of performance telemetry from Netwo |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -1181,8 +1248,8 @@ This setting disables the gathering and send of performance telemetry from Netwo | Value | Description | |:--|:--| -| 1 | Network protection telemetry is disabled | -| 0 | Network protection telemetry is enabled | +| 1 | Network protection telemetry is disabled. | +| 0 (Default) | Network protection telemetry is enabled. | @@ -1207,6 +1274,7 @@ This setting disables the gathering and send of performance telemetry from Netwo + This setting disables RDP Parsing for Network Protection. @@ -1221,6 +1289,7 @@ This setting disables RDP Parsing for Network Protection. |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -1228,8 +1297,8 @@ This setting disables RDP Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | RDP Parsing is disabled | -| 0 | RDP Parsing is enabled | +| 1 | RDP Parsing is disabled. | +| 0 (Default) | RDP Parsing is enabled. | @@ -1238,6 +1307,55 @@ This setting disables RDP Parsing for Network Protection. + +### Configuration/DisableSmtpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableSmtpParsing +``` + + + + +This setting disables SMTP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | SMTP parsing is disabled. | +| 0 (Default) | SMTP parsing is enabled. | + + + + + + + + ### Configuration/DisableSshParsing @@ -1254,6 +1372,7 @@ This setting disables RDP Parsing for Network Protection. + This setting disables SSH Parsing for Network Protection. @@ -1276,8 +1395,8 @@ This setting disables SSH Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | SSH parsing is disabled | -| 0 (Default) | SSH parsing is enabled | +| 1 | SSH parsing is disabled. | +| 0 (Default) | SSH parsing is enabled. | @@ -1302,6 +1421,7 @@ This setting disables SSH Parsing for Network Protection. + This setting disables TLS Parsing for Network Protection. @@ -1324,8 +1444,8 @@ This setting disables TLS Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | TLS parsing is disabled | -| 0 (Default) | TLS parsing is enabled | +| 1 | TLS parsing is disabled. | +| 0 (Default) | TLS parsing is enabled. | @@ -1350,6 +1470,7 @@ This setting disables TLS Parsing for Network Protection. + This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. @@ -1364,6 +1485,7 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | 
@@ -1371,8 +1493,8 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting | Value | Description | |:--|:--| -| 1 | DNS Sinkhole is disabled | -| 0 | DNS Sinkhole is enabled | +| 1 (Default) | DNS Sinkhole is disabled. | +| 0 | DNS Sinkhole is enabled. | @@ -1397,6 +1519,7 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting + Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. @@ -1419,8 +1542,8 @@ Enables or disables file hash computation feature. When this feature is enabled | Value | Description | |:--|:--| -| 0 (Default) | Disable | -| 1 | Enable | +| 0 (Default) | Disable. | +| 1 | Enable. | @@ -1445,6 +1568,7 @@ Enables or disables file hash computation feature. When this feature is enabled + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. @@ -1459,6 +1583,7 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
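Review bot: The value table in this hunk now states that `1 (Default)` means `DNS Sinkhole is disabled` and `0` means `DNS Sinkhole is enabled`, which contradicts both the node name EnableDnsSinkhole and its description (`This setting enables the DNS Sinkhole feature for Network Protection...`) shown in the hunk above, and inverts the polarity every other Enable*/Disable* node in this file uses. Either the table or the name and description is wrong; an admin who reads the table will set 0 expecting the sinkhole to be on and may end up with the opposite. Please check the DDF for the real semantics and, if 1 means enabled, change the rows to `| 1 (Default) | DNS Sinkhole is enabled. |` and `| 0 | DNS Sinkhole is disabled. |`; the `| Default Value | 1 |` row added by the preceding hunk would then still be correct.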
@@ -1466,7 +1591,7 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd | Value | Description | |:--|:--| -| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | | 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | | 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | | 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | @@ -1480,45 +1605,6 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd - -### Configuration/ExcludedIpAddresses - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
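Review bot: The changed row `| 0 (Default) | Not configured (Default). The device will stay up to date ...` now says Default twice, once in the value cell and once in the description, which is a style inconsistency with the other tables the commit normalizes. Since the rest of the page marks the default in the value cell only, the description cell should drop its parenthetical: `| 0 (Default) | Not configured. The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |`. The same doubled "(Default)" pattern may exist in the PlatformUpdatesChannel and SecurityIntelligenceUpdatesChannel tables outside this chunk, which I cannot see here.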
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses -``` - - - -This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | List (Delimiter: `|`) | - - - - - - - - ### Configuration/HideExclusionsFromLocalAdmins @@ -1535,7 +1621,8 @@ This node contains a list of values specifying any IP addresses that wdnisdrv wi -This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. + +This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. @@ -1551,6 +1638,7 @@ This policy setting controls whether or not exclusions are visible to local admi |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -1559,7 +1647,7 @@ This policy setting controls whether or not exclusions are visible to local admi | Value | Description | |:--|:--| | 1 | If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. | -| 0 | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. | +| 0 (Default) | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. | 
@@ -1568,6 +1656,55 @@ This policy setting controls whether or not exclusions are visible to local admi + +### Configuration/IntelTDTEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/IntelTDTEnabled +``` + + + + +This policy setting configures the Intel TDT integration level for Intel TDT-capable devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat. | +| 2 | If you configure this setting to disabled, Intel TDT integration will turn off. | + + + + + + + + ### Configuration/MeteredConnectionUpdates @@ -1584,7 +1721,8 @@ This policy setting controls whether or not exclusions are visible to local admi -Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed + +Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed. @@ -1606,8 +1744,8 @@ Allow managed devices to update through metered connections. Default is 0 - not | Value | Description | |:--|:--| -| 1 | Allowed | -| 0 (Default) | Not Allowed | +| 1 | Allowed. | +| 0 (Default) | Not Allowed. | @@ -1632,6 +1770,7 @@ Allow managed devices to update through metered connections. Default is 0 - not + Setting to control automatic remediation for Sense scans. @@ -1646,6 +1785,7 @@ Setting to control automatic remediation for Sense scans. |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -1653,9 +1793,9 @@ Setting to control automatic remediation for Sense scans. | Flag | Description | |:--|:--| -| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation | -| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit | -| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation | +| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation. | +| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit. | +| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation. | @@ -1664,129 +1804,6 @@ Setting to control automatic remediation for Sense scans. - -### Configuration/PauseUpdateExpirationTime - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateExpirationTime -``` - - - -Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - - - - - - - -### Configuration/PauseUpdateFlag - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateFlag -``` - - - -Setting to control automatic remediation for Sense scans. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Update not paused | -| 1 | Update paused | - - - - - - - - - -### Configuration/PauseUpdateStartTime - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateStartTime -``` - - - -Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - - - - - - ### Configuration/PlatformUpdatesChannel @@ -1803,6 +1820,7 @@ Pause update from the UTC time in ISO string format without milliseconds, for ex + Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. @@ -1817,6 +1835,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -1824,7 +1843,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u | Value | Description | |:--|:--| -| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | | 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | | 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | | 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | @@ -1838,6 +1857,104 @@ Enable this policy to specify when devices receive Microsoft Defender platform u + +### Configuration/RandomizeScheduleTaskTimes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/RandomizeScheduleTaskTimes +``` + + + + +In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. This can be useful in virtual machines or VDI deployments. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. | +| 0 | Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. | + + + + + + + + + +### Configuration/ScanOnlyIfIdleEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ScanOnlyIfIdleEnabled +``` + + + + +In Microsoft Defender Antivirus, this setting will run scheduled scans only if the system is idle. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Runs scheduled scans only if the system is idle. | +| 0 | Runs scheduled scans regardless of whether the system is idle. | + + + + + + + + ### Configuration/SchedulerRandomizationTime @@ -1854,6 +1971,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u + This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. @@ -1894,6 +2012,7 @@ This setting allows you to configure the scheduler randomization in hours. The r + Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. @@ -1908,6 +2027,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -1915,7 +2035,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i | Value | Description | |:--|:--| -| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | | 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). | | 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | @@ -1942,6 +2062,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i + The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. @@ -1992,6 +2113,7 @@ More details: + Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. @@ -2006,6 +2128,7 @@ Tamper protection helps protect important security features from unwanted change |:--|:--| | Format | chr (string) | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -2014,54 +2137,6 @@ Tamper protection helps protect important security features from unwanted change - -### Configuration/TDTFeatureEnabled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/TDTFeatureEnabled -``` - - - -This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. | -| 2 | If you configure this setting to disabled, Intel TDT integration will be turned off. | - - - - - - - - ### Configuration/ThrottleForScheduledScanOnly @@ -2078,6 +2153,7 @@ This policy setting configures the integration level for Intel TDT integration f + A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. @@ -2126,6 +2202,7 @@ A CPU usage limit can be applied to scheduled scans only, or to scheduled and cu + An interior node to group all threats detected by Windows Defender. @@ -2164,6 +2241,7 @@ An interior node to group all threats detected by Windows Defender. + The ID of a threat that has been detected by Windows Defender. @@ -2203,7 +2281,8 @@ The ID of a threat that has been detected by Windows Defender. -Threat category ID. Supported values: + +Threat category ID. Supported values: | Value | Description | |:--|:--| @@ -2294,6 +2373,7 @@ Threat category ID. Supported values: + Information about the current status of the threat. The following list shows the supported values: | Value | Description | 
@@ -2346,6 +2426,7 @@ Information about the current status of the threat. The following list shows the + Information about the execution status of the threat. @@ -2384,6 +2465,7 @@ Information about the execution status of the threat. + The first time this particular threat was detected. @@ -2422,6 +2504,7 @@ The first time this particular threat was detected. + The last time this particular threat was changed. @@ -2460,6 +2543,7 @@ The last time this particular threat was changed. + The name of the specific threat. @@ -2498,6 +2582,7 @@ The name of the specific threat. + Number of times this threat has been detected on a particular client. @@ -2536,6 +2621,7 @@ Number of times this threat has been detected on a particular client. + Threat severity ID. The following list shows the supported values: | Value | Description | @@ -2582,6 +2668,7 @@ Threat severity ID. The following list shows the supported values: + URL link for additional threat information. @@ -2620,6 +2707,7 @@ URL link for additional threat information. + An interior node to group information about Windows Defender health status. @@ -2658,6 +2746,7 @@ An interior node to group information about Windows Defender health status. + Provide the current state of the device. The following list shows the supported values: | Value | Description | @@ -2705,6 +2794,7 @@ Provide the current state of the device. The following list shows the supported + Indicates whether the Windows Defender service is running. @@ -2743,6 +2833,7 @@ Indicates whether the Windows Defender service is running. + Version number of Windows Defender on the device. @@ -2781,6 +2872,7 @@ Version number of Windows Defender on the device. + Version number of the current Windows Defender engine on the device. 
@@ -2819,6 +2911,7 @@ Version number of the current Windows Defender engine on the device. + Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default). @@ -2857,6 +2950,7 @@ Indicates whether a Windows Defender full scan is overdue for the device. A Full + Indicates whether a Windows Defender full scan is required. @@ -2895,6 +2989,7 @@ Indicates whether a Windows Defender full scan is required. + Signature version used for the last full scan of the device. @@ -2933,6 +3028,7 @@ Signature version used for the last full scan of the device. + Time of the last Windows Defender full scan of the device. @@ -2971,6 +3067,7 @@ Time of the last Windows Defender full scan of the device. + Indicates whether the device is a virtual machine. @@ -3009,6 +3106,7 @@ Indicates whether the device is a virtual machine. + Indicates whether network protection is running. @@ -3047,6 +3145,7 @@ Indicates whether network protection is running. + Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values: | Value | Description | @@ -3131,6 +3230,7 @@ Provide the current state of the product. This is a bitmask flag value that can + Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default). @@ -3169,6 +3269,7 @@ Indicates whether a Windows Defender quick scan is overdue for the device. A Qui + Signature version used for the last quick scan of the device. @@ -3207,6 +3308,7 @@ Signature version used for the last quick scan of the device. + Time of the last Windows Defender quick scan of the device. 
@@ -3245,6 +3347,7 @@ Time of the last Windows Defender quick scan of the device. + Indicates whether a device reboot is needed. @@ -3283,6 +3386,7 @@ Indicates whether a device reboot is needed. + Indicates whether real-time protection is running. @@ -3321,6 +3425,7 @@ Indicates whether real-time protection is running. + Indicates whether the Windows Defender signature is outdated. @@ -3359,6 +3464,7 @@ Indicates whether the Windows Defender signature is outdated. + Version number of the current Windows Defender signatures on the device. @@ -3397,6 +3503,7 @@ Version number of the current Windows Defender signatures on the device. + Indicates whether the Windows Defender tamper protection feature is enabled. @@ -3435,6 +3542,7 @@ Indicates whether the Windows Defender tamper protection feature is enabled. + OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. @@ -3474,6 +3582,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher + RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. @@ -3513,6 +3622,7 @@ RollbackEngine action rolls back Microsoft Defender engine to it's last known go + RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command. @@ -3552,6 +3662,7 @@ RollbackPlatform action rolls back Microsoft Defender to it's last known good in + Node that can be used to start a Windows Defender scan on a device. @@ -3573,8 +3684,8 @@ Node that can be used to start a Windows Defender scan on a device. | Value | Description | |:--|:--| -| 1 | quick scan | -| 2 | full scan | +| 1 | Quick scan. | +| 2 | Full scan. | 
@@ -3599,6 +3710,7 @@ Node that can be used to start a Windows Defender scan on a device. + Node that can be used to perform signature updates for Windows Defender. diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 661c491b22..b540c17da8 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 02/17/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -816,6 +816,7 @@ The following XML file contains the device description framework (DDF) for the D + Follow the instructions provided here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide @@ -884,6 +885,7 @@ The following XML file contains the device description framework (DDF) for the D + Follow the instructions provided here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide 
@@ -910,6 +912,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. @@ -1024,7 +1027,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.14393 - 9.9 + 1.3 @@ -1069,37 +1072,6 @@ The following XML file contains the device description framework (DDF) for the D - - ExcludedIpAddresses - - - - - - - - This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. - - - - - - - - - - - - - - 10.0.14393 - 1.3 - - - - - - DisableCpuThrottleOnIdleScans @@ -1148,6 +1120,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings @@ -1452,6 +1425,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. @@ -1506,6 +1480,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. 
@@ -1560,6 +1535,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. @@ -1602,6 +1578,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Enable this policy to disable gradual rollout of Defender updates. @@ -1640,6 +1617,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. @@ -1678,6 +1656,7 @@ The following XML file contains the device description framework (DDF) for the D + 1 This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. @@ -1716,6 +1695,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This setting disables Inbound connection filtering for Network Protection. @@ -1754,6 +1734,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This setting disables RDP Parsing for Network Protection. @@ -1792,6 +1773,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. @@ -1830,6 +1812,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This setting disables the gathering and send of performance telemetry from Network Protection. 
@@ -1868,6 +1851,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. @@ -2026,6 +2010,38 @@ The following XML file contains the device description framework (DDF) for the D + + DataDuplicationLocalRetentionPeriod + + + + + + + + 60 + Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + [1-120] + + + DeviceControlEnabled @@ -2035,6 +2051,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Control Device Control feature. @@ -2075,6 +2092,7 @@ The following XML file contains the device description framework (DDF) for the D + 1 Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. @@ -2113,6 +2131,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Setting to control automatic remediation for Sense scans. 
@@ -2147,105 +2166,7 @@ The following XML file contains the device description framework (DDF) for the D - PauseUpdateStartTime - - - - - - - - Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. - - - - - - - - - - - - - - 10.0.14393 - 1.3 - - - - - - - PauseUpdateExpirationTime - - - - - - - - Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. - - - - - - - - - - - - - - 10.0.14393 - 1.3 - - - - - - - PauseUpdateFlag - - - - - - - - Setting to control automatic remediation for Sense scans. - - - - - - - - - - - - - - 10.0.14393 - 1.3 - - - - 0 - Update not paused - - - 1 - Update paused - - - - - - TDTFeatureEnabled + IntelTDTEnabled @@ -2254,7 +2175,7 @@ The following XML file contains the device description framework (DDF) for the D 0 - This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. + This policy setting configures the Intel TDT integration level for Intel TDT-capable devices. 
@@ -2274,11 +2195,128 @@ The following XML file contains the device description framework (DDF) for the D 0 - If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. + If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat. 2 - If you configure this setting to disabled, Intel TDT integration will be turned off. + If you configure this setting to disabled, Intel TDT integration will turn off. + + + + + + DisableSmtpParsing + + + + + + + + 0 + This setting disables SMTP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + SMTP parsing is disabled + + + 0 + SMTP parsing is enabled + + + + + + RandomizeScheduleTaskTimes + + + + + + + + 1 + In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. This can be useful in virtual machines or VDI deployments. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. + + + 0 + Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. + + + + + + ScanOnlyIfIdleEnabled + + + + + + + + 1 + In Microsoft Defender Antivirus, this setting will run scheduled scans only if the system is idle. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Runs scheduled scans only if the system is idle. + + + 0 + Runs scheduled scans regardless of whether the system is idle. diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index ac1777a84f..4b35dd3c12 100644 
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,251 +1,1454 @@ --- title: DevDetail CSP -description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server. -ms.reviewer: +description: Learn more about the DevDetail CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/27/2020 +ms.topic: reference --- + + + # DevDetail CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - + + The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -For the DevDetail CSP, you can't use the Replace command unless the node already exists. +For the DevDetail CSP, you can't use the Replace command unless the node already exists. The OMA Client Provisioning protocol isn't supported for this configuration service provider. + -The following information shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol isn't supported for this configuration service provider. + +The following list shows the DevDetail configuration service provider nodes: -```console -. 
-DevDetail -----URI ---------MaxDepth ---------MaxTotLen ---------MaxSegLen -----DevTyp -----OEM -----FwV -----SwV -----HwV -----LrgObj -----Ext ---------Microsoft -------------MobileID -------------RadioSwV -------------Resolution -------------CommercializationOperator -------------ProcessorArchitecture -------------ProcessorType -------------OSPlatform -------------LocalTime -------------DeviceName -------------DNSComputerName (Added in Windows 10, version 2004) -------------TotalStorage -------------TotalRAM -------------SMBIOSSerialNumber (Added in Windows 10, version 1809) ---------WLANMACAddress ---------VoLTEServiceSetting ---------WlanIPv4Address ---------WlanIPv6Address ---------WlanDnsSuffix ---------WlanSubnetMask ---------DeviceHardwareData (Added in Windows 10, version 1703) +- ./DevDetail + - [DevTyp](#devtyp) + - [Ext](#ext) + - [DeviceHardwareData](#extdevicehardwaredata) + - [Microsoft](#extmicrosoft) + - [CommercializationOperator](#extmicrosoftcommercializationoperator) + - [DeviceName](#extmicrosoftdevicename) + - [DNSComputerName](#extmicrosoftdnscomputername) + - [FreeStorage](#extmicrosoftfreestorage) + - [LocalTime](#extmicrosoftlocaltime) + - [MobileID](#extmicrosoftmobileid) + - [OSPlatform](#extmicrosoftosplatform) + - [ProcessorArchitecture](#extmicrosoftprocessorarchitecture) + - [ProcessorType](#extmicrosoftprocessortype) + - [RadioSwV](#extmicrosoftradioswv) + - [Resolution](#extmicrosoftresolution) + - [SMBIOSSerialNumber](#extmicrosoftsmbiosserialnumber) + - [SMBIOSVersion](#extmicrosoftsmbiosversion) + - [SystemSKU](#extmicrosoftsystemsku) + - [TotalRAM](#extmicrosofttotalram) + - [TotalStorage](#extmicrosofttotalstorage) + - [VoLTEServiceSetting](#extvolteservicesetting) + - [WlanDnsSuffix](#extwlandnssuffix) + - [WlanIPv4Address](#extwlanipv4address) + - [WlanIPv6Address](#extwlanipv6address) + - [WLANMACAddress](#extwlanmacaddress) + - [WlanSubnetMask](#extwlansubnetmask) + - [FwV](#fwv) + - [HwV](#hwv) + - [LrgObj](#lrgobj) + - 
[OEM](#oem) + - [SwV](#swv) + - [URI](#uri) + - [MaxDepth](#urimaxdepth) + - [MaxSegLen](#urimaxseglen) + - [MaxTotLen](#urimaxtotlen) + + + +## DevTyp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/DevTyp ``` -**DevTyp** -Required. Returns the device model name /SystemProductName as a string. + -Supported operation is Get. + + +Returns the device model name /SystemProductName as a string. + -**OEM** -Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2. + + + -Supported operation is Get. + +**Description framework properties**: -**FwV** -Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. + + + -Supported operation is Get. + -**SwV** -Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the client device. In the future, the build numbers may converge. + +## Ext -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**HwV** -Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. + +```Device +./DevDetail/Ext +``` + -For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. + + +Subtree to hold vendor-specific parameters. + -Supported operation is Get. + + + -**LrgObj** -Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**URI/MaxDepth** -Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0). + + + -Supported operation is Get. + -This value is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. + +### Ext/DeviceHardwareData -**URI/MaxTotLen** -Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operation is Get. + +```Device +./DevDetail/Ext/DeviceHardwareData +``` + -This value is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. + + +Added in Windows 10 version 1703. Returns a base64 encoded string of the hardware parameters of a device. + -**URI/MaxSegLen** -Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). + + +> [!NOTE] +> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you can't parse the content to get any meaningful hardware information. + -Supported operation is Get. + +**Description framework properties**: -This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + - + + -**Ext/Microsoft/MobileID** -Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support. + -Supported operation is Get. + +### Ext/Microsoft -The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + ---> + +```Device +./DevDetail/Ext/Microsoft +``` + -**Ext/Microsoft/RadioSwV** -Required. Returns the radio stack software version number. + + +Subtree to hold vendor-specific parameters. + -Supported operation is Get. + + + -**Ext/Microsoft/Resolution** -Required. Returns the UI screen resolution of the device (example: "480x800"). + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Ext/Microsoft/CommercializationOperator** -Required. Returns the name of the mobile operator if it exists. Otherwise, it returns 404. + + + -Supported operation is Get. + -**Ext/Microsoft/ProcessorArchitecture** -Required. Returns the processor architecture of the device as "arm" or "x86". + +#### Ext/Microsoft/CommercializationOperator -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Ext/Microsoft/ProcessorType** -Required. Returns the processor type of the device as documented in SYSTEM_INFO. + +```Device +./DevDetail/Ext/Microsoft/CommercializationOperator +``` + -Supported operation is Get. + + +Returns the name of the mobile operator if it exists; otherwise it returns 404. + -**Ext/Microsoft/OSPlatform** -Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName. + + + -Supported operation is Get. + +**Description framework properties**: -**Ext/Microsoft/LocalTime** -Required. Returns the client local time in ISO 8601 format. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operation is Get. + + + -**Ext/Microsoft/DeviceName** -Required. Contains the user-specified device name. + -Replace operation isn't supported in Windows client or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name doesn't take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. + +#### Ext/Microsoft/DeviceName -Value type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get and Replace. + +```Device +./DevDetail/Ext/Microsoft/DeviceName +``` + -**Ext/Microsoft/DNSComputerName** -Added in Windows 10, version 2004. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). + + +Contains the user-specified device name. Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. + -The following are the available naming macros: + + + -| Macro | Description | Example | Generated Name | -| -------| -------| -------| -------| -| %RAND:<# of digits> | Generates the specified number of random digits. | `Test%RAND:6%` | Test123456| -| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| `Test-Device-%SERIAL%` | Test-Device-456| + +**Description framework properties**: -Value type is string. Supported operations are Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | Automatic | + + + + + + + + + +#### Ext/Microsoft/DNSComputerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./DevDetail/Ext/Microsoft/DNSComputerName +``` + + + + +This node specifies the DNS name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:`<# of digits>`% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards. + + + + + This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). > [!NOTE] > We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment. On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**. 
+ -**Ext/Microsoft/TotalRAM** -Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | ServerInitiated | + -**Ext/Microsoft/SMBIOSSerialNumber** -Added in Windows 10, version 1809. SMBIOS Serial Number of the device. + + + -Value type is string. Supported operation is Get. + -**Ext/WLANMACAddress** -The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. + +#### Ext/Microsoft/FreeStorage -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./DevDetail/Ext/Microsoft/FreeStorage +``` + + + + +Total free storage in MB from first internal drive on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/LocalTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/LocalTime +``` + + + + +Returns the client local time in ISO 8601 format. Example: 2003-06-16. T18:37:44Z. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/MobileID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/MobileID +``` + + + + +Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support. The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/OSPlatform + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/OSPlatform +``` + + + + +Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/ProcessorArchitecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/ProcessorArchitecture +``` + + + + +Returns the processor architecture of the device as "arm" or "x86". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/ProcessorType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/ProcessorType +``` + + + + +Returns the processor type of the device as documented in SYSTEM_INFO. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/RadioSwV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/RadioSwV +``` + + + + +Returns the radio stack software version number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/Resolution + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/Resolution +``` + + + + +Resolution of the device in the format of WidthxLength (e.g., "400x800"). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/SMBIOSSerialNumber + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./DevDetail/Ext/Microsoft/SMBIOSSerialNumber +``` + + + + +SMBIOS Serial Number of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/SMBIOSVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./DevDetail/Ext/Microsoft/SMBIOSVersion +``` + + + + +SMBIOS version of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/SystemSKU + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/SystemSKU +``` + + + + +Returns the System SKU, as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/TotalRAM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/TotalRAM +``` + + + + +Total available memory in MB on the device (may be less than total physical memory). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/TotalStorage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/TotalStorage +``` + + + + +Total available storage in MB from first internal drive on the device (may be less than total physical storage). Available for Windows Mobile only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Ext/VoLTEServiceSetting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/VoLTEServiceSetting +``` + + + + +The VoLTE service setting on or off. Only exposed to Mobile Operator-based OMA-DM servers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Ext/WlanDnsSuffix + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/WlanDnsSuffix +``` + + + + +The DNS suffix of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Ext/WlanIPv4Address + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/WlanIPv4Address +``` + + + + +The IPv4 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Ext/WlanIPv6Address + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/WlanIPv6Address +``` + + + + +The IPv6 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Ext/WLANMACAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/WLANMACAddress +``` + + + + +The MAC address of the active WiFi connection. + + + + > [!NOTE] -> This isn't supported in Windows 10 for desktop editions. +> This isn't supported in Windows 10 for desktop editions. + -**Ext/VoLTEServiceSetting** -Returns the VoLTE service to on or off. This setting is only exposed to mobile operator OMA-DM servers. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**Ext/WlanIPv4Address** -Returns the IPv4 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA DM servers. + + + -Supported operation is Get. + -**Ext/WlanIPv6Address** -Returns the IPv6 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA-DM servers. + +### Ext/WlanSubnetMask -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Ext/WlanDnsSuffix** -Returns the DNS suffix of the active Wi-Fi connection. This suffix is only exposed to enterprise OMA-DM servers. + +```Device +./DevDetail/Ext/WlanSubnetMask +``` + -Supported operation is Get. + + +The subnet mask for the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers. + -**Ext/WlanSubnetMask** -Returns the subnet mask for the active Wi-Fi connection. This subnet mask is only exposed to enterprise OMA-DM servers. + + + -Supported operation is Get. + +**Description framework properties**: -**Ext/DeviceHardwareData** -Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -> [!NOTE] -> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you can't parse the content to get any meaningful hardware information. + + + -Supported operation is Get. + + + +## FwV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/FwV +``` + + + + +Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## HwV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/HwV +``` + + + + +Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## LrgObj + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/LrgObj +``` + + + + +Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +## OEM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/OEM +``` + + + + +Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## SwV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/SwV +``` + + + + +Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## URI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/URI +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### URI/MaxDepth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/URI/MaxDepth +``` + + + + +Returns the maximum depth of the management tree that the device supports. The default is zero (0). This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### URI/MaxSegLen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/URI/MaxSegLen +``` + + + + +Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### URI/MaxTotLen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/URI/MaxTotLen +``` + + + + +Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + + + + ## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 701008751e..143225fc55 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md 
@@ -1,31 +1,29 @@ --- title: DevDetail DDF file -description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the DevDetail configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/03/2020 +ms.topic: reference --- + + # DevDetail DDF file -This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the DevDetail configuration service provider. ```xml -]> +]> 1.2 + + DevDetail . @@ -33,6 +31,7 @@ The XML below is the current version for this CSP. + The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. @@ -43,8 +42,13 @@ The XML below is the current version for this CSP. - urn:oma:mo:oma-dm-devdetail:1.2 + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + URI @@ -62,7 +66,7 @@ The XML below is the current version for this CSP. - + 
@@ -71,6 +75,7 @@ The XML below is the current version for this CSP. + Returns the maximum depth of the management tree that the device supports. The default is zero (0). This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. @@ -81,7 +86,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -91,6 +96,7 @@ The XML below is the current version for this CSP. + Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. @@ -101,7 +107,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -111,6 +117,7 @@ The XML below is the current version for this CSP. + Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. @@ -121,7 +128,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -132,7 +139,7 @@ The XML below is the current version for this CSP. - Device model name, as specified and tracked by the manufacturer + Returns the device model name /SystemProductName as a string. @@ -143,7 +150,7 @@ The XML below is the current version for this CSP. - text/plain +
    @@ -153,7 +160,7 @@ The XML below is the current version for this CSP. - Name of OEM + Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2. @@ -164,7 +171,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -174,7 +181,7 @@ The XML below is the current version for this CSP. - Provide the version of OEM ROM region. + Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. @@ -185,7 +192,28 @@ The XML below is the current version for this CSP. - text/plain + + + + + + SwV + + + + + Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. + + + + + + + + + + + @@ -195,7 +223,7 @@ The XML below is the current version for this CSP. - Returns the hardware version. + Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. @@ -206,7 +234,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -216,9 +244,7 @@ The XML below is the current version for this CSP. - - Large object isn't supported. The data for this node is "false". - + Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. 
@@ -229,7 +255,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -250,7 +276,7 @@ The XML below is the current version for this CSP. - + @@ -270,7 +296,7 @@ The XML below is the current version for this CSP. - + @@ -279,7 +305,7 @@ The XML below is the current version for this CSP. - Indicates the subscriber ID registered with the cellular network. For GSM and UMTS networks, the value returned is the IMSI value; for other networks, SyncML Status code 404 is returned. + Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support. The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. @@ -290,7 +316,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -300,7 +326,7 @@ The XML below is the current version for this CSP. - Version of the software radio stack + Returns the radio stack software version number. @@ -311,7 +337,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -332,7 +358,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -342,7 +368,7 @@ The XML below is the current version for this CSP. - Name of operator with whom the device was commercialized. + Returns the name of the mobile operator if it exists; otherwise it returns 404. @@ -353,7 +379,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -363,7 +389,7 @@ The XML below is the current version for this CSP. - Processor architecture of the device, as returned by the GetSystemInfo API. + Returns the processor architecture of the device as "arm" or "x86". @@ -374,7 +400,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -384,7 +410,7 @@ The XML below is the current version for this CSP. - Processor type of the device, as returned by the GetSystemInfo API. + Returns the processor type of the device as documented in SYSTEM_INFO. @@ -395,7 +421,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -405,7 +431,7 @@ The XML below is the current version for this CSP. - Name of the operating system platform. + Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName. @@ -416,7 +442,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -426,7 +452,7 @@ The XML below is the current version for this CSP. - Returns the UTC time formatted per ISO8601. Example: 2003-06-16T18:37:44Z. + Returns the client local time in ISO 8601 format. Example: 2003-06-16T18:37:44Z. @@ -437,7 +463,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -448,7 +474,7 @@ The XML below is the current version for this CSP. - User-specified device name + Contains the user-specified device name. Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. @@ -459,8 +485,11 @@ The XML below is the current version for this CSP. - text/plain + + + + Automatic 
@@ -470,7 +499,7 @@ The XML below is the current version for this CSP. - This node specifies the DNS name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards. + % and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards.]]> @@ -481,8 +510,15 @@ The XML below is the current version for this CSP. - text/plain + + + 10.0.19041 + 1.2 + + + + ServerInitiated @@ -502,7 +538,28 @@ The XML below is the current version for this CSP. - text/plain + + + + + + FreeStorage + + + + + Total free storage in MB from first internal drive on the device. + + + + + + + + + + + @@ -523,7 +580,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -544,7 +601,57 @@ The XML below is the current version for this CSP. - text/plain + + + + 10.0.17763 + 1.2 + + + + + SMBIOSVersion + + + + + SMBIOS version of the device. + + + + + + + + + + + + + + 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387 + 1.2 + + + + + SystemSKU + + + + + Returns the System SKU, as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU. + + + + + + + + + + + @@ -566,7 +673,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -587,7 +694,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -608,7 +715,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -629,7 +736,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -650,7 +757,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -671,7 +778,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -692,12 +799,19 @@ The XML below is the current version for this CSP. - text/plain + + + 10.0.15063 + 1.1 + - ``` + +## Related articles + +[DevDetail configuration service provider reference](devdetail-csp.md) diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index ba8c8543ab..8ce716e6e3 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md 
@@ -1,81 +1,320 @@ --- title: DeviceManageability CSP -description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. -ms.reviewer: +description: Learn more about the DeviceManageability CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/01/2017 +ms.topic: reference --- + + + # DeviceManageability CSP -The table below shows the applicability of Windows: + + +The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value `csp_version` is used to determine each of the CSP versions. The `csp_version` is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for `CFGMGR_PROPERTY_SEMANTICTYPE` has to be updated to read from the registry as well, so that both the paths return the same information. + -The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. + +The following list shows the DeviceManageability configuration service provider nodes: -For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. 
The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that both the paths return the same information. +- ./Device/Vendor/MSFT/DeviceManageability + - [Capabilities](#capabilities) + - [CSPVersions](#capabilitiescspversions) + - [Provider](#provider) + - [{ProviderID}](#providerproviderid) + - [ConfigInfo](#providerprovideridconfiginfo) + - [EnrollmentInfo](#providerprovideridenrollmentinfo) + - [PayloadTransfer](#providerprovideridpayloadtransfer) + -The following example shows the DeviceManageability configuration service provider in a tree format. + +## Capabilities + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Capabilities ``` -./Device/Vendor/MSFT -DeviceManageability -----Capabilities ---------CSPVersions -----Provider (Added in Windows 10, version 1709) ---------ProviderID (Added in Windows 10, version 1709) -------------ConfigInfo (Added in Windows 10, version 1709) -------------EnrollmentInfo (Added in Windows 10, version 1709) + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Capabilities/CSPVersions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Capabilities/CSPVersions ``` + -**./Device/Vendor/MSFT/DeviceManageability** -Root node to group information about runtime MDM configuration capability on the target device. + + +Returns the versions of all configuration service providers (CSP) for MDM. + -**Capabilities** -Interior node. + + + -**Capabilities/CSPVersions** -Returns the versions of all configuration service providers supported on the device for the MDM service. + +**Description framework properties**: -**Provider** -Added in Windows 10, version 1709. Interior node. +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + -**Provider/_ProviderID_** -Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources. + + + -**Provider/_ProviderID_/ConfigInfo** -Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to use during sync session. + -ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources. + +## Provider -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider +``` + -**Provider/_ProviderID_/EnrollmentInfo** -Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session. + + + -Data type is string. + + + -Supported operations are Add, Get, Delete, and Replace.  + +**Description framework properties**: -## Related topics +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -[Configuration service provider reference](index.yml) + + + + + +### Provider/{ProviderID} + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider/{ProviderID} +``` + + + +Provider ID String of the Configuration Source. + + + + +Provider ID should be unique among the different config sources. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Provider ID String of the Configuration Source | + + + + + + + + + +#### Provider/{ProviderID}/ConfigInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider/{ProviderID}/ConfigInfo +``` + + + + +Configuration Info string value set by the config source. Recommended to be used during sync session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Provider/{ProviderID}/EnrollmentInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider/{ProviderID}/EnrollmentInfo +``` + + + + +Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Provider/{ProviderID}/PayloadTransfer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider/{ProviderID}/PayloadTransfer +``` + + + + +Payload Transfer string value set by the config source. Recommended to be used during sync session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index 8854d21cfc..3436c3b0bb 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md 
@@ -1,41 +1,85 @@ --- -title: DeviceManageability DDF -description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. -ms.reviewer: +title: DeviceManageability DDF file +description: View the XML file containing the device description framework (DDF) for the DeviceManageability configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- -# DeviceManageability DDF + +# DeviceManageability DDF file -This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1709. +The following XML file contains the device description framework (DDF) for the DeviceManageability configuration service provider. ```xml -]> +]> 1.2 + + + + DeviceManageability + ./Device/Vendor/MSFT + + + + + + + Root node to group information about runtime MDM configuration capability on the target device. + + + + + + + + + + + + + + 10.0.14393 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Capabilities + + + + + + + + + + + + + + + + + - DeviceManageability - ./Device/Vendor/MSFT + CSPVersions + Returns the versions of all configuration service providers (CSP) for MDM. - + 
@@ -44,60 +88,74 @@ The XML below is for Windows 10, version 1709. - com.microsoft/1.1/MDM/DeviceManageability + + + + + Provider + + + + + + + + + + + + + + Provider + + + + + 10.0.17134 + 1.1 + + + + + + + + + + + + Provider ID String of the Configuration Source + + + + + + + + + + ProviderID + + + + + Provider ID String of the Configuration Source + + - Capabilities + ConfigInfo - - - - - - - - - - - - - - - - - CSPVersions - - - - - Returns the versions of all configuration service providers (CSP) for MDM. - - - - - - - - - - - text/plain - - - - - - Provider - - - + + + Configuration Info string value set by the config source. Recommended to be used during sync session. - + @@ -105,96 +163,78 @@ The XML below is for Windows 10, version 1709. - Provider + ConfigInfo - + + + + + + + PayloadTransfer + + + + + + + + Payload Transfer string value set by the config source. Recommended to be used during sync session. + + + + + + + + + + PayloadTransfer + + + + + 10.0.22621, 10.0.22000.918, 10.0.19044.2193, 10.0.19043.2193, 10.0.19042.2193 + 1.1 + + + + + + + EnrollmentInfo + + + + + + + + Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment. + + + + + + + + + + EnrollmentInfo + + + + + - - - - - - - - - Provider ID String of the Configuration Source - - - - - - - - - - ProviderID - - - - - - ConfigInfo - - - - - - - - Configuration Info string value set by the config source. Recommended to be used during sync session. - - - - - - - - - - ConfigInfo - - text/plain - - - - - EnrollmentInfo - - - - - - - - Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment. - - - - - - - - - - EnrollmentInfo - - text/plain - - - - + + ``` -  - -  - - - - - +## Related articles +[DeviceManageability configuration service provider reference](devicemanageability-csp.md) 
diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md new file mode 100644 index 0000000000..35028e068e --- /dev/null +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -0,0 +1,342 @@ +--- +title: DevicePreparation CSP +description: Learn more about the DevicePreparation CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/28/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# DevicePreparation CSP + +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + + + + + + +The following list shows the DevicePreparation configuration service provider nodes: + +- ./Device/Vendor/MSFT/DevicePreparation + - [BootstrapperAgent](#bootstrapperagent) + - [ClassID](#bootstrapperagentclassid) + - [ExecutionContext](#bootstrapperagentexecutioncontext) + - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) + - [PageEnabled](#pageenabled) + - [PageSettings](#pagesettings) + - [PageStatus](#pagestatus) + + + +## BootstrapperAgent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent +``` + + + + +The subnodes configure settings for the Bootstrapper Agent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### BootstrapperAgent/ClassID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/ClassID +``` + + + + +This node stores the class ID for the Bootstrapper Agent WinRT object. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### BootstrapperAgent/ExecutionContext + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/ExecutionContext +``` + + + + +This node holds opaque data that will be passed to the Bootstrapper Agent as a parameter when it is invoked to execute. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### BootstrapperAgent/InstallationStatusUri + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/InstallationStatusUri +``` + + + + +This node holds a URI that can be queried for the status of the Bootstrapper Agent installation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## PageEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/PageEnabled +``` + + + + +This node determines whether to enable or show the Device Preparation page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | The page is not enabled. | +| true | The page is enabled. | + + + + + + + + + +## PageSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/PageSettings +``` + + + + +This node configures specific settings for the Device Preparation page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## PageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/PageStatus +``` + + + + +This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = Succeeded; 4 = Failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 | Enabled. | +| 2 | InProgress. | +| 3 | Succeeded. | +| 4 | Failed. | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md new file mode 100644 index 0000000000..e10e6a1a49 --- /dev/null +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md 
@@ -0,0 +1,252 @@ +--- +title: DevicePreparation DDF file +description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + +# DevicePreparation DDF file + +The following XML file contains the device description framework (DDF) for the DevicePreparation configuration service provider. + +```xml + +]> + + 1.2 + + + + DevicePreparation + ./Device/Vendor/MSFT + + + + + Parent node for the CSP. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + PageEnabled + + + + + + false + This node determines whether to enable or show the Device Preparation page. + + + + + + + + + + + + + + + false + The page is not enabled + + + true + The page is enabled + + + + + + PageStatus + + + + + This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = Succeeded; 4 = Failed. + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + 2 + InProgress + + + 3 + Succeeded + + + 4 + Failed + + + + + + PageSettings + + + + + + This node configures specific settings for the Device Preparation page. + + + + + + + + + + + + + + + + + + BootstrapperAgent + + + + + The subnodes configure settings for the Bootstrapper Agent. + + + + + + + + + + + + + + + ClassID + + + + + + This node stores the class ID for the Bootstrapper Agent WinRT object. + + + + + + + + + + + + + + + + + + ExecutionContext + + + + + + This node holds opaque data that will be passed to the Bootstrapper Agent as a parameter when it is invoked to execute. 
+ + + + + + + + + + + + + + + + + + InstallationStatusUri + + + + + + This node holds a URI that can be queried for the status of the Bootstrapper Agent installation. + + + + + + + + + + + + + + + + + + + +``` + +## Related articles + +[DevicePreparation configuration service provider reference](devicepreparation-csp.md) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 0f4c3a631c..dc7f201767 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md 
@@ -1,375 +1,2057 @@ --- title: DeviceStatus CSP -description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise. -ms.reviewer: +description: Learn more about the DeviceStatus CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/25/2021 +ms.topic: reference --- + + + # DeviceStatus CSP -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the DeviceStatus configuration service provider nodes: -The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. 
+- ./Vendor/MSFT/DeviceStatus + - [Antispyware](#antispyware) + - [SignatureStatus](#antispywaresignaturestatus) + - [Status](#antispywarestatus) + - [Antivirus](#antivirus) + - [SignatureStatus](#antivirussignaturestatus) + - [Status](#antivirusstatus) + - [Battery](#battery) + - [EstimatedChargeRemaining](#batteryestimatedchargeremaining) + - [EstimatedRuntime](#batteryestimatedruntime) + - [Status](#batterystatus) + - [CellularIdentities](#cellularidentities) + - [{IMEI}](#cellularidentitiesimei) + - [CommercializationOperator](#cellularidentitiesimeicommercializationoperator) + - [ICCID](#cellularidentitiesimeiiccid) + - [IMSI](#cellularidentitiesimeiimsi) + - [PhoneNumber](#cellularidentitiesimeiphonenumber) + - [RoamingCompliance](#cellularidentitiesimeiroamingcompliance) + - [RoamingStatus](#cellularidentitiesimeiroamingstatus) + - [CertAttestation](#certattestation) + - [MDMClientCertAttestation](#certattestationmdmclientcertattestation) + - [Compliance](#compliance) + - [EncryptionCompliance](#complianceencryptioncompliance) + - [DeviceGuard](#deviceguard) + - [HypervisorEnforcedCodeIntegrityStatus](#deviceguardhypervisorenforcedcodeintegritystatus) + - [LsaCfgCredGuardStatus](#deviceguardlsacfgcredguardstatus) + - [SystemGuardStatus](#deviceguardsystemguardstatus) + - [VirtualizationBasedSecurityHwReq](#deviceguardvirtualizationbasedsecurityhwreq) + - [VirtualizationBasedSecurityStatus](#deviceguardvirtualizationbasedsecuritystatus) + - [DMA](#dma) + - [BootDMAProtectionStatus](#dmabootdmaprotectionstatus) + - [DomainName](#domainname) + - [Firewall](#firewall) + - [Status](#firewallstatus) + - [NetworkIdentifiers](#networkidentifiers) + - [{MacAddress}](#networkidentifiersmacaddress) + - [IPAddressV4](#networkidentifiersmacaddressipaddressv4) + - [IPAddressV6](#networkidentifiersmacaddressipaddressv6) + - [IsConnected](#networkidentifiersmacaddressisconnected) + - [Type](#networkidentifiersmacaddresstype) + - [OS](#os) + - [Edition](#osedition) + - 
[Mode](#osmode) + - [SecureBootState](#securebootstate) + - [TPM](#tpm) + - [ManufacturerId](#tpmmanufacturerid) + - [ManufacturerIdTxt](#tpmmanufactureridtxt) + - [ManufacturerVersion](#tpmmanufacturerversion) + - [SpecificationVersion](#tpmspecificationversion) + - [UAC](#uac) + - [Status](#uacstatus) + -The following example shows the DeviceStatus configuration service provider in tree format. + +## Antispyware + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Antispyware ``` -./Vendor/MSFT -DeviceStatus -----SecureBootState -----CellularIdentities ---------IMEI -------------IMSI -------------ICCID -------------PhoneNumber -------------CommercializationOperator -------------RoamingStatus -------------RoamingCompliance -----NetworkIdentifiers ---------MacAddress -------------IPAddressV4 -------------IPAddressV6 -------------IsConnected -------------Type -----Compliance ---------EncryptionCompliance -----TPM ---------SpecificationVersion -----OS ---------Edition ---------Mode -----Antivirus ---------SignatureStatus ---------Status -----Antispyware ---------SignatureStatus ---------Status -----Firewall ---------Status -----UAC ---------Status -----Battery ---------Status ---------EstimatedChargeRemaining ---------EstimatedRuntime -----DomainName -----DeviceGuard ---------VirtualizationBasedSecurityHwReq ---------VirtualizationBasedSecurityStatus ---------LsaCfgCredGuardStatus -----CertAttestation ---------MDMClientCertAttestation + + + + +Node for the antispyware query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Antispyware/SignatureStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Antispyware/SignatureStatus ``` + -**DeviceStatus** -The root node for the DeviceStatus configuration service provider. - -**DeviceStatus/SecureBootState** -Indicates whether secure boot is enabled. The value is one of the following values: - -- 0 - Not supported -- 1 - Enabled -- 2 - Disabled - -Supported operation is Get. - -**DeviceStatus/CellularIdentities** -Required. Node for queries on the SIM cards. - ->[!NOTE] ->Multiple SIMs are supported. - -**DeviceStatus/CellularIdentities/***IMEI* -The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. - -**DeviceStatus/CellularIdentities/*IMEI*/IMSI** -The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/ICCID** -The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** -Phone number associated with the specific IMEI number. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** -The mobile service provider or mobile operator associated with the specific IMEI number. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** -Indicates whether the SIM card associated with the specific IMEI number is roaming. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** -Boolean value that indicates compliance with the enforced enterprise roaming policy. - -Supported operation is Get. - -**DeviceStatus/NetworkIdentifiers** -Node for queries on network and device properties. 
- -**DeviceStatus/NetworkIdentifiers/***MacAddress* -MAC address of the wireless network card. A MAC address is present for each network card on the device. - -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** -IPv4 address of the network card associated with the MAC address. - -Supported operation is Get. - -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** -IPv6 address of the network card associated with the MAC address. - -Supported operation is Get. - -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** -Boolean value that indicates whether the network card associated with the MAC address has an active network connection. - -Supported operation is Get. - -**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** -Type of network connection. The value is one of the following values: - -- 2 - WLAN (or other Wireless interface) -- 1 - LAN (or other Wired interface) -- 0 - Unknown - -Supported operation is Get. - -**DeviceStatus/Compliance** -Node for the compliance query. - -**DeviceStatus/Compliance/EncryptionCompliance** -Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values: - -- 0 - Not encrypted -- 1 - Encrypted - -Supported operation is Get. - -**DeviceStatus/TPM** -Added in Windows, version 1607. Node for the TPM query. - -Supported operation is Get. - -**DeviceStatus/TPM/SpecificationVersion** -Added in Windows, version 1607. String that specifies the specification version. - -Supported operation is Get. - -**DeviceStatus/OS** -Added in Windows, version 1607. Node for the OS query. - -Supported operation is Get. - -**DeviceStatus/OS/Edition** -Added in Windows, version 1607. String that specifies the OS edition. - -Supported operation is Get. - -**DeviceStatus/OS/Mode** -Added in Windows, version 1803. Read only node that specifies the device mode. - -Valid values: - -- 0 - The device is in standard configuration. 
-- 1 - The device is in S mode configuration. - -Supported operation is Get. - -**DeviceStatus/Antivirus** -Added in Windows, version 1607. Node for the antivirus query. - -Supported operation is Get. - -**DeviceStatus/Antivirus/SignatureStatus** -Added in Windows, version 1607. Integer that specifies the status of the antivirus signature. - -Valid values: - -- 0 - The security software reports that it isn't the most recent version. -- 1 (default) - The security software reports that it's the most recent version. -- 2 – Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) - -Supported operation is Get. - -If more than one antivirus provider is active, this node returns: - -- 1 – If every active antivirus provider has a valid signature status. -- 0 – If any of the active antivirus providers has an invalid signature status. - -This node also returns 0 when no antivirus provider is active. - -**DeviceStatus/Antivirus/Status** -Added in Windows, version 1607. Integer that specifies the status of the antivirus. - -Valid values: - -- 0 – Antivirus is on and monitoring. -- 1 – Antivirus is disabled. -- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off. -- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC. -- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) - -Supported operation is Get. - -**DeviceStatus/Antispyware** -Added in Windows, version 1607. Node for the anti-spyware query. - -Supported operation is Get. - -**DeviceStatus/Antispyware/SignatureStatus** -Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature. - -Valid values: - -- 0 - The security software reports that it isn't the most recent version. -- 1 - The security software reports that it's the most recent version. -- 2 - Not applicable. 
This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) - -Supported operation is Get. - -If more than one anti-spyware provider is active, this node returns: - -- 1 – If every active anti-spyware provider has a valid signature status. -- 0 – If any of the active anti-spyware providers has an invalid signature status. + + +Integer that specifies the status of the antispyware signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 - The security software reports that it is the most recent version. 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) If more than one antispyware provider is active, this node returns: 1 - If every active antispyware provider has a valid signature status. 0 - If any of the active antispyware providers has an invalid signature status. + + + This node also returns 0 when no anti-spyware provider is active. + -**DeviceStatus/Antispyware/Status** -Added in Windows, version 1607. Integer that specifies the status of the anti-spyware. + +**Description framework properties**: -Valid values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 1 | + -- 0 - The status of the security provider category is good and doesn't need user attention. -- 1 - The status of the security provider category isn't monitored by Windows Security. -- 2 - The status of the security provider category is poor and the computer may be at risk. -- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service isn't actively protecting the computer. + + + -Supported operation is Get. + -**DeviceStatus/Firewall** -Added in Windows, version 1607. Node for the firewall query. + +### Antispyware/Status -Supported operation is Get. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -**DeviceStatus/Firewall/Status** -Added in Windows, version 1607. Integer that specifies the status of the firewall. + +```Device +./Vendor/MSFT/DeviceStatus/Antispyware/Status +``` + -Valid values: + + +Integer that specifies the status of the antispyware. Valid values: 0 - The status of the security provider category is good and does not need user attention. 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). 2 - The status of the security provider category is poor and the computer may be at risk. 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. + -- 0 – Firewall is on and monitoring. -- 1 – Firewall has been disabled. -- 2 – Firewall isn't monitoring all networks or some rules have been turned off. -- 3 (default) – Firewall is temporarily not monitoring all networks. -- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) + + + -Supported operation is Get. + +**Description framework properties**: -**DeviceStatus/UAC** -Added in Windows, version 1607. Node for the UAC query. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 3 | + -Supported operation is Get. + + + -**DeviceStatus/UAC/Status** -Added in Windows, version 1607. Integer that specifies the status of the UAC. + -Supported operation is Get. + +## Antivirus -**DeviceStatus/Battery** -Added in Windows, version 1607. Node for the battery query. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operation is Get. + +```Device +./Vendor/MSFT/DeviceStatus/Antivirus +``` + -**DeviceStatus/Battery/Status** -Added in Windows, version 1607. Integer that specifies the status of the battery + + +Node for the antivirus query. + -Supported operation is Get. + + + -**DeviceStatus/Battery/EstimatedChargeRemaining** -Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). + +**Description framework properties**: -The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Get. + + + -**DeviceStatus/Battery/EstimatedRuntime** -Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). + -The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + +### Antivirus/SignatureStatus -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -**DeviceStatus/DomainName** -Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string. + +```Device +./Vendor/MSFT/DeviceStatus/Antivirus/SignatureStatus +``` + -Supported operation is Get. + + +Integer that specifies the status of the antivirus signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 (default) - The security software reports that it is the most recent version. 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) If more than one antivirus provider is active, this node returns: 1 - If every active antivirus provider has a valid signature status. 0 - If any of the active antivirus providers has an invalid signature status. + -**DeviceStatus/DeviceGuard** -Added in Windows, version 1709. Node for Device Guard query. + + +This node also returns 0 when no antivirus provider is active. + -Supported operation is Get. + +**Description framework properties**: -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** -Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 1 | + -- 0x0: System meets hardware configuration requirements -- 0x1: SecureBoot required -- 0x2: DMA Protection required -- 0x4: HyperV not supported for Guest VM -- 0x8: HyperV feature isn't available + + + -Supported operation is Get. + -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** -Added in Windows, version 1709. Virtualization-based security status. 
Value is one of the following: + +### Antivirus/Status -- 0 - Running -- 1 - Reboot required -- 2 - 64-bit architecture required -- 3 - Not licensed -- 4 - Not configured -- 5 - System doesn't meet hardware requirements -- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operation is Get. + +```Device +./Vendor/MSFT/DeviceStatus/Antivirus/Status +``` + -**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** -Added in Windows, version 1709. Local System Authority (LSA) credential guard status. + + +Integer that specifies the status of the antivirus. Valid values: 0 - Antivirus is on and monitoring, 1 - Antivirus is disabled, 2 - Antivirus is not monitoring the device/PC or some options have been turned off, 3 (default) - Antivirus is temporarily not completely monitoring the device/PC, 4 - Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) + -- 0 - Running -- 1 - Reboot required -- 2 - Not licensed for Credential Guard -- 3 - Not configured -- 4 - VBS not running + + + -Supported operation is Get. + +**Description framework properties**: -**DeviceStatus/CertAttestation/MDMClientCertAttestation** -Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 3 | + -Supported operation is Get. + + + -## Related topics + -[Configuration service provider reference](index.yml) + +## Battery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Battery +``` + + + + +Node for the battery query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Battery/EstimatedChargeRemaining + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Battery/EstimatedChargeRemaining +``` + + + + +Integer that specifies the estimated battery charge remaining. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +### Battery/EstimatedRuntime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Battery/EstimatedRuntime +``` + + + + +Integer that specifies the estimated runtime of the battery. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +### Battery/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Battery/Status +``` + + + + +Integer that specifies the status of the battery. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +## CellularIdentities + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities +``` + + + + +Node for queries on the SIM cards. + + + + +> [!NOTE] +> Multiple SIMs are supported. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### CellularIdentities/{IMEI} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI} +``` + + + + +The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### CellularIdentities/{IMEI}/CommercializationOperator + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/CommercializationOperator +``` + + + + +The mobile service provider or mobile operator associated with the specific IMEI number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/ICCID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/ICCID +``` + + + + +The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/IMSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/IMSI +``` + + + + +The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/PhoneNumber + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/PhoneNumber +``` + + + + +Phone number associated with the specific IMEI number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/RoamingCompliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/RoamingCompliance +``` + + + + +Boolean value that indicates compliance with the enforced enterprise roaming policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/RoamingStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/RoamingStatus +``` + + + + +Indicates whether the SIM card associated with the specific IMEI number is roaming. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +## CertAttestation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CertAttestation +``` + + + + +Node for Certificate Attestation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### CertAttestation/MDMClientCertAttestation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CertAttestation/MDMClientCertAttestation +``` + + + + +MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Compliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Compliance +``` + + + + +Node for the compliance query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Compliance/EncryptionCompliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Compliance/EncryptionCompliance +``` + + + + +Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: 0 - not encrypted, 1 - encrypted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +## DeviceGuard + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard +``` + + + + +Node for Device Guard query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/HypervisorEnforcedCodeIntegrityStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/HypervisorEnforcedCodeIntegrityStatus +``` + + + + +Hypervisor Enforced Code Integrity (HVCI) status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - VBS not running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/LsaCfgCredGuardStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus +``` + + + + +Local System Authority (LSA) credential guard status. 0 - Running, 1 - Reboot required, 2 - Not licensed for Credential Guard, 3 - Not configured, 4 - VBS not running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/SystemGuardStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/SystemGuardStatus +``` + + + + +System Guard status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - System doesn't meet hardware requirements. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/VirtualizationBasedSecurityHwReq + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq +``` + + + + +Virtualization-based security hardware requirement status. The value is a 256 value bitmask. 0x0: System meets hardware configuration requirements, 0x1: SecureBoot required, 0x2: DMA Protection required, 0x4: HyperV not supported for Guest VM, 0x8: HyperV feature is not available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/VirtualizationBasedSecurityStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus +``` + + + + +Virtualization-based security status. Value is one of the following: 0 - Running, 1 - Reboot required, 2 - 64 bit architecture required, 3 - not licensed, 4 - not configured, 5 - System doesn't meet hardware requirements, 42 - Other. Event logs in Microsoft-Windows-DeviceGuard have more details. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## DMA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DMA +``` + + + + +Node for DMA query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### DMA/BootDMAProtectionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DMA/BootDMAProtectionStatus +``` + + + + +Boot DMA Protection status. 1 - Enabled, 2 - Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## DomainName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DomainName +``` + + + + +Returns the fully qualified domain name of the device(if any). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Firewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Firewall +``` + + + + +Node for the firewall query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Firewall/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Firewall/Status +``` + + + + +Integer that specifies the status of the firewall. Valid values: 0 - Firewall is on and monitoring, 1 - Firewall has been disabled, 2 - Firewall is not monitoring all networks or some rules have been turned off, 3 (default) - Firewall is temporarily not monitoring all networks, 4 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 3 | + + + + + + + + + +## NetworkIdentifiers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers +``` + + + + +Node for queries on network and device properties. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### NetworkIdentifiers/{MacAddress} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress} +``` + + + + +MAC address of the wireless network card. A MAC address is present for each network card on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### NetworkIdentifiers/{MacAddress}/IPAddressV4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IPAddressV4 +``` + + + + +IPv4 address of the network card associated with the MAC address. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### NetworkIdentifiers/{MacAddress}/IPAddressV6 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IPAddressV6 +``` + + + + +IPv6 address of the network card associated with the MAC address. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### NetworkIdentifiers/{MacAddress}/IsConnected + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IsConnected +``` + + + + +Boolean value that indicates whether the network card associated with the MAC address has an active network connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +#### NetworkIdentifiers/{MacAddress}/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/Type +``` + + + + +Type of network connection. The value is one of the following: 2 - WLAN (or other Wireless interface), 1 - LAN (or other Wired interface), 0 - Unknown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## OS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/OS +``` + + + + +Node for the OS query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### OS/Edition + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/OS/Edition +``` + + + + +String that specifies the OS edition. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +### OS/Mode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/OS/Mode +``` + + + + +Read only node that specifies the device mode. Valid values: 0 - the device is in standard configuration, 1 - the device is in S mode configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +## SecureBootState + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/SecureBootState +``` + + + + +Indicates whether secure boot is enabled. The value is one of the following: 0 - Not supported, 1 - Enabled, 2 - Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## TPM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM +``` + + + + +Node for the TPM query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### TPM/ManufacturerId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM/ManufacturerId +``` + + + + +String that specifies the TPM manufacturer ID as a number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +### TPM/ManufacturerIdTxt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM/ManufacturerIdTxt +``` + + + + +String that specifies the TPM manufacturer ID as text. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +### TPM/ManufacturerVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM/ManufacturerVersion +``` + + + + +String that specifies the manufacturer version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +### TPM/SpecificationVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM/SpecificationVersion +``` + + + + +String that specifies the specification version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +## UAC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/UAC +``` + + + + +Node for the UAC query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### UAC/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/UAC/Status +``` + + + + +Integer that specifies the status of the UAC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 758d3d324d..63dbac6ba7 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md 
@@ -1,928 +1,1201 @@ --- -title: DeviceStatus DDF -description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +title: DeviceStatus DDF file +description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/12/2018 +ms.topic: reference --- -# DeviceStatus DDF + -This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# DeviceStatus DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the DeviceStatus configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + DeviceStatus + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - DeviceStatus - ./Vendor/MSFT + SecureBootState + + + + + Indicates whether secure boot is enabled. The value is one of the following: 0 - Not supported, 1 - Enabled, 2 - Disabled + + + + + + + + + + + + + + + + CellularIdentities + + + + + Node for queries on the SIM cards. + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - com.microsoft/1.4/MDM/DeviceStatus - + + + + The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. 
+ + + + + + + + + + IMEI + + + + + + - SecureBootState - - - - - - - - - - - - - - - text/plain - - + IMSI + + + + + The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. + + + + + + + + + + + + + - CellularIdentities - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMEI - - - - - - IMSI - - - - - - - - - - - - - - - text/plain - - - - - ICCID - - - - - - - - - - - - - - - text/plain - - - - - PhoneNumber - - - - - - - - - - - - - - - text/plain - - - - - CommercializationOperator - - - - - - - - - - - - - - - text/plain - - - - - RoamingStatus - - - - - - - - - - - - - - - text/plain - - - - - RoamingCompliance - - - - - - - - - - - - - - - text/plain - - - - + ICCID + + + + + The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. + + + + + + + + + + + + + - NetworkIdentifiers - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - MacAddress - - - - - - IPAddressV4 - - - - - - - - - - - - - - - text/plain - - - - - IPAddressV6 - - - - - - - - - - - - - - - text/plain - - - - - IsConnected - - - - - - - - - - - - - - - text/plain - - - - - Type - - - - - - - - - - - - - - - text/plain - - - - + PhoneNumber + + + + + Phone number associated with the specific IMEI number. + + + + + + + + + + + + + - Compliance - - - - - - - - - - - - - - - - - - - EncryptionCompliance - - - - - - - - - - - - - - - text/plain - - - + CommercializationOperator + + + + + The mobile service provider or mobile operator associated with the specific IMEI number. + + + + + + + + + + + + + - TPM - - - - - - - - - - - - - - - - - - - SpecificationVersion - - - - - Not available - - - - - - - - - - - text/plain - - - + RoamingStatus + + + + + Indicates whether the SIM card associated with the specific IMEI number is roaming. 
+ + + + + + + + + + + + + - OS - - - - - - - - - - - - - - - - - - - Edition - - - - - Not available - - - - - - - - - - - text/plain - - - - - Mode - - - - - Not available - - - - - - - - - - - text/plain - - - - - - Antivirus - - - - - - - - - - - - - - - - - - - SignatureStatus - - - - - 1 - - - - - - - - - - - text/plain - - - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - - - - Antispyware - - - - - - - - - - - - - - - - - - - SignatureStatus - - - - - 1 - - - - - - - - - - - text/plain - - - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - - - - Firewall - - - - - - - - - - - - - - - - - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - - - - UAC - - - - - - - - - - - - - - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - - Battery - - - - - - - - - - - - - - - - - - - Status - - - - - 0 - - - - - - - - - - - text/plain - - - - - EstimatedChargeRemaining - - - - - 0 - - - - - - - - - - - text/plain - - - - - EstimatedRuntime - - - - - 0 - - - - - - - - - - - text/plain - - - - - - DomainName - - - - - Returns the fully qualified domain name of the device(if any). - - - - - - - - - - DomainName - - text/plain - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - VirtualizationBasedSecurityHwReq - - - - - - - - - - - - - - - text/plain - - - - - VirtualizationBasedSecurityStatus - - - - - - - - - - - - - - - text/plain - - - - - LsaCfgCredGuardStatus - - - - - - - - - - - - - - - text/plain - - - - - - CertAttestation - - - - - Node for Certificate Attestation - - - - - - - - - - - - - - - MDMClientCertAttestation - - - - - MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields. - - - - - - - - - - - - - - + RoamingCompliance + + + + + Boolean value that indicates compliance with the enforced enterprise roaming policy. + + + + + + + + + + + + + + + + NetworkIdentifiers + + + + + Node for queries on network and device properties. 
+ + + + + + + + + + + + + + + + + + + + + MAC address of the wireless network card. A MAC address is present for each network card on the device. + + + + + + + + + + MacAddress + + + + + + + + + IPAddressV4 + + + + + IPv4 address of the network card associated with the MAC address. + + + + + + + + + + + + + + + + IPAddressV6 + + + + + IPv6 address of the network card associated with the MAC address. + + + + + + + + + + + + + + + + IsConnected + + + + + Boolean value that indicates whether the network card associated with the MAC address has an active network connection. + + + + + + + + + + + + + + + + Type + + + + + Type of network connection. The value is one of the following: 2 - WLAN (or other Wireless interface), 1 - LAN (or other Wired interface), 0 - Unknown + + + + + + + + + + + + + + + + + + Compliance + + + + + Node for the compliance query. + + + + + + + + + + + + + + + EncryptionCompliance + + + + + Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: 0 - not encrypted, 1 - encrypted + + + + + + + + + + + + + + + + + TPM + + + + + Node for the TPM query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + SpecificationVersion + + + + + Not available + String that specifies the specification version. + + + + + + + + + + + + + + + + ManufacturerId + + + + + Not available + String that specifies the TPM manufacturer ID as a number. + + + + + + + + + + + + + + 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387 + 1.5 + + + + + ManufacturerIdTxt + + + + + Not available + String that specifies the TPM manufacturer ID as text. + + + + + + + + + + + + + + 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387 + 1.5 + + + + + ManufacturerVersion + + + + + Not available + String that specifies the manufacturer version. 
+ + + + + + + + + + + + + + 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387 + 1.5 + + + + + + OS + + + + + Node for the OS query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + Edition + + + + + Not available + String that specifies the OS edition. + + + + + + + + + + + + + + + + Mode + + + + + Not available + Read only node that specifies the device mode. Valid values: 0 - the device is in standard configuration, 1 - the device is in S mode configuration + + + + + + + + + + + + + + 10.0.17134 + 1.4 + + + + + + Antivirus + + + + + Node for the antivirus query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + SignatureStatus + + + + + 1 + Integer that specifies the status of the antivirus signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 (default) - The security software reports that it is the most recent version. 2 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) If more than one antivirus provider is active, this node returns: 1 – If every active antivirus provider has a valid signature status. 0 – If any of the active antivirus providers has an invalid signature status. + + + + + + + + + + + + + + + + Status + + + + + 3 + Integer that specifies the status of the antivirus. Valid values: 0 – Antivirus is on and monitoring, 1 – Antivirus is disabled, 2 – Antivirus is not monitoring the device/PC or some options have been turned off, 3 (default) – Antivirus is temporarily not completely monitoring the device/PC, 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + + + + + + + + + + + + + + + + + Antispyware + + + + + Node for the antispyware query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + SignatureStatus + + + + + 1 + Integer that specifies the status of the antispyware signature. 
Valid values: 0 - The security software reports that it is not the most recent version. 1 - The security software reports that it is the most recent version. 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) If more than one antispyware provider is active, this node returns: 1 – If every active antispyware provider has a valid signature status. 0 – If any of the active antispyware providers has an invalid signature status. + + + + + + + + + + + + + + + + Status + + + + + 3 + Integer that specifies the status of the antispyware. Valid values: 0 - The status of the security provider category is good and does not need user attention. 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). 2 - The status of the security provider category is poor and the computer may be at risk. 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. + + + + + + + + + + + + + + + + + Firewall + + + + + Node for the firewall query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + Status + + + + + 3 + Integer that specifies the status of the firewall. Valid values: 0 – Firewall is on and monitoring, 1 – Firewall has been disabled, 2 – Firewall is not monitoring all networks or some rules have been turned off, 3 (default) – Firewall is temporarily not monitoring all networks, 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + + + + + + + + + + + + + + + + + UAC + + + + + Node for the UAC query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + Status + + + + + Integer that specifies the status of the UAC. + + + + + + + + + + + + + + + + + Battery + + + + + Node for the battery query. 
+ + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + Status + + + + + 0 + Integer that specifies the status of the battery + + + + + + + + + + + + + + + + EstimatedChargeRemaining + + + + + 0 + Integer that specifies the estimated battery charge remaining. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + + + + + + + + + + + + + + + + EstimatedRuntime + + + + + 0 + Integer that specifies the estimated runtime of the battery. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + + + + + + + + + + + + + + + + + DomainName + + + + + Returns the fully qualified domain name of the device(if any). + + + + + + + + + + DomainName + + + + + 10.0.17134 + 1.3 + + + + + DeviceGuard + + + + + Node for Device Guard query. + + + + + + + + + + + + + + 10.0.17134 + 1.3 + + + + VirtualizationBasedSecurityHwReq + + + + + Virtualization-based security hardware requirement status. The value is a 256 value bitmask. 0x0: System meets hardware configuration requirements, 0x1: SecureBoot required, 0x2: DMA Protection required, 0x4: HyperV not supported for Guest VM, 0x8: HyperV feature is not available + + + + + + + + + + + + + + + + VirtualizationBasedSecurityStatus + + + + + Virtualization-based security status. Value is one of the following: 0 - Running, 1 - Reboot required, 2 - 64 bit architecture required, 3 - not licensed, 4 - not configured, 5 - System doesn't meet hardware requirements, 42 – Other. 
Event logs in Microsoft-Windows-DeviceGuard have more details + + + + + + + + + + + + + + + + LsaCfgCredGuardStatus + + + + + Local System Authority (LSA) credential guard status. 0 - Running, 1 - Reboot required, 2 - Not licensed for Credential Guard, 3 - Not configured, 4 - VBS not running + + + + + + + + + + + + + + + + HypervisorEnforcedCodeIntegrityStatus + + + + + Hypervisor Enforced Code Integrity (HVCI) status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - VBS not running + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + + SystemGuardStatus + + + + + System Guard status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - System doesn't meet hardware requirements + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + + + DMA + + + + + Node for DMA query. + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + BootDMAProtectionStatus + + + + + Boot DMA Protection status. 1 - Enabled, 2 - Disabled + + + + + + + + + + + + + + + + + CertAttestation + + + + + Node for Certificate Attestation + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.1165 + 1.5 + + + + MDMClientCertAttestation + + + + + MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields. + + + + + + + + + + + + + + + + ``` + +## Related articles + +[DeviceStatus configuration service provider reference](devicestatus-csp.md) diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index eeef8c18ab..8f4dd5b955 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md 
@@ -1,84 +1,329 @@ --- title: DevInfo CSP -description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. -ms.reviewer: +description: Learn more about the DevInfo CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # DevInfo CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The DevInfo configuration service provider handles the managed object, which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -For the DevInfo CSP, you can't use the Replace command unless the node already exists. +For the DevInfo CSP, you can't use the Replace command unless the node already exists. The OMA Client provisioning protocol isn't supported by this configuration service provider. + -The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider. 
+ +The following list shows the DevInfo configuration service provider nodes: +- ./DevInfo + - [DevId](#devid) + - [DmV](#dmv) + - [Ext](#ext) + - [ICCID](#exticcid) + - [Lang](#lang) + - [Man](#man) + - [Mod](#mod) + + + +## DevId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/DevId ``` -. -DevInfo -----DevId -----Man -----Mod -----DmV -----Lang -``` + -**DevId** -Required. Returns an application-specific global unique device identifier by default. + + +An unique device identifier. An application-specific global unique device identifier is provided in this node. + -Supported operation is Get. - -The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows: + + +**UseHWDevID** node of the [DMAcc configuration service provider](dmacc-csp.md) can be used to modify the return value to instead return a hardware device ID as follows: - For GSM phones, the IMEI is returned. - For CDMA phones, the MEID is returned. - For dual SIM phones, this value is retrieved from the UICC of the primary data line. -- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID. +- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), an application specific global unique identifier (GUID) is returned irrespective of the value of UseHWDevID. + -**Man** -Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer. + +**Description framework properties**: -If no name is found, this returns to "Unknown". +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operation is Get. + + + -**Mod** -Required. Returns the name of the hardware device model as specified by the mobile operator. 
For Windows 10/Windows 11 desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName. + -If no name is found, this returns to "Unknown". + +## DmV -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**DmV** -Required. Returns the current management client revision of the device. + +```Device +./DevInfo/DmV +``` + -Supported operation is Get. + + +The current management client revision of the device. + -**Lang** -Required. Returns the current user interface (UI) language setting of the device as defined by RFC1766. + + + -Supported operation is Get. + +**Description framework properties**: -## Related topics +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -[Configuration service provider reference](index.yml) + + + + + + + +## Ext + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Ext +``` + + + + +Parent node for nodes extended by Microsoft. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Ext/ICCID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Ext/ICCID +``` + + + + +Retrieves the ICCID of the first adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Lang + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Lang +``` + + + + +Returns the current user interface (UI) language setting of the device as defined by RFC1766. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Man + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Man +``` + + + + +Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer. If no name is found, this returns "Unknown". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Mod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Mod +``` + + + + +Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName. If no name is found, this returns "Unknown". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index dca49363e3..633bc085bd 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md 
@@ -1,177 +1,207 @@ --- title: DevInfo DDF file -description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the DevInfo configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # DevInfo DDF file -This topic shows the OMA DM device description framework (DDF) for the **DevInfo** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the DevInfo configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + DevInfo + . + + + + + The interior node holding all devinfo objects + + + + + + + + + + The interior node holding all devinfo objects + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - DevInfo - . - - - - - - - - - - - - - - The interior node holding all devinfo objects - - urn:oma:mo:oma-dm-devinfo:1.0 - - 1 - - - DevId - - - - - An unique device identifier. An application-specific global unique device identifier is provided in this node. - - - - - - - - - - - text/plain - - 1 - - - - Man - - - - - - - - - - - - - - - text/plain - - 1 - - - - Mod - - - - - Device model name, as specified and tracked by the mobile operator - - - - - - - - - - - text/plain - - 1 - - - - DmV - - - - - The current management client revision of the device. 
- - - - - - - - - - - text/plain - - 1 - - - - Lang - - - - - The current language at the device user interface. - - - - - - - - - - - text/plain - - 1 - - + DevId + + + + + An unique device identifier. An application-specific global unique device identifier is provided in this node. + + + + + + + + + + + + + + + Man + + + + + Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer. If no name is found, this returns "Unknown". + + + + + + + + + + + + + + + + Mod + + + + + Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName. If no name is found, this returns "Unknown". + + + + + + + + + + + + + + + + DmV + + + + + The current management client revision of the device. + + + + + + + + + + + + + + + + Lang + + + + + Returns the current user interface (UI) language setting of the device as defined by RFC1766. + + + + + + + + + + + + + + + + Ext + + + + + Parent node for nodes extended by Microsoft. + + + + + + + + + + + + + + + ICCID + + + + + Retrieves the ICCID of the first adapter. + + + + + + + + + + + + + + + + ``` -## Related topics - - -[DevInfo configuration service provider](devinfo-csp.md) - -  - -  - - - - - +## Related articles +[DevInfo configuration service provider reference](devinfo-csp.md) diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 7f88c701b6..34dbe6281b 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md 
@@ -1,110 +1,239 @@ --- title: DiagnosticLog CSP -description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area. -ms.reviewer: +description: Learn more about the DiagnosticLog CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2019 +ms.topic: reference --- + + + # DiagnosticLog CSP -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the DiagnosticLog configuration service provider nodes: -The DiagnosticLog configuration service provider (CSP) provides the following feature areas: -- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting. -- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size. -- [EtwLog area](#etwlog-area). Control ETW trace sessions. -- [DeviceStateData area](#devicestatedata-area). Provide more device information. -- [FileDownload area](#filedownload-area). Pull trace and state data directly from the device. 
+- ./Vendor/MSFT/DiagnosticLog + - [DeviceStateData](#devicestatedata) + - [MdmConfiguration](#devicestatedatamdmconfiguration) + - [DiagnosticArchive](#diagnosticarchive) + - [ArchiveDefinition](#diagnosticarchivearchivedefinition) + - [ArchiveResults](#diagnosticarchivearchiveresults) + - [EtwLog](#etwlog) + - [Channels](#etwlogchannels) + - [{ChannelName}](#etwlogchannelschannelname) + - [Export](#etwlogchannelschannelnameexport) + - [Filter](#etwlogchannelschannelnamefilter) + - [State](#etwlogchannelschannelnamestate) + - [Collectors](#etwlogcollectors) + - [{CollectorName}](#etwlogcollectorscollectorname) + - [LogFileSizeLimitMB](#etwlogcollectorscollectornamelogfilesizelimitmb) + - [Providers](#etwlogcollectorscollectornameproviders) + - [{ProviderGuid}](#etwlogcollectorscollectornameprovidersproviderguid) + - [Keywords](#etwlogcollectorscollectornameprovidersproviderguidkeywords) + - [State](#etwlogcollectorscollectornameprovidersproviderguidstate) + - [TraceLevel](#etwlogcollectorscollectornameprovidersproviderguidtracelevel) + - [TraceControl](#etwlogcollectorscollectornametracecontrol) + - [TraceLogFileMode](#etwlogcollectorscollectornametracelogfilemode) + - [TraceStatus](#etwlogcollectorscollectornametracestatus) + - [FileDownload](#filedownload) + - [DMChannel](#filedownloaddmchannel) + - [{FileContext}](#filedownloaddmchannelfilecontext) + - [BlockCount](#filedownloaddmchannelfilecontextblockcount) + - [BlockData](#filedownloaddmchannelfilecontextblockdata) + - [BlockIndexToRead](#filedownloaddmchannelfilecontextblockindextoread) + - [BlockSizeKB](#filedownloaddmchannelfilecontextblocksizekb) + - [DataBlocks](#filedownloaddmchannelfilecontextdatablocks) + - [{BlockNumber}](#filedownloaddmchannelfilecontextdatablocksblocknumber) + - [Policy](#policy) + - [Channels](#policychannels) + - [{ChannelName}](#policychannelschannelname) + - [ActionWhenFull](#policychannelschannelnameactionwhenfull) + - [Enabled](#policychannelschannelnameenabled) + - 
[MaximumFileSize](#policychannelschannelnamemaximumfilesize) + - [SDDL](#policychannelschannelnamesddl) + -The links to different versions of the DiagnosticLog CSP DDF files are: -- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4) -- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) -- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) + +## DeviceStateData + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -The following example shows the DiagnosticLog CSP in tree format. - + +```Device +./Vendor/MSFT/DiagnosticLog/DeviceStateData ``` -./Vendor/MSFT/DiagnosticLog -----EtwLog ---------Collectors -------------CollectorName -----------------TraceStatus -----------------TraceLogFileMode -----------------TraceControl -----------------LogFileSizeLimitMB -----------------Providers ---------------------ProviderGuid -------------------------Keywords -------------------------TraceLevel -------------------------State ---------Channels -------------ChannelName -----------------Export -----------------State -----------------Filter -----DeviceStateData ---------MdmConfiguration -----FileDownload ---------DMChannel -------------FileContext -----------------BlockSizeKB -----------------BlockCount -----------------BlockIndexToRead -----------------BlockData -----------------DataBlocks ---------------------BlockNumber + + + + +Root node of all types of device state data that CSP exposes. + + + + +The DeviceStateData functionality within the DiagnosticLog CSP provides extra device information. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### DeviceStateData/MdmConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration ``` + -**./Vendor/MSFT/DiagnosticLog** -The root node for the DiagnosticLog CSP. + + +This node is to trigger snapping of the Device Management state data with "SNAP". + -Rest of the nodes in the DiagnosticLog CSP are described within their respective feature area sections. + + + -## DiagnosticArchive area + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + + +**Example**: + +```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration + + + chr + + SNAP + + + + + +``` + + + + + +## DiagnosticArchive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/DiagnosticArchive +``` + + + + +Root note for archive definition and collection. + + + + The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files. > [!NOTE] > DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope. + -The following section describes the nodes for the DiagnosticArchive functionality. + +**Description framework properties**: -**DiagnosticArchive** -Added in version 1.4 of the CSP in Windows 10, version 1903. Root node for the DiagnosticArchive functionality. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The supported operation is Get. + + + -**DiagnosticArchive/ArchiveDefinition** -Added in version 1.4 of the CSP in Windows 10, version 1903. + -The supported operations are Add and Execute. + +### DiagnosticArchive/ArchiveDefinition -The data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -Expected value: -Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip". + +```Device +./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveDefinition +``` + -With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML. + + + -The following example shows a `Collection` XML: + + +Execute action for this node accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified **SasUrl**. The zipped filename format is `DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip`. + +With Windows 10 KB5011543 and Windows 11 KB5011563, there is additional support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML. The following example shows a `Collection` XML: ``` xml 
@@ -125,31 +254,24 @@ The following example shows a `Collection` XML: The XML should include the following elements within the `Collection` element: -**ID**: -The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server. +- **ID**: The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server. +- **SasUrl**: The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could: + - Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container + - Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container + - Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value. -**SasUrl** -The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. 
For example, the device management service could: +Additionally, the XML may include **One or more data gathering directives, which may include any of the following:** -- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container -- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container -- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value. - -**One or more data gathering directives, which may include any of the following:** - -- **RegistryKey** - - Exports all of the key names and values under a given path (recursive). +- **RegistryKey**: Exports all of the key names and values under a given path (recursive). - Expected input value: Registry path such as "HKLM\Software\Policies". - Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command. - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those paths that're under HKLM and HKCR. -- **Events** - - Exports all events from the named Windows event log. +- **Events**: Exports all events from the named Windows event log. - Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational". - Output format: Creates an .evtx file. -- **Commands** - - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. +- **Commands**: This directive type allows the execution of specific commands such as ipconfig.exe. 
Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`. - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands that may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed: @@ -172,8 +294,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - %windir%\\system32\\MdmDiagnosticsTool.exe - %windir%\\system32\\pnputil.exe -- **FoldersFiles** - - Captures log files from a given path (without recursion). +- **FoldersFiles**: Captures log files from a given path (without recursion). - Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log". - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed: - %PROGRAMFILES% 
@@ -193,20 +314,65 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - .evtx - .etl -- **OutputFileFormat** - - Flattens folder structure, instead of having individual folders for each directive in the XML. - - The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure. +- **OutputFileFormat**: Flattens folder structure, instead of having individual folders for each directive in the XML. + - The value "Flattened" is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure. + -**DiagnosticArchive/ArchiveResults** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run. + +**Description framework properties**: -The supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get, Replace | + -The data type is string. + + + -A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above: + -``` xml + +### DiagnosticArchive/ArchiveResults + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults +``` + + + + +Pull up the results of the last archive run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**Example**: + +A Get to the above URI will return the results of the data gathering for the last diagnostics request. For example: + +```xml @@ -250,11 +416,2373 @@ A Get to the above URI will return the results of the data gathering for the las ``` -Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, the mdmdiagnosticstool.exe command failed. +To learn how to read the resulting data, see [How to review ArchiveResults](#how-to-review-archiveresults). + -### Making use of the uploaded data + -The zip archive that is created and uploaded by the CSP contains a folder structure like the following example: + +## EtwLog + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog +``` + + + + +Root node of all types of event logging nodes that CSP manages. + + + + +The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing: + +- [Collector-based tracing](#etwlogcollectors) +- [Channel-based tracing](#etwlogchannels) + +The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](/windows/win32/etw/about-event-tracing). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### EtwLog/Channels + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels +``` + + + + +Root node of registered "Channel" nodes. + + + + +The type of event tracing exports event data from a specific channel. Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin. + +The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node. + +For each channel node, the user can: + +- Export channel event data into a log file (.evtx). +- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel. +- Specify an XPath query to filter events while exporting the channel event data. + +For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](../diagnose-mdm-failures-in-windows-10.md). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### EtwLog/Channels/{ChannelName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/{ChannelName} +``` + + + + +Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin" | + + + + +**Examples**: + +- Add a channel + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin + + + node + + + + + + + ``` + +- Delete a channel + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin + + + + + + + ``` + + + + + +##### EtwLog/Channels/{ChannelName}/Export + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/{ChannelName}/Export +``` + + + + +This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + +**Example**: + +```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export + + + + + + +``` + + + + + +##### EtwLog/Channels/{ChannelName}/Filter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/{ChannelName}/Filter +``` + + + + +This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | "" | + + + + +**Example**: + +```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter + + + + + + +``` + + + + + +##### EtwLog/Channels/{ChannelName}/State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/{ChannelName}/State +``` + + + + +This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | Channel is enabled. | +| false | Channel is disabled. | + + + + +**Examples**: + +- Get channel State: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State + + + + + + + ``` + +- Set channel State: + + ```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State + + + bool + + false + + + + + + ``` + + + + + +### EtwLog/Collectors + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors +``` + + + + +Root node of registered "Collector" nodes. + + + + +This type of event tracing collects event data from a collection of registered ETW providers. An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector. + +The `{CollectorName}` must be unique within the CSP and must not be a valid event channel name or a provider GUID. + +The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node. + +For each collector node, the user can: + +- Start or stop the session with all registered and enabled providers. +- Query session status. +- Change trace log file mode. +- Change trace log file size limit. + +The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector. + +For each registered provider in this collector, the user can: + +- Specify keywords to filter events from this provider. +- Change trace level to filter events from this provider. +- Enable or disable the provider in the trace session. + +The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress. + +> [!NOTE] +> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + +**Example**: + +To gather diagnostics using this CSP: + +1. Specify a *CollectorName* for the container of the target ETW providers. +2. (Optional) Set logging and log file parameters using the following options: + - [TraceLogFileMode](#etwlogcollectorscollectornametracelogfilemode) + - [LogFileSizeLimitMB](#etwlogcollectorscollectornamelogfilesizelimitmb) +3. Indicate one or more target ETW providers by supplying its **ProviderGUID** to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*. +4. (Optional) Set logging and log file parameters using the following options: + - [TraceLevel](#etwlogcollectorscollectornameprovidersproviderguidtracelevel) + - [Keywords](#etwlogcollectorscollectornameprovidersproviderguidkeywords) +5. Start logging using **TraceControl** EXECUTE command "START". +6. Perform actions on the target device that will generate activity in the log files. +7. Stop logging using **TraceControl** EXECUTE command "STOP". +8. Collect the log file located in the `%temp%` folder using the **Reading a log file** method described in [FileDownload](#filedownload). + + + + + +#### EtwLog/Collectors/{CollectorName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName} +``` + + + + +Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + +**Examples**: + +- Add a collector + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement + + + node + + + + + + + ``` + +- Delete a collector + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement + + + + + + + ``` + + + + + +##### EtwLog/Collectors/{CollectorName}/LogFileSizeLimitMB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/LogFileSizeLimitMB +``` + + + + +This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[1-2048]` | +| Default Value | 4 | + + + + + + + + + +##### EtwLog/Collectors/{CollectorName}/Providers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers +``` + + + + +Root node of all providers registered in this collector node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid} +``` + + + + +Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: The node name must be a valid provider GUID. | + + + + +**Examples**: + +- Add a provider: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b + + + node + + + + + + + ``` + +- Delete a provider: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b + + + + + + + ``` + + + + + +###### EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/Keywords + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/Keywords +``` + + + + +This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | "0" | + + + + +**Examples**: + +- Get provider Keywords: + + ```xml + + + + 1 + + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords + + + + + + + + ``` + +- Set provider Keywords: + + ```xml + + + + 4 + + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords + + + + chr + text/plain + + 12345678FFFFFFFF + + + + + + ``` + + + + + +###### EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/State +``` + + + + +This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true (Default) | Provider is enabled in the trace session. This is the default. | +| false | Provider is disabled in the trace session. | + + + + +**Example**: + +Set provider State: + +```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State + + + bool + + false + + + + + +``` + + + + + +###### EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/TraceLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/TraceLevel +``` + + + + +This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 5 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | TRACE_LEVEL_CRITICAL - Abnormal exit or termination events. | +| 2 | TRACE_LEVEL_ERROR - Severe error events. | +| 3 | TRACE_LEVEL_WARNING - Warning events such as allocation failures. | +| 4 | TRACE_LEVEL_INFORMATION - Non-error events, such as entry or exit events. | +| 5 (Default) | TRACE_LEVEL_VERBOSE - Detailed information. | + + + + +**Example**: + +Set provider TraceLevel: + +```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel + + + int + + 1 + + + + + +``` + + + + + +##### EtwLog/Collectors/{CollectorName}/TraceControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/TraceControl +``` + + + + +This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| START | Start log tracing. | +| STOP | Stop log tracing. | + + + + +**Examples**: + +After you've added a logging task, you can start/stop a trace by running an Execute command on this node. + +- Start collector trace logging: + + ```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl + + + chr + + START + + + + + + ``` + +- Stop collector trace logging: + + ```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl + + + chr + + STOP + + + + + + ``` + + + + + +##### EtwLog/Collectors/{CollectorName}/TraceLogFileMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/TraceLogFileMode +``` + + + + +This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | EVENT_TRACE_FILE_MODE_SEQUENTIAL-Writes events to a log file sequentially. It stops when the file reaches its maximum size. | +| 2 | EVENT_TRACE_FILE_MODE_CIRCULAR-Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. | + + + + + + + + + +##### EtwLog/Collectors/{CollectorName}/TraceStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/TraceStatus +``` + + + + +This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## FileDownload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload +``` + + + + +Root node of all csp nodes that are related to log file download in csp. + + + + +The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device. + +**Reading a log file**: + +1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**. +2. Select a log file in the Enumeration result. +3. Set **BlockSizeKB** per DM server payload limitation. +4. Get **BlockCount** to determine total read request. +5. Set **BlockIndexToRead** to initialize read start point. +6. Get **BlockData** for upload log block. +7. Increase **BlockIndexToRead**. +8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### FileDownload/DMChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel +``` + + + + +Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### FileDownload/DMChannel/{FileContext} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext} +``` + + + + +Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. | + + + + + + + + + +##### FileDownload/DMChannel/{FileContext}/BlockCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/BlockCount +``` + + + + +This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: + +```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount + + + + + + +``` + + + + + +##### FileDownload/DMChannel/{FileContext}/BlockData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/BlockData +``` + + + + +This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get | + + + + +**Example**: + +```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData + + + + + + +``` + + + + + +##### FileDownload/DMChannel/{FileContext}/BlockIndexToRead + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/BlockIndexToRead +``` + + + + +This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). + + + + +**Example**: + +- Set BlockIndexToRead at 0: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead + + + int + + 0 + + + + + + ``` + +- Set BlockIndexToRead at 1: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead + + + int + + 1 + + + + + + ``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + + + + + + + +##### FileDownload/DMChannel/{FileContext}/BlockSizeKB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/BlockSizeKB +``` + + + + +This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[1-16]` | +| Default Value | 4 | + + + + +**Examples**: + +- Set BlockSizeKB: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB + + + int + + 1 + + + + + + ``` + +- Get BlockSizeKB: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB + + + + + + + ``` + + + + + +##### FileDownload/DMChannel/{FileContext}/DataBlocks + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/DataBlocks +``` + + + + +Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### FileDownload/DMChannel/{FileContext}/DataBlocks/{BlockNumber} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/DataBlocks/{BlockNumber} +``` + + + + +Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +## Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy +``` + + + + +Contains policy for diagnostic settings. + + + + +This can be used to configure Windows event log policies, such as maximum log size. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Policy/Channels + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels +``` + + + + +Contains policy for Event Log channel settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Policy/Channels/{ChannelName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName} +``` + + + + +Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: The node name must be a valid Windows event log channel name, such as Microsoft-Client-Licensing-Platform%2FAdmin. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. | + + + + +**Examples**: + +- Add Channel + + ```xml + + ​ + ​ + 2​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + node​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Delete Channel + + ```xml + + ​ + ​ + 3​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get Channel + + ```xml + + ​ + ​ + 4​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + + + + + +##### Policy/Channels/{ChannelName}/ActionWhenFull + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName}/ActionWhenFull +``` + + + + +Action to take when the log file reaches maximum size. "Truncate", "Overwrite", "Archive". + + + + +If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Truncate | When the log file reaches its maximum file size, new events are not written to the log and are lost. | +| Overwrite | When the log file reaches its maximum file size, new events overwrite old events. | +| Archive | When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. 
| + + + + +**Examples**: + +- Add **ActionWhenFull** + + ```xml + + ​ + ​ + 14​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + Archive​ + ​ + ​ + ​ + ​ + + ``` + +- Delete **ActionWhenFull** + + ```xml + + ​ + ​ + 15​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get **ActionWhenFull** + + ```xml + + ​ + ​ + 13​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Replace **ActionWhenFull** + + ```xml + + ​ + ​ + 16​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + Truncate​ + ​ + ​ + ​ + ​ + + ``` + + + + + +##### Policy/Channels/{ChannelName}/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName}/Enabled +``` + + + + +This policy setting specifies whether the channel should be enabled or disabled. Set value to TRUE to enable and FALSE to disable. + + + + +If you disable or don't configure this policy setting, the locally configured value is used as default. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | Enables the channel. | +| false | Disables the channel. | + + + + +**Examples**: + +- Add **Enabled** + + ```xml + + ​ + ​ + 18​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + bool​ + text/plain​ + ​ + TRUE​ + ​ + ​ + ​ + ​ + + ``` + +- Delete **Enabled** + + ```xml + + ​ + ​ + 19​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get **Enabled** + + ```xml + + ​ + ​ + 17​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Replace **Enabled** + + ```xml + + ​ + ​ + 20​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + bool​ + text/plain​ + ​ + FALSE​ + ​ + ​ + ​ + ​ + + ``` + + + + + +##### Policy/Channels/{ChannelName}/MaximumFileSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName}/MaximumFileSize +``` + + + + +Maximum size of the channel log file in MB. + + + + +- If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. +- If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-2000000]` | +| Default Value | 1 | + + + + +**Examples**: + +- Add **MaximumFileSize** + + ```xml + + ​ + ​ + 6​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + int​ + text/plain​ + ​ + 3​ + ​ + ​ + ​ + ​ + + ``` + +- Delete **MaximumFileSize** + + ```xml + + ​ + ​ + 7​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get **MaximumFileSize** + + ```xml + + ​ + ​ + 5​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Replace **MaximumFileSize** + + ```xml + + ​ + ​ + 8​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + int​ + text/plain​ + ​ + 5​ + ​ + ​ + ​ + ​ + + ``` + + + + + +##### Policy/Channels/{ChannelName}/SDDL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName}/SDDL +``` + + + + +SDDL String controlling access to the channel. For more information, see [ChannelType Complex Type](/windows/win32/wes/eventmanifestschema-channeltype-complextype). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Case Sensitive | True | + + + + +**Examples**: + +- Add **SDDL** + + ```xml + + ​ + ​ + 10​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + YourSDDL​ + ​ + ​ + ​ + ​ + + ``` + +- Delete **SDDL** + + ```xml + + ​ + ​ + 11​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get **SDDL** + + ```xml + + ​ + ​ + 9​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Replace **SDDL** + + ```xml + + ​ + ​ + 12​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + YourNewSDDL​ + ​ + ​ + ​ + ​ + + ``` + + + + + + +## Comparing FileDownload and DiagnosticArchive + +Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows. + +- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. 
+- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT. + +## How to review ArchiveResults + +The zip archive that is created and uploaded by [ArchiveResults](#diagnosticarchivearchiveresults) contains a folder structure like the following example: ```powershell PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z @@ -268,8 +2796,7 @@ la--- 1/4/2021 2:45 PM 2 la--- 12/2/2020 6:27 PM 2701 results.xml ``` -Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. -For example, the first directive was: +Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, the first directive was: ```xml @@ -294,8 +2821,10 @@ Administrators can apply automation to 'results.xml' to create their own preferr ```powershell Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} ``` + This example produces output similar to the following output: -``` + +```text DirectiveNumber DirectiveHRESULT DirectiveInput --------------- ---------------- -------------- 1 0 HKLM\Software\Policies 
@@ -351,7 +2880,8 @@ foreach( $element in $resultElements ) #endregion Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse ``` -That example script produces a set of files similar to the following set of files, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or refer to `results.xml` repeatedly: + +This example script produces a set of files similar to the following set of files, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or refer to `results.xml` repeatedly: ```powershell PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name 
@@ -369,1312 +2899,10 @@ PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_format 1591 (09) (_windir__system32_ping_exe_-n_50_localhost) (0x00000000) output.log 5192 (10) (_windir__system32_Dsregcmd_exe__status) (0x00000000) output.log ``` + -## Policy area + -The Policy functionality within the DiagnosticLog CSP configures Windows event log policies, such as maximum log size. +## Related articles -The following section describes the nodes for the Policy functionality. - -**Policy** -Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log. - -The supported operation is Get. - -**Policy/Channels** -Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains Event Log channel settings. - -The supported operation is Get. - -**Policy/Channels/_ChannelName_** -Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When the name is being specified in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. - -Supported operations are Add, Delete, and Get. - -Add **Channel** - -``` xml - - ​ - ​ - 2​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - node​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Delete **Channel** - -``` xml - - ​ - ​ - 3​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **Channel** - -``` xml - - ​ - ​ - 4​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/MaximumFileSize** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes. 
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. - -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is integer. - -Add **MaximumFileSize** - -``` xml - - ​ - ​ - 6​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - int​ - text/plain​ - ​ - 3​ - ​ - ​ - ​ - ​ - -``` - -Delete **MaximumFileSize** - -``` xml - - ​ - ​ - 7​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **MaximumFileSize** - -``` xml - - ​ - ​ - 5​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **MaximumFileSize** - -``` xml - - ​ - ​ - 8​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - int​ - text/plain​ - ​ - 5​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/SDDL** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting represents SDDL string controlling access to the channel. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is string. 
- -Default string is as follows: - -`https://learn.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype` - -Add **SDDL** - -``` xml - - ​ - ​ - 10​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - YourSDDL​ - ​ - ​ - ​ - ​ - -``` - -Delete **SDDL** - -``` xml - - - ​ - ​ - 11​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **SDDL** - -``` xml - - ​ - ​ - 9​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **SDDL** - -``` xml - - ​ - ​ - 12​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - YourNewSDDL​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/ActionWhenFull** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting controls Event Log behavior when the log file reaches its maximum size. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is string. - -The following are the possible values: -- Truncate—When the log file reaches its maximum file size, new events aren't written to the log and are lost. -- Overwrite—When the log file reaches its maximum file size, new events overwrite old events. -- Archive—When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value isn't set, the new file is saved in the same directory as current log file. - -If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration. 
- -If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration. - -Add **ActionWhenFull** - -``` xml - - ​ - ​ - 14​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - Archive​ - ​ - ​ - ​ - ​ - -``` - -Delete **ActionWhenFull** - -``` xml - - ​ - ​ - 15​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **ActionWhenFull** - -``` xml - - ​ - ​ - 13​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **ActionWhenFull** - -``` xml - - ​ - ​ - 16​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - Truncate​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/Enabled** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies whether the channel should be enabled or disabled. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is boolean. - -The following are the possible values: - -- TRUE—Enables the channel. -- FALSE—Disables the channel. - -If you disable or don't configure this policy setting, the locally configured value is used as default. 
- -Get **Enabled** - -``` xml - - ​ - ​ - 17​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Add **Enabled** - -``` xml - - ​ - ​ - 18​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - bool​ - text/plain​ - ​ - TRUE​ - ​ - ​ - ​ - ​ - -``` - -Delete **Enabled** - -``` xml - - ​ - ​ - 19​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **Enabled** - -``` xml - - ​ - ​ - 20​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - bool​ - text/plain​ - ​ - FALSE​ - ​ - ​ - ​ - ​ - -``` - -## EtwLog area - -The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing: - -- [Collector-based tracing](#collector-based-tracing) -- [Channel-based tracing](#channel-based-tracing) - -The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](/windows/win32/etw/about-event-tracing). - -### Collector-based tracing - -This type of event tracing collects event data from a collection of registered ETW providers. - -An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector. - -The *CollectorName* must be unique within the CSP and must not be a valid event channel name or a provider GUID. - -The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node. - -For each collector node, the user can: - -- Start or stop the session with all registered and enabled providers. -- Query session status. -- Change trace log file mode. -- Change trace log file size limit. 
- -The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector. - -For each registered provider in this collector, the user can: - -- Specify keywords to filter events from this provider. -- Change trace level to filter events from this provider. -- Enable or disable the provider in the trace session. - -The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress. - -> [!NOTE] -> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. - -### Channel-based tracing - -The type of event tracing exports event data from a specific channel. This method is only supported on the desktop. - -Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin. - -The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node. - -For each channel node, the user can: - -- Export channel event data into a log file (.evtx). -- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel. -- Specify an XPath query to filter events while exporting the channel event data. - -For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10]((../diagnose-mdm-failures-in-windows-10.md). - -To gather diagnostics using this CSP: - -1. Specify a *CollectorName* for the container of the target ETW providers. -2. 
(Optional) Set logging and log file parameters using the following options: - - - [TraceLogFileMode](#etwlog-collectors-collectorname-tracelogfilemode) - - [LogFileSizeLimitMB](#etwlog-collectors-collectorname-logfilesizelimitmb) - -3. Indicate one or more target ETW providers by supplying its **ProviderGUID** to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*. -4. (Optional) Set logging and log file parameters using the following options: - - [TraceLevel](#etwlog-collectors-collectorname-providers-providerguid-tracelevel) - - [Keywords](#etwlog-collectors-collectorname-providers-providerguid-keywords) -5. Start logging using **TraceControl** EXECUTE command “START”. -6. Perform actions on the target device that will generate activity in the log files. -7. Stop logging using **TraceControl** EXECUTE command “STOP”. -8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file). - -The following section describes the nodes for EtwLog functionality. - -**EtwLog** -Node to contain the Error Tracing for Windows log. - -The supported operation is Get. - -**EtwLog/Collectors** -Interior node to contain dynamic child interior nodes for active providers. - -The supported operation is Get. - -**EtwLog/Collectors/_CollectorName_** -Dynamic nodes to represent active collector configuration. - -Supported operations are Add, Delete, and Get. - -Add a collector - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement - - - node - - - - - - -``` - -Delete a collector - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement - - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/TraceStatus** -Specifies whether the current logging status is running. - -The data type is an integer. - -The supported operation is Get. 
- -The following table represents the possible values: - -| Value | Description | -| ----- | ----------- | -| 0 | Stopped | -| 1 | Started | - -**EtwLog/Collectors/*CollectorName*/TraceLogFileMode** -Specifies the log file logging mode. - -The data type is an integer. - -Supported operations are Get and Replace. - -The following table lists the possible values: - -| Value | Description | -| ----- | ------------------ | -| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. | -| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. | - -**EtwLog/Collectors/*CollectorName*/TraceControl** -Specifies the logging and report action state. - -The data type is a string. - -The following table lists the possible values: - -| Value | Description | -| ----- | ------------------ | -| START | Start log tracing. | -| STOP | Stop log tracing. | - -The supported operation is Execute. - -After you've added a logging task, you can start a trace by running an Execute command on this node with the value START. - -To stop the trace, running an execute command on this node with the value STOP. - -Start collector trace logging - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl - - - chr - - START - - - - - -``` - -Stop collector trace logging - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl - - - chr - - STOP - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/LogFileSizeLimitMB** -Sets the log file size limit, in MB. - -The data type is an integer. - -Valid values are 1-2048. The default value is 4. - -Supported operations are Get and Replace. - -**EtwLog/Collectors/*CollectorName*/Providers** -Interior node to contain dynamic child interior nodes for active providers. 
- -The supported operation is Get. - -**EtwLog/Collectors/*CollectorName*/Providers/_ProviderGUID_** -Dynamic nodes to represent active provider configuration per provider GUID. - -> [!NOTE] -> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. - -Supported operations are Add, Delete, and Get. - -Add a provider - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b - - - node - - - - - - -``` - -Delete a provider - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b - - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel** -Specifies the level of detail included in the trace log. - -The data type is an integer. - -Supported operations are Get and Replace. - -The following table lists the possible values: - -| Value | Description | -| ----- | ------------------ | -| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events | -| 2 – TRACE_LEVEL_ERROR | Severe error events | -| 3 – TRACE_LEVEL_WARNING | Warning events such as allocation failures | -| 4 – TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events | -| 5 – TRACE_LEVEL_VERBOSE | Detailed information | - -Set provider **TraceLevel** - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel - - - int - - 1 - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords** -Specifies the provider keywords to be used as MatchAnyKeyword for this provider. - -The data type is a string. - -Supported operations are Get and Replace. 
- -Default value is 0 meaning no keyword. - -Get provider **Keywords** - -```xml - - - - 1 - - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords - - - - - - - -``` - -Set provider **Keywords** - -```xml - - - - 4 - - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords - - - - chr - text/plain - - 12345678FFFFFFFF - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State** -Specifies if this provider is enabled in the trace session. - -The data type is a boolean. - -Supported operations are Get and Replace. This change will be effective during active trace session. - -The following table lists the possible values: - -| Value | Description | -| ----- | ------------------ | -| TRUE | Provider is enabled in the trace session. This value is the default value. | -| FALSE | Provider is disabled in the trace session. | - -Set provider **State** - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State - - - bool - - false - - - - - -``` - -**EtwLog/Channels** -Interior node to contain dynamic child interior nodes for registered channels. - -The supported operation is Get. - -**EtwLog/Channels/_ChannelName_** -Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin" - -Supported operations are Add, Delete, and Get. 
- -Add a channel - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin - - - node - - - - - - -``` - -Delete a channel - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin - - - - - - -``` - -**EtwLog/Channels/*ChannelName*/Export** -Node to trigger the command to export channel event data into the log file. - -The supported operation is Execute. - -Export channel event data - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export - - - - - - -``` - -**EtwLog/Channels/*ChannelName*/Filter** -Specifies the XPath query string to filter the events while exporting. - -The data type is a string. - -Supported operations are Get and Replace. - -Default value is empty string. - -Get channel **Filter** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter - - - - - - -``` - -**EtwLog/Channels/*ChannelName*/State** -Specifies if the Channel is enabled or disabled. - -The data type is a boolean. - -Supported operations are Get and Replace. - -The following table lists the possible values: - -| Value | Description | -| ----- | -------------------- | -| TRUE | Channel is enabled. | -| FALSE | Channel is disabled. | - -Get channel **State** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State - - - - - - -``` - -Set channel **State** - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State - - - bool - - false - - - - - -``` - -## DeviceStateData area - -The DeviceStateData functionality within the DiagnosticLog CSP provides extra device information. - -The following section describes the nodes for the DeviceStateData functionality. 
- -**DeviceStateData** -Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed. - -**DeviceStateData/MdmConfiguration** -Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP. - -The supported value is Execute. - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration - - - chr - - SNAP - - - - - -``` - -## FileDownload area - -The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device. - -### Comparing FileDownload and DiagnosticArchive - -Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows. - -- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. -- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT. - -The following section describes the nodes for the FileDownload functionality. - -**FileDownload** -Node to contain child nodes for log file transportation protocols and corresponding actions. 
- -**FileDownload/DMChannel** -Node to contain child nodes using DM channel for transport protocol. - -**FileDownload/DMChannel/_FileContext_** -Dynamic interior nodes that represent per log file context. - -**FileDownload/DMChannel/*FileContext*/BlockSizeKB** -Sets the log read buffer, in KB. - -The data type is an integer. - -Valid values are 1-16. The default value is 4. - -Supported operations are Get and Replace. - -Set **BlockSizeKB** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB - - - int - - 1 - - - - - -``` - -Get **BlockSizeKB** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB - - - - - - -``` - -**FileDownload/DMChannel/*FileContext*/BlockCount** -Represents the total read block count for the log file. - -The data type is an integer. - -The only supported operation is Get. - -Get **BlockCount** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount - - - - - - -``` - -**FileDownload/DMChannel/*FileContext*/BlockIndexToRead** -Represents the read block start location. - -The data type is an integer. - -Supported operations are Get and Replace. - -Set **BlockIndexToRead** at 0 - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead - - - int - - 0 - - - - - -``` - -Set **BlockIndexToRead** at 1 - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead - - - int - - 1 - - - - - -``` - -**FileDownload/DMChannel/*FileContext*/BlockData** -The data type is Base64. - -The only supported operation is Get. - -Get **BlockData** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData - - - - - - -``` - -**FileDownload/DMChannel/*FileContext*/DataBlocks** -Node to transfer the selected log file block to the DM server. 
- -**FileDownload/DMChannel/*FileContext*/DataBlocks/_BlockNumber_** -The data type is Base64. - -The supported operation is Get. - -### Reading a log file - -To read a log file: - -1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**. -2. Select a log file in the Enumeration result. -3. Set **BlockSizeKB** per DM server payload limitation. -4. Get **BlockCount** to determine total read request. -5. Set **BlockIndexToRead** to initialize read start point. -6. Get **BlockData** for upload log block. -7. Increase **BlockIndexToRead**. -8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**. - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index a268523ce4..e87402d67d 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md 
@@ -1,1304 +1,81 @@ --- -title: DiagnosticLog DDF -description: Learn about the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP). -ms.reviewer: +title: DiagnosticLog DDF file +description: View the XML file containing the device description framework (DDF) for the DiagnosticLog configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- -# DiagnosticLog DDF + -This topic shows the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The content below are the latest versions of the DDF files: - -- [DiagnosticLog CSP version 1.2](#version-1-2) -- [DiagnosticLog CSP version 1.3](#version-1-3) -- [DiagnosticLog CSP version 1.4](#version-1-4) - -## DiagnosticLog CSP version 1.2 +# DiagnosticLog DDF file +The following XML file contains the device description framework (DDF) for the DiagnosticLog configuration service provider. ```xml -]> - - 1.2 - - DiagnosticLog - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.2/MDM/DiagnosticLog - - - - EtwLog - - - - - Root node of all types of event logging nodes that CSP manages. - - - - - - - - - - - - - - - Collectors - - - - - Root node of registered "Collector" nodes. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. 
Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. - - - - - - - - - - CollectorName - - - - - - TraceStatus - - - - - This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". - - - - - - - - - - - text/plain - - - - - TraceLogFileMode - - - - - - 1 - This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. - - - - - - - - - - - text/plain - - - - - TraceControl - - - - - - This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. - - - - - - - - - - - text/plain - - - - - LogFileSizeLimitMB - - - - - - 4 - This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. - - - - - - - - - - - text/plain - - - - - Providers - - - - - Root node of all providers registered in this collector node. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. - - - - - - - - - - ProviderGuid - - - - - - Keywords - - - - - - "0" - This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. 
If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - TraceLevel - - - - - - 5 - This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - State - - - - - - true - This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. - - - - - - - - - - - text/plain - - - - - - - - - Channels - - - - - Root node of registered "Channel" nodes. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - - - - - - - - - - ChannelName - - - - - - Export - - - - - - This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. - - - - - - - - - - - text/plain - - - - - State - - - - - - This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. 
Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. - - - - - - - - - - - text/plain - - - - - Filter - - - - - - "" - This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. - - - - - - - - - - - text/plain - - - - - - - - FileDownload - - - - - Root node of all csp nodes that are related to log file download in csp. - - - - - - - - - - - - - - - DMChannel - - - - - Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. - - - - - - - - - - FileContext - - - - - - BlockSizeKB - - - - - - 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. - - - - - - - - - - - text/plain - - - - - BlockCount - - - - - This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. - - - - - - - - - - - text/plain - - - - - BlockIndexToRead - - - - - - This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). 
- - - - - - - - - - - text/plain - - - - - BlockData - - - - - This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. - - - - - - - - - - - - - - - - DataBlocks - - - - - Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. - - - - - - - - - - BlockNumber - - - - - - - - - - - -``` - -## DiagnosticLog CSP version 1.3 - - -```xml - -]> - - 1.2 - - DiagnosticLog - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.3/MDM/DiagnosticLog - - - - EtwLog - - - - - Root node of all types of event logging nodes that CSP manages. - - - - - - - - - - - - - - - Collectors - - - - - Root node of registered "Collector" nodes. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. - - - - - - - - - - CollectorName - - - - - - TraceStatus - - - - - This node is used for getting the status of this collector node's associated trace session. 
1 means "in progress"; 0 means "not started or stopped". - - - - - - - - - - - text/plain - - - - - TraceLogFileMode - - - - - - 1 - This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. - - - - - - - - - - - text/plain - - - - - TraceControl - - - - - - This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. - - - - - - - - - - - text/plain - - - - - LogFileSizeLimitMB - - - - - - 4 - This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. - - - - - - - - - - - text/plain - - - - - Providers - - - - - Root node of all providers registered in this collector node. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. - - - - - - - - - - ProviderGuid - - - - - - Keywords - - - - - - "0" - This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - TraceLevel - - - - - - 5 - This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. 
If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - State - - - - - - true - This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. - - - - - - - - - - - text/plain - - - - - - - - - Channels - - - - - Root node of registered "Channel" nodes. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - - - - - - - - - - ChannelName - - - - - - Export - - - - - - This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. - - - - - - - - - - - text/plain - - - - - State - - - - - - This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. - - - - - - - - - - - text/plain - - - - - Filter - - - - - - "" - This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. 
- - - - - - - - - - - text/plain - - - - - - - - DeviceStateData - - - - - Root node of all types of device state data that CSP exposes. - - - - - - - - - - - - - - - MdmConfiguration - - - - - This node is to trigger snapping of the Device Management state data with "SNAP". - - - - - - - - - - - text/plain - - - - - - FileDownload - - - - - Root node of all csp nodes that are related to log file download in csp. - - - - - - - - - - - - - - - DMChannel - - - - - Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. - - - - - - - - - - FileContext - - - - - - BlockSizeKB - - - - - - 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. - - - - - - - - - - - text/plain - - - - - BlockCount - - - - - This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. - - - - - - - - - - - text/plain - - - - - BlockIndexToRead - - - - - - This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). - - - - - - - - - - - text/plain - - - - - BlockData - - - - - This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. 
- - - - - - - - - - - - - - - - DataBlocks - - - - - Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. - - - - - - - - - - BlockNumber - - - - - - - - - - - -``` - -## DiagnosticLog CSP version 1.4 -```xml - - -]> +]> 1.2 + + + + DiagnosticLog + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.2 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + EtwLog + + + + + Root node of all types of event logging nodes that CSP manages. + + + + + + + + + + + + + - DiagnosticLog - ./Vendor/MSFT + Collectors + Root node of registered "Collector" nodes. 
@@ -1309,36 +86,155 @@ The content below are the latest versions of the DDF files: - com.microsoft/1.4/MDM/DiagnosticLog + - EtwLog + + + + - Root node of all types of event logging nodes that CSP manages. + Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. - + - + + CollectorName - + + + + - Collectors + TraceStatus - Root node of registered "Collector" nodes. + This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". + + + + + + + + + + + + + + + + TraceLogFileMode + + + + + + 1 + This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. + + + + + + + + + + + + + + + 1 + EVENT_TRACE_FILE_MODE_SEQUENTIAL-Writes events to a log file sequentially. It stops when the file reaches its maximum size. + + + 2 + EVENT_TRACE_FILE_MODE_CIRCULAR-Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. + + + + + + TraceControl + + + + + + This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. + + + + + + + + + + + + + + + START + Start log tracing. 
+ + + STOP + Stop log tracing + + + + + + LogFileSizeLimitMB + + + + + + 4 + This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + + + + + + + + + + + + + + [1-2048] + + + + + Providers + + + + + Root node of all providers registered in this collector node. @@ -1346,21 +242,22 @@ The content below are the latest versions of the DDF files: - + - + - + + - Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. + Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. 
@@ -1370,63 +267,23 @@ The content below are the latest versions of the DDF files: - CollectorName + ProviderGuid - + + + The node name must be a valid provider GUID. + - TraceStatus - - - - - This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". - - - - - - - - - - - text/plain - - - - - TraceLogFileMode + Keywords - 1 - This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. - - - - - - - - - - - text/plain - - - - - TraceControl - - - - - - This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. + "0" + This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. 
@@ -1437,19 +294,21 @@ The content below are the latest versions of the DDF files: - text/plain + + + - LogFileSizeLimitMB + TraceLevel - 4 - This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + 5 + This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. 
@@ -1460,189 +319,30 @@ The content below are the latest versions of the DDF files: - text/plain - - - - - Providers - - - - - Root node of all providers registered in this collector node. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. - - - - - - - - - - ProviderGuid - - - - - - Keywords - - - - - - "0" - This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - TraceLevel - - - - - - 5 - This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - State - - - - - - true - This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. - - - - - - - - - - - text/plain - - - - - - - - - Channels - - - - - Root node of registered "Channel" nodes. 
- - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - - - - - - - - - - ChannelName - - - - - - Export - - - - - - This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. - - - - - - - - - - - text/plain + + + + 1 + TRACE_LEVEL_CRITICAL - Abnormal exit or termination events + + + 2 + TRACE_LEVEL_ERROR - Severe error events + + + 3 + TRACE_LEVEL_WARNING - Warning events such as allocation failures + + + 4 + TRACE_LEVEL_INFORMATION - Non-error events, such as entry or exit events + + + 5 + TRACE_LEVEL_VERBOSE - Detailed information + + @@ -1652,7 +352,8 @@ The content below are the latest versions of the DDF files: - This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. + true + This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. 
@@ -1663,63 +364,134 @@ The content below are the latest versions of the DDF files: - text/plain - - - - - Filter - - - - - - "" - This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. - - - - - - - - - - - text/plain + + + + true + Provider is enabled in the trace session. This is the default. + + + false + Provider is disabled in the trace session. + + + + + Channels + + + + + Root node of registered "Channel" nodes. + + + + + + + + + + + + + - DeviceStateData + + + + - Root node of all types of device state data that CSP exposes. + Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - + - + + ChannelName - + + + The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin" + - MdmConfiguration + Export + - This node is to trigger snapping of the Device Management state data with "SNAP". + This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. + + + + + + + + + + + + + + + + State + + + + + + This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. + + + + + + + + + + + + + + + true + Channel is enabled. + + + false + Channel is disabled. + + + + + + Filter + + + + + + "" + This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. 
Default value is empty string. 
@@ -1727,454 +499,558 @@ The content below are the latest versions of the DDF files: - + - text/plain - - - - - - FileDownload - - - - - Root node of all csp nodes that are related to log file download in csp. - - - - - - - - - - - - - - - DMChannel - - - - - Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. - - - - - - - - - - FileContext - - - - - - BlockSizeKB - - - - - - 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. - - - - - - - - - - - text/plain - - - - - BlockCount - - - - - This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. - - - - - - - - - - - text/plain - - - - - BlockIndexToRead - - - - - - This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). - - - - - - - - - - - text/plain - - - - - BlockData - - - - - This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. - - - - - - - - - - - - - - - - DataBlocks - - - - - Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. 
No children nodes exist if 'BlockCount' node's value is less than 0. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. - - - - - - - - - - BlockNumber - - - - - - - - - - - Policy - - - - - Contains policy for diagnostic settings. - - - - - - - - - - - - - - - - - - Channels - - - - - Contains policy for Event Log channel settings. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - - - - - - - - - - ChannelName - - - - - - MaximumFileSize - - - - - - - - Maximum size of the channel log file in MB. - - - - - - - - - - - text/plain - - - - - SDDL - - - - - - - - SDDL String controlling access to the channel. Default: https://learn.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype - - - - - - - - - - - - - - text/plain - - - - - ActionWhenFull - - - - - - - - Action to take when the log file reaches maximum size. "Truncate", "Overwrite", "Archive". - - - - - - - - - - - - - - text/plain - - - - - Enabled - - - - - - - - This policy setting specifies whether the channel should be enabled or disabled. Set value to TRUE to enable and FALSE to disable. - - - - - - - - - - - text/plain - - - - - - - - DiagnosticArchive - - - - - Root note for archive definition and collection. - - - - - - - - - - - - - - - ArchiveDefinition - - - - - - - - - - - - - - - - text/plain - - - - - ArchiveResults - - - - - Pull up the results of the last archive run. 
- - - - - - - - - - - - - - text/plain + + + + + + DeviceStateData + + + + + Root node of all types of device state data that CSP exposes. + + + + + + + + + + + + + + + MdmConfiguration + + + + + + This node is to trigger snapping of the Device Management state data with "SNAP". + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + FileDownload + + + + + Root node of all csp nodes that are related to log file download in csp. + + + + + + + + + + + + + + + DMChannel + + + + + Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. + + + + + + + + + + FileContext + + + + + The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. + + + + BlockSizeKB + + + + + + 4 + This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + + + + + + + + + + + + + + [1-16] + + + + + BlockCount + + + + + This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. + + + + + + + + + + + + + + + + BlockIndexToRead + + + + + + This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). 
+ + + + + + + + + + + + + + + + + + BlockData + + + + + This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. + + + + + + + + + + + + + + + + DataBlocks + + + + + Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. + + + + + + + + + + BlockNumber + + + + + + + + + + + + + + Policy + + + + + Contains policy for diagnostic settings. + + + + + + + + + + + + + + + + + 10.0.18362 + 1.4 + + + + Channels + + + + + Contains policy for Event Log channel settings. + + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + + + + ChannelName + + + + + The node name must be a valid Windows event log channel name, such as Microsoft-Client-Licensing-Platform%2FAdmin. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. + + + + MaximumFileSize + + + + + + + + 1 + Maximum size of the channel log file in MB. + + + + + + + + + + + + + + [1-2000000] + + + + + SDDL + + + + + + + + SDDL String controlling access to the channel. 
Default: https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype + + + + + + + + + + + + + + + + + + + + + ActionWhenFull + + + + + + + + Action to take when the log file reaches maximum size. "Truncate", "Overwrite", "Archive". + + + + + + + + + + + + + + + + + + Truncate + When the log file reaches its maximum file size, new events are not written to the log and are lost. + + + Overwrite + When the log file reaches its maximum file size, new events overwrite old events. + + + Archive + When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. + + + + + + Enabled + + + + + + + + This policy setting specifies whether the channel should be enabled or disabled. Set value to TRUE to enable and FALSE to disable. + + + + + + + + + + + + + + + true + Enables the channel. + + + false + Disables the channel. + + + + + + + + + DiagnosticArchive + + + + + Root note for archive definition and collection. + + + + + + + + + + + + + + 10.0.18362 + 1.4 + + + + ArchiveDefinition + + + + + + + + + + + + + + + + + + + + + + + + ArchiveResults + + + + + Pull up the results of the last archive run. + + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles - -[DiagnosticLog configuration service provider](diagnosticlog-csp.md) - -  - -  +[DiagnosticLog configuration service provider reference](diagnosticlog-csp.md) diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index aa91c7caf5..488633b587 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md 
@@ -1,317 +1,1595 @@ --- title: DMAcc CSP -description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. -ms.reviewer: +description: Learn more about the DMAcc CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # DMAcc CSP -The table below shows the applicability of Windows: + + +The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION](w7-application-csp.md) configuration service provider. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION configuration service provider](w7-application-csp.md) - -> [!Note] +> [!NOTE] >This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. For the DMAcc CSP, you can't use the Replace command unless the node already exists. + -The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. 
The OMA Client Provisioning protocol isn't supported by this configuration service provider. + +The following list shows the DMAcc configuration service provider nodes: +- ./SyncML/DMAcc + - [{AccountUID}](#accountuid) + - [AAuthPref](#accountuidaauthpref) + - [AppAddr](#accountuidappaddr) + - [{ObjectName}](#accountuidappaddrobjectname) + - [Addr](#accountuidappaddrobjectnameaddr) + - [AddrType](#accountuidappaddrobjectnameaddrtype) + - [Port](#accountuidappaddrobjectnameport) + - [{ObjectName}](#accountuidappaddrobjectnameportobjectname) + - [PortNbr](#accountuidappaddrobjectnameportobjectnameportnbr) + - [AppAuth](#accountuidappauth) + - [{ObjectName}](#accountuidappauthobjectname) + - [AAuthData](#accountuidappauthobjectnameaauthdata) + - [AAuthLevel](#accountuidappauthobjectnameaauthlevel) + - [AAuthName](#accountuidappauthobjectnameaauthname) + - [AAuthSecret](#accountuidappauthobjectnameaauthsecret) + - [AAuthType](#accountuidappauthobjectnameaauthtype) + - [AppID](#accountuidappid) + - [Ext](#accountuidext) + - [Microsoft](#accountuidextmicrosoft) + - [BackCompatRetryDisabled](#accountuidextmicrosoftbackcompatretrydisabled) + - [ConnRetryFreq](#accountuidextmicrosoftconnretryfreq) + - [CRLCheck](#accountuidextmicrosoftcrlcheck) + - [DefaultEncoding](#accountuidextmicrosoftdefaultencoding) + - [DisableOnRoaming](#accountuidextmicrosoftdisableonroaming) + - [InitialBackOffTime](#accountuidextmicrosoftinitialbackofftime) + - [InitiateSession](#accountuidextmicrosoftinitiatesession) + - [MaxBackOffTime](#accountuidextmicrosoftmaxbackofftime) + - [ProtoVer](#accountuidextmicrosoftprotover) + - [Role](#accountuidextmicrosoftrole) + - [SSLCLIENTCERTSEARCHCRITERIA](#accountuidextmicrosoftsslclientcertsearchcriteria) + - [UseHwDevID](#accountuidextmicrosoftusehwdevid) + - [UseNonceResync](#accountuidextmicrosoftusenonceresync) + - [Name](#accountuidname) + - [PrefConRef](#accountuidprefconref) + - [ServerID](#accountuidserverid) + + + +## {AccountUID} + + +| Scope | 
Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID} ``` -./SyncML -DMAcc -----* ---------AppID ---------ServerID ---------Name ---------PrefConRef ---------AppAddr -------------* -----------------Addr -----------------AddrType -----------------Port ---------------------* -------------------------PortNbr ---------AAuthPref ---------AppAuth -------------* -----------------AAuthLevel -----------------AAuthType -----------------AAuthName -----------------AAuthSecret -----------------AAuthData ---------Ext -------------Microsoft -----------------Role -----------------ProtoVer -----------------DefaultEncoding -----------------UseHwDevID -----------------ConnRetryFreq -----------------InitialBackOffTime -----------------MaxBackOffTime -----------------BackCompatRetryDisabled -----------------UseNonceResync -----------------CRLCheck -----------------DisableOnRoaming -----------------SSLCLIENTCERTSEARCHCRITERIA + + + + +This interior node acts as a placeholder for zero or more OMA DM server accounts. If this OMA DM server account is bootstrapped using the [w7 APPLICATION](w7-application-csp.md), the name of this +node is generated from the 256-bit version of SHA-2 hash of the w7 PROVIDER-ID parm. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +### {AccountUID}/AAuthPref + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AAuthPref ``` -**DMAcc** -Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol. + -***AccountUID*** -Optional. Defines the unique identifier for an OMA DM server account that uses the OMA DM version 1.2 protocol. + + +Specifies the application authentication preference. Supported values: BASIC, DIGEST. If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first. + -For a [w7 APPLICATION configuration service provider](w7-application-csp.md) bootstrapped account, this element is assigned a unique name by the OMA DM Client. The unique name is the hexadecimal representation of the 256-bit SHA-2 hash of the provider ID. The OMA DM server can change this node name in subsequent OMA DM sessions. + + + -***AccountUID*/AppID** -Required. Specifies the application identifier for the OMA DM account. + +**Description framework properties**: -This value must be set to "w7". +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -Value type is string. Supported operations are Add, Get, and Replace. + +**Allowed values**: -***AccountUID*/ServerID** -Required. Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive. +| Value | Description | +|:--|:--| +| BASIC | The client attempts BASIC authentication. | +| DIGEST | The client attempts MD5 authentication. | + -Value type is string. Supported operations are Add, Get, and Replace. + + + -***AccountUID*/Name** -Optional. Specifies the display name of the application. 
+ -Value type is string. Supported operations are Add, Get, and Replace. + +### {AccountUID}/AppAddr -***AccountUID*/PrefConRef** -Optional. Specifies the preferred connectivity for the OMA DM account. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -This element contains either a URI to a NAP management object or a connection GUID used by Connection Manager. If this element is missing, the device uses the default connection that is provided by Connection Manager. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr +``` + -Value type is string. Supported operations are Add, Get, and Replace. - -***AccountUID*/AppAddr** + + Interior node for DM server address. + -Required. + + + -**AppAddr/***ObjectName* -Required. Defines the OMA DM server address. Only one server address can be configured. + +**Description framework properties**: -When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". This DM address is the first one encountered in the w7 APPLICATION configuration service provider; other DM accounts are ignored. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + -***ObjectName*/Addr** -Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element. + + + -Value type is string. Supported operations are Add, Get, and Replace. + -***ObjectName*/AddrType** -Required. Specifies the format and interpretation of the Addr node value. The default is "URI". + +#### {AccountUID}/AppAddr/{ObjectName} -The default value of "URI" specifies that the OMA DM account address in **Addr** is a URI address. A value of "IPv4" specifies that the OMA DM account address in **Addr** is an IP address. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is string. Supported operations are Add, Get, and Replace. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName} +``` + -***ObjectName*/Port** + + +Defines the OMA DM server address. Only one server address can be configured. When mapping the [w7 APPLICATION](w7-application-csp.md) configuration service provider to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the [w7 APPLICATION](w7-application-csp.md) configuration service provider, other DM accounts are ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +##### {AccountUID}/AppAddr/{ObjectName}/Addr + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/Addr +``` + + + + +Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### {AccountUID}/AppAddr/{ObjectName}/AddrType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/AddrType +``` + + + + +Specifies the format and interpretation of the Addr node value. The default is "URI". The default value of "URI" specifies that the OMA DM account address in Addr is a URI address. A value of "IPv4" specifies that the OMA DM account address in Addr is an IP address. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Default Value | URI | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| URI (Default) | The OMA DM account address in Addr is a URI address. | +| IPv4 | The OMA DM account address in Addr is an IP address. | + + + + + + + + + +##### {AccountUID}/AppAddr/{ObjectName}/Port + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/Port +``` + + + + Interior node for port information. + -Optional. + + + -**Port/***ObjectName* -Required. Only one port number can be configured. + +**Description framework properties**: -When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + -***ObjectName*/PortNbr** -Required. Specifies the port number of the OMA MD account address. This number must be a decimal number that fits within the range of a 16-bit unsigned integer. + + + -Value type is string. Supported operations are Add, Get, and Replace. + -***AccountUID*/AAuthPref** -Optional. Specifies the application authentication preference. + +###### {AccountUID}/AppAddr/{ObjectName}/Port/{ObjectName} -A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria aren't met, then the client tries BASIC authorization first. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/Port/{ObjectName} +``` + -Value type is string. Supported operations are Add, Get, and Replace. + + +Only one port number can be configured. When mapping the [w7 APPLICATION](w7-application-csp.md) configuration service provider to the DMAcc Configuration Service Provider, the name of this element is "1". + -***AccountUID*/AppAuth** -Optional. Defines authentication settings. + + + -**AppAuth/***ObjectName* -Required. Defines one set of authentication settings. + +**Description framework properties**: -When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get, Replace | +| Dynamic Node Naming | ClientInventory | + -***ObjectName*/AAuthlevel** -Required. Specifies the application authentication level. + + + -A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. + -Value type is string. Supported operations are Add and Replace. + +###### {AccountUID}/AppAddr/{ObjectName}/Port/{ObjectName}/PortNbr -***ObjectName*/AAuthType** -Required. Specifies the authentication type. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If the AAuthlevel is "CLCRED", the supported values are "BASIC" and "DIGEST". If the AAuthlevel is "SRVCRED", the supported value is "DIGEST". + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/Port/{ObjectName}/PortNbr +``` + -Value type is string. Supported operations are Add, Get, and Replace. + + +Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer. + -***ObjectName*/AAuthName** -Optional. Specifies the authentication name. + + + -Value type is string. Supported operations are Add, Get, and Replace. + +**Description framework properties**: -***ObjectName*/AAuthSecret** -Optional. Specifies the password or secret used for authentication. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -Value type is string. Supported operations are Add and Replace. + + + -***ObjectName*/AAuthData** -Optional. Specifies the next nonce used for authentication. + -"Nonce" refers to a number used once. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in repeat attacks. + +### {AccountUID}/AppAuth -Value type is binary. Supported operations are Add and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -***AccountUID*/Ext** -Required. Defines a set of extended parameters. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAuth +``` + -This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created. + + +Defines authentication settings. + -**Ext/Microsoft** -Required. Defines a set of Microsoft-specific extended parameters. + + + -This element is created automatically when the OMA DM account is created. + +**Description framework properties**: -**Microsoft/BackCompatRetryDisabled** -Optional. Specifies whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default is "FALSE". +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + -The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled. + + + -Value type is bool. Supported operations are Add, Get, and Replace. + -**Microsoft/ConnRetryFreq** -Optional. Specifies the number of retries the DM client performs when there are Connection Manager level or wininet level errors. + +#### {AccountUID}/AppAuth/{ObjectName} -The default value is 3. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is integer. Supported operations are Add, Get, and Replace. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName} +``` + -**Microsoft/DefaultEncoding** -Optional. Specifies whether the OMA DM client will use WBXML or XML for the DM package when communicating with the server. The default is "application/vnd.syncml.dm+xml". + + +Defines one set of authentication settings. When mapping the [w7 APPLICATION](w7-application-csp.md) configuration service provider to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). + -The default value of "application/vnd.syncml.dm+xml" specifies that XML is used. A value of "application/vnd.syncml.dm+wbxml" specifies that WBXML is used. + + + -Value type is string. Supported operations are Add, Get, and Replace. + +**Description framework properties**: -**Microsoft/InitialBackOffTime** -Optional. Specifies the initial wait time in milliseconds when the OMA DM client retries for the first time. The wait time grows exponentially. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | +| Dynamic Node Naming | ClientInventory | + -The default value is 16000. + + + -Value type is integer. Supported operations are Add, Get, and Replace. + -**Microsoft/MaxBackOffTime** -Optional. This node specifies the maximum number of milliseconds to wait before attempting a connection retry. + +##### {AccountUID}/AppAuth/{ObjectName}/AAuthData -The default value is 86400000. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is integer. Supported operations are Add, Get, and Replace. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthData +``` + -**Microsoft/ProtoVer** -Optional. Specifies the OMA DM Protocol version that the server supports. There's no default value. + + +Specifies the next nonce used for authentication. "Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks. + -Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2. + + + -Value type is string. Supported operations are Add, Get, and Replace. + +**Description framework properties**: -**Microsoft/Role** -Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server. +| Property name | Property value | +|:--|:--| +| Format | bin | +| Access Type | Add, Replace | + -If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values. + + + -- 4 = SECROLE\_OPERATO -- 8 = SECROLE\_MANAGE -- 16 = SECROLE\_USER\_AUT -- 128 = SECROLE\_OPERATOR\_TPS + + +##### {AccountUID}/AppAuth/{ObjectName}/AAuthLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthLevel +``` + + + + +Specifies the application authentication level. A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| CLCRED | The credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. | +| SRVCRED | The credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. | + + + + + + + + + +##### {AccountUID}/AppAuth/{ObjectName}/AAuthName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthName +``` + + + + +Specifies the authentication name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### {AccountUID}/AppAuth/{ObjectName}/AAuthSecret + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthSecret +``` + + + + +Specifies the password or secret used for authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Replace | + + + + + + + + + +##### {AccountUID}/AppAuth/{ObjectName}/AAuthType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthType +``` + + + + +Specifies the authentication type. If AAuthLevel is CLCRED, the supported types include BASIC and DIGEST. If AAuthLevel is SRVCRED, the only supported type is DIGEST. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel`
    Dependency Allowed Value: `SRVCRED`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| BASIC | BASIC. | +| DIGEST | DIGEST. | + + + + + + + + + +### {AccountUID}/AppID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppID +``` + + + + +Specifies the application identifier for the OMA DM account.. The only supported value is w7. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Default Value | w7 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| w7 (Default) | The only supported value. | + + + + + + + + + +### {AccountUID}/Ext + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext +``` + + + + +Defines a set of extended parameters. This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### {AccountUID}/Ext/Microsoft + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft
+```
+
+
+
+
+Defines a set of Microsoft-specific extended parameters. This element is created automatically when the OMA DM account is created.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/BackCompatRetryDisabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/BackCompatRetryDisabled
+```
+
+
+
+
+This node specifies whether to disable the ability of the DM client to communicate with a down-level server.
+Possible Values:
+false (default) -- Compatibility with down-level servers is enabled
+true -- Compatibility with down-level servers is disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Backward-compatible retries are enabled. |
+| 1 | Backward-compatible retries are disabled. |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/ConnRetryFreq
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/ConnRetryFreq
+```
+
+
+
+
+This node specifies how many times DM client will retry a connection to the server if the connection fails. The default value is 3 retries.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Get, Replace |
+| Default Value | 3 |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/CRLCheck
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/CRLCheck
+```
+
+
+
+
+Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | False. |
+| 1 | True. |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/DefaultEncoding
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/DefaultEncoding
+```
+
+
+
+
+This node specifies the encoding that the OMA-DM client will use to encode its first package. Valid values include "application/vnd.syncml.dm+xml" (for XML) and
+"application/vnd.syncml.dm+wbxml" (for WBXML). If this node is left unspecified, the OMA-DM client defaults to "application/vnd.syncml.dm+xml".
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| application/vnd.syncml.dm+xml | XML is used. |
+| application/vnd.syncml.dm+wbxml | WBXML is used. |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/DisableOnRoaming
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/DisableOnRoaming
+```
+
+
+
+
+Determines whether the OMA DM client should be launched when roaming.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | False. |
+| 1 | True. |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/InitialBackOffTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/InitialBackOffTime
+```
+
+
+
+
+This node specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait
+time grows exponentially. The default value is 16000 milliseconds.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Get, Replace |
+| Default Value | 16000 |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/InitiateSession
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/InitiateSession
+```
+
+
+
+
+When this node is added, a session is started with the MDM server.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Add, Replace |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/MaxBackOffTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/MaxBackOffTime
+```
+
+
+
+
+This node specifies the maximum number of milliseconds to wait before attempting a connection retry. The default value is 86400000.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Get, Replace |
+| Default Value | 86400000 |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/ProtoVer
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/ProtoVer
+```
+
+
+
+
+This node value corresponds to what the client would put in the VerDTD element of an OMA-DM package. No default value is assumed. The only valid value for this
+node is 1.1 or 1.2.
+
+
+
+
+The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1.1 | 1.1. |
+| 1.2 | 1.2. |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/Role
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/Role +``` + + + + +If this node is unspecified, its default value is the access role of the session that created the server account. The value for this node must be a subset of the +roles used in creating this server account. + + + + The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object. + -Value type is integer. Supported operations are Get and Replace. + +**Description framework properties**: -**Microsoft/UseHWDevID** -Optional. Specifies whether to use the hardware ID for the ./DevInfo/DevID element in the DM account to identify the device. The default is "FALSE". +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + -The default value of "FALSE" specifies that an application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID. + +**Allowed values**: -A value is "TRUE" specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case: +| Flag | Description | +|:--|:--| +| 4 | SECROLE_OPERATOR. | +| 8 | SECROLE_MANAGER. | +| 16 | SECROLE_USER_AUTH. | +| 128 | SECROLE_OPERATOR_TPS. | + -- For GSM phones, the IMEI is returned. -- For CDMA phones, the MEID is returned. -- For dual SIM phones, this value is retrieved from the UICC of the primary data line. + + + -Value type is bool. Supported operations are Add, Get, and Replace. + -**Microsoft/UseNonceResync** -Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE". 
+
+##### {AccountUID}/Ext/Microsoft/SSLCLIENTCERTSEARCHCRITERIA
-If the authentication fails because the server nonce doesn't match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device didn't authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-The default value of "FALSE" specifies that the client doesn't try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed.
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/SSLCLIENTCERTSEARCHCRITERIA
+```
+
-Value type is bool. Supported operations are Add, Get, and Replace.
-
-**CRLCheck**
-Optional. Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation.
-
-Value type is bool. Supported operations are Add, Get, and Replace.
-
-**DisableOnRoaming**
-Optional. Determines whether the OMA DM client should be launched when roaming.
-
-Value type is bool. Supported operations are Add, Get, and Replace.
-
-**SSLCLIENTCERTSEARCHCRITERIA**
-Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored.
-
-The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC.
-
-The supported names are Subject and Stores; wildcard certificate search isn't supported.
-
-Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
-
-> [!Note]
-> %EF%80%80 is the UTF8-encoded character U+F000.
- -Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema: + + +The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored. The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC. The supported names are Subject and Stores; wildcard certificate search is not supported. Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive. Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute ("CN=Tester,O=Microsoft"), use the following: + + + ```xml + value="Subject=CN%3DTester,O%3DMicrosoft&Stores=My%5CUser" /> ``` + -Value type is string. Supported operations are Add, Get, and Replace. + +**Description framework properties**: -**InitiateSession** -Optional. When this node is added, a session is started with the MDM server. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -Supported operations are Add, and Replace. + + + -## Related topics + -[Configuration service provider reference](index.yml) + +##### {AccountUID}/Ext/Microsoft/UseHwDevID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/UseHwDevID
+```
+
+
+
+
+A value of true indicates that, during an OMA-DM session with this server, the value of the ./DevInfo/DevId node is the hardware ID of device (e.g, IMEI for a
+GSM device, ESN for a CDMA Device, hashed UUID for a non-radio device). The default value of false indicates that the value of ./DevInfo/DevId node is a hash of
+the UUID of the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | An application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID. |
+| 1 | The hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/Ext/Microsoft/UseNonceResync
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/UseNonceResync
+```
+
+
+
+
+This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce
+resynchronization is disabled and authentication of the server notification fails, the notification is dropped.
+Possible Values:
+false (default) : Nonce resynchronization is disabled.
+true : Nonce resynchronization is enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | The client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. |
+| 1 | The client initiates a DM session if the backup server nonce is received after authentication failed. |
+
+
+
+
+
+
+
+
+
+### {AccountUID}/Name
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/Name
+```
+
+
+
+
+Specifies the display name of the application.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+
+
+
+
+
+
+### {AccountUID}/PrefConRef
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/PrefConRef
+```
+
+
+
+
+The only supported values include the NAPID of a bootstrapped NAP management object or a connection GUID used by connection manager. If this node is missing, the device
+will use the default connection provided by connection manager.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+
+
+
+
+
+
+### {AccountUID}/ServerID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/ServerID
+```
+
+
+
+
+Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
index f2d4b6a20f..57bfdbcc89 100644
--- a/windows/client-management/mdm/dmacc-ddf-file.md
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -1,875 +1,1094 @@ --- title: DMAcc DDF file -description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # DMAcc DDF file -This topic shows the OMA DM device description framework (DDF) for the **DMAcc** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the DMAcc configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + DMAcc + ./SyncML + + + + + This interior node is a common parent to all OMA DM server account nodes that use OMA DM 1.2 protocol. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - DMAcc - ./SyncML + + + + + + + + + + This interior node acts as a placeholder for zero or more OMA DM server accounts. If this OMA DM server account is bootstrapped using the w7 APPLICATION, the name of this node is generated from the 256-bit version of SHA-2 hash of the w7 PROVIDER-ID parm. + + + + + + + + + + AccountUID + + + + + + + + + AppID - - - - This interior node is a common parent to all OMA DM server account nodes that use OMA DM 1.2 protocol. 
- - - - - - - - - - - urn:oma:mo:oma-dm-dmacc:1.1 - + + + + + + w7 + Specifies the application identifier for the OMA DM account.. The only supported value is w7. + + + + + + + + + + Application ID for DM Account MO + + + + + + w7 + The only supported value. + + + + + + ServerID + + + + + + + Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive. + + + + + + + + + + Server Identifier + + + + + + + + + Name + + + + + + + Specifies the display name of the application. + + + + + + + + + + Displayable name for the Management Server + + + + + + + + + PrefConRef + + + + + + + The only supported values include the NAPID of a bootstrapped NAP management object or a connection GUID used by connection manager. If this node is missing, the device will use the default connection provided by connection manager. + + + + + + + + + + Reference to preferred connectivity + + + + + + + + + AppAddr + + + + + + Interior node for DM server address. + + + + + + + + + + A collection of references to DM server address + + + - * + + + + + + + + Defines the OMA DM server address. Only one server address can be configured. When mapping the w7 APPLICATION configuration service provider to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored. + + + + + + + + + + ObjectName + + + + + + + + + Addr - - - - - - - This interior node acts as a placeholder for zero or more OMA DM server accounts. If this OMA DM server account is bootstrapped using the w7 APPLICATION, the name of this node is generated from the 256-bit version of SHA-2 hash of the w7 PROVIDER-ID parm. - - - - - - - - - - - - + + + + + + Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element. 
+ + + + + + + + + + Management Server Address + + + + + + + + + AddrType + + + + + + + URI + Specifies the format and interpretation of the Addr node value. The default is "URI". The default value of "URI" specifies that the OMA DM account address in Addr is a URI address. A value of "IPv4" specifies that the OMA DM account address in Addr is an IP address. + + + + + + + + + + Management Server Address Type + + + + + + URI + The OMA DM account address in Addr is a URI address. + + + IPv4 + The OMA DM account address in Addr is an IP address. + + + + + + Port + + + + + + Interior node for port information. + + + + + + + + + + A collection of all Port objects + + + - AppID + + + + + + + + + Only one port number can be configured. When mapping the w7 APPLICATION configuration service provider to the DMAcc Configuration Service Provider, the name of this element is "1". + + + + + + + + + + ObjectName + + + + + + + + + PortNbr - - - - - - The only supported value is w7. - - - - - - - - - - Application ID for DM Account MO - - text/plain - + + + + + + Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer. + + + + + + + + + + Port + + + + + + - - ServerID - - - - - - - - - - - - - - - - Server Identifier - - text/plain - - - - - Name - - - - - - - - - - - - - - - - Displayable name for the Management Server - - text/plain - - - - - PrefConRef - - - - - - - The only supported values include the NAPID of a bootstrapped NAP management object or a connection GUID used by connection manager. If this node is missing, the device will use the default connection provided by connection manager. - - - - - - - - - - Reference to preferred connectivity - - text/plain - - - - - AppAddr - - - - - - Only the first address provisioned is used. 
- - - - - - - - - - A collection of references to DM server address - - - - - - * - - - - - - - - - - - - - - - The "name" node for AppAddr object - - - - - - Addr - - - - - - - - - - - - - - - - Management Server Address - - text/plain - - - - - AddrType - - - - - - - - - - - - - - - - Management Server Address Type - - text/plain - - - - - Port - - - - - - - - - - - - - - - A collection of all Port objects - - - - - - * - - - - - - - - - - - - - - - - The "name" node for a Port object - - - - - - PortNbr - - - - - - - - - - - - - - - - Port - - text/plain - - - - - - - - - AAuthPref - - - - - - - Supported values: BASIC, DIGEST - - - - - - - - - - Application Authentication Type preference - - text/plain - - - - - AppAuth - - - - - - - - - - - - - - - A collection of all references to multiple Application Authentication objects - - - - - - * - - - - - - - - - - - - - - - The "name" node for multiple Application Authentication objects - - - - - - AAuthLevel - - - - - - - - - - - - - - - - Application Authentication level - - text/plain - - - - - AAuthType - - - - - - - If AAuthLevel is CLCRED, the supported types include BASIC and DIGEST. If AAuthLevel is SRVCRED, the only supported type is DIGEST. - - - - - - - - - - Application Authentication Type - - text/plain - - - - - AAuthName - - - - - - - - - - - - - - - - Application Authentication Name - - text/plain - - - - - AAuthSecret - - - - - - - - - - - - - - - Application Authentication Secret - - text/plain - - - - - AAuthData - - - - - - - - - - - - - - - Application Authentication Data - - text/plain - - - - - - - Ext - - - - - - - - - - - - - - Vendor specific information - - - - - - Microsoft - - - - - - - - - - - - - - The collection of Microsoft specific settings - - - - - - Role - - - - - - If this node is unspecified, its default value is the access role of the session that created the server account. The value for this node must be a subset of the roles used in creating this server account. 
- - - - - - - - - - The security role mask that the DM session should run with - - text/plain - - - - - ProtoVer - - - - - - - This node value corresponds to what the client would put in the VerDTD element of an OMA-DM package. No default value is assumed. The only valid value for this node is 1.1 or 1.2. - - - - - - - - - - The OMA-DM protocol version that the client should use in communicating with the server - - text/plain - - - - - DefaultEncoding - - - - - - - This node specifies the encoding that the OMA-DM client will use to encode its first package. Valid values include "application/vnd.syncml.dm+xml" (for XML) and "application/vnd.syncml.dm+wbxml" (for WBXML). If this node is left unspecified, the OMA-DM client defaults to "application/vnd.syncml.dm+xml". - - - - - - - - - - - text/plain - - - - - UseHwDevID - - - - - - - A value of true indicates that, during an OMA-DM session with this server, the value of the ./DevInfo/DevId node is the hardware ID of device (e.g, IMEI for a GSM device, ESN for a CDMA Device, hashed UUID for a non-radio device). The default value of false indicates that the value of ./DevInfo/DevId node is a hash of the UUID of the device. - - - - - - - - - - - text/plain - - - - - ConnRetryFreq - - - - - - - This node specifies how many times DM client will retry a connection to the server if the connection fails. The default value is 3 retries. - - - - - - - - - - - text/plain - - - - - InitialBackOffTime - - - - - - - This node specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait time grows exponentially. The default value is 16000 milliseconds. - - - - - - - - - - - text/plain - - - - - MaxBackOffTime - - - - - - - This node specifies the maximum number of milliseconds to wait before attempting a connection retry. The default value is 86400000. 
- - - - - - - - - - - text/plain - - - - - BackCompatRetryDisabled - - - - - - - This node specifies whether to disable the ability of the DM client to communicate with a down-level server. + + + + + AAuthPref + + + + + + + Specifies the application authentication preference. Supported values: BASIC, DIGEST. If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first. + + + + + + + + + + Application Authentication Type preference + + + + + + BASIC + The client attempts BASIC authentication. + + + DIGEST + The client attempts MD5 authentication. + + + + + + AppAuth + + + + + + Defines authentication settings. + + + + + + + + + + A collection of all references to multiple Application Authentication objects + + + + + + + + + + + + + Defines one set of authentication settings. When mapping the w7 APPLICATION configuration service provider to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). + + + + + + + + + + ObjectName + + + + + + + + + + + AAuthLevel + + + + + + + Specifies the application authentication level. A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. + + + + + + + + + + Application Authentication level + + + + + + CLCRED + The credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. + + + SRVCRED + The credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. + + + + + + AAuthType + + + + + + + Specifies the authentication type. 
If AAuthLevel is CLCRED, the supported types include BASIC and DIGEST. If AAuthLevel is SRVCRED, the only supported type is DIGEST. + + + + + + + + + + Application Authentication Type + + + + + + BASIC + BASIC + + + DIGEST + DIGEST + + + + + + + DIGEST + DIGEST + + + + Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel + + + SRVCRED + SRVCRED + + + + + + + + + AAuthName + + + + + + + Specifies the authentication name. + + + + + + + + + + Application Authentication Name + + + + + + + + + AAuthSecret + + + + + + Specifies the password or secret used for authentication. + + + + + + + + + + Application Authentication Secret + + + + + + + + + AAuthData + + + + + + Specifies the next nonce used for authentication. "Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks. + + + + + + + + + + Application Authentication Data + + + + + + + + + + + Ext + + + + + Defines a set of extended parameters. This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created. + + + + + + + + + + Vendor specific information + + + + + + Microsoft + + + + + Defines a set of Microsoft-specific extended parameters. This element is created automatically when the OMA DM account is created. + + + + + + + + + + The collection of Microsoft specific settings + + + + + + Role + + + + + + If this node is unspecified, its default value is the access role of the session that created the server account. The value for this node must be a subset of the roles used in creating this server account. 
+ + + + + + + + + + The security role mask that the DM session should run with + + + + + + 4 + SECROLE_OPERATOR + + + 8 + SECROLE_MANAGER + + + 16 + SECROLE_USER_AUTH + + + 128 + SECROLE_OPERATOR_TPS + + + + + + ProtoVer + + + + + + + This node value corresponds to what the client would put in the VerDTD element of an OMA-DM package. No default value is assumed. The only valid value for this node is 1.1 or 1.2. + + + + + + + + + + The OMA-DM protocol version that the client should use in communicating with the server + + + + + + 1.1 + 1.1 + + + 1.2 + 1.2 + + + + + + DefaultEncoding + + + + + + + This node specifies the encoding that the OMA-DM client will use to encode its first package. Valid values include "application/vnd.syncml.dm+xml" (for XML) and "application/vnd.syncml.dm+wbxml" (for WBXML). If this node is left unspecified, the OMA-DM client defaults to "application/vnd.syncml.dm+xml". + + + + + + + + + + + + + + + application/vnd.syncml.dm+xml + XML is used + + + application/vnd.syncml.dm+wbxml + WBXML is used + + + + + + UseHwDevID + + + + + + + 0 + A value of true indicates that, during an OMA-DM session with this server, the value of the ./DevInfo/DevId node is the hardware ID of device (e.g, IMEI for a GSM device, ESN for a CDMA Device, hashed UUID for a non-radio device). The default value of false indicates that the value of ./DevInfo/DevId node is a hash of the UUID of the device. + + + + + + + + + + + + + + + 0 + An application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID. + + + 1 + The hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. + + + + + + ConnRetryFreq + + + + + + + 3 + This node specifies how many times DM client will retry a connection to the server if the connection fails. The default value is 3 retries. 
+ + + + + + + + + + + + + + + + + + InitialBackOffTime + + + + + + + 16000 + This node specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait time grows exponentially. The default value is 16000 milliseconds. + + + + + + + + + + + + + + + + + + MaxBackOffTime + + + + + + + 86400000 + This node specifies the maximum number of milliseconds to wait before attempting a connection retry. The default value is 86400000. + + + + + + + + + + + + + + + + + + BackCompatRetryDisabled + + + + + + + 0 + This node specifies whether to disable the ability of the DM client to communicate with a down-level server. Possible Values: false (default) -- Compatibility with down-level servers is enabled true -- Compatibility with down-level servers is disabled - - - - - - - - - - - text/plain - - - - - UseNonceResync - - - - - - - This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce resynchronization is disabled and authentication of the server notification fails, the notification is dropped. + + + + + + + + + + + + + + + 0 + Backward-compatible retries are enabled. + + + 1 + Backward-compatible retries are disabled. + + + + + + UseNonceResync + + + + + + + 0 + This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce resynchronization is disabled and authentication of the server notification fails, the notification is dropped. Possible Values: false (default) : Nonce resynchronization is disabled. true : Nonce resynchronization is enabled. 
- - - - - - - - - - - text/plain - - - - - CRLCheck - - - - - - - - - - - - - - - - CRLCheck - - text/plain - - - - - DisableOnRoaming - - - - - - - - - - - - - - - - DisableOnRoaming - - text/plain - - - - - SSLCLIENTCERTSEARCHCRITERIA - - - - - - - - - - - - - - - - SSLCLIENTCERTSEARCHCRITERIA - - text/plain - - - - - InitiateSession - - - - - - When this node is added, a session is started with the MDM server. - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + 0 + The client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. + + + 1 + The client initiates a DM session if the backup server nonce is received after authentication failed. + + + + + + CRLCheck + + + + + + + Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation. + + + + + + + + + + CRLCheck + + + + + + 0 + False + + + 1 + True + + + + + + DisableOnRoaming + + + + + + + Determines whether the OMA DM client should be launched when roaming. + + + + + + + + + + DisableOnRoaming + + + + + + 0 + False + + + 1 + True + + + + + + SSLCLIENTCERTSEARCHCRITERIA + + + + + + + + + + + + + + + + + SSLCLIENTCERTSEARCHCRITERIA + + + + + + + + + InitiateSession + + + + + + When this node is added, a session is started with the MDM server. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + + + - ``` -## Related topics - - -[DMAcc configuration service provider](dmacc-csp.md) - -  - -  - - - - - +## Related articles +[DMAcc configuration service provider reference](dmacc-csp.md) diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index a1d4415f08..bdae4f4a67 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md 
@@ -1,245 +1,870 @@
---
title: DMClient CSP
-description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings.
-ms.reviewer:
+description: Learn more about the DMClient CSP.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/28/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/01/2017
+ms.topic: reference
---
+
+
+
# DMClient CSP
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+
+
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
+
-The following information shows the DMClient CSP in tree format.
+
+The following list shows the DMClient configuration service provider nodes:
-```console
-./Vendor/MSFT
-DMClient
-----Provider
---------ProviderID
-------------EntDeviceName
-------------ExchangeID
-------------EntDMID
-------------SignedEntDMID
-------------CertRenewTimeStamp
-------------PublisherDeviceID
-------------ManagementServiceAddress
-------------UPN
-------------HelpPhoneNumber
-------------HelpWebsite
-------------HelpEmailAddress
-------------RequireMessageSigning
-------------SyncApplicationVersion
-------------MaxSyncApplicationVersion
-------------Unenroll
-------------AADResourceID
-------------AADDeviceID
-------------AADSendDeviceToken
-------------ForceAadToken
-------------EnrollmentType
-------------EnableOmaDmKeepAliveMessage
-------------HWDevID
-------------ManagementServerAddressList
-------------CommercialID
-------------ConfigLock
-----------------Lock
-----------------UnlockDuration
-----------------SecureCore
-------------Push
-----------------PFN
-----------------ChannelURI
-----------------Status
-------------Poll
-----------------IntervalForFirstSetOfRetries
-----------------NumberOfFirstRetries
-----------------IntervalForSecondSetOfRetries
-----------------NumberOfSecondRetries
-----------------IntervalForRemainingScheduledRetries
-----------------NumberOfRemainingScheduledRetries
-----------------PollOnLogin
-----------------AllUsersPollOnFirstLogin
-------------LinkedEnrollment
-----------------Priority
-----------------Enroll
-----------------Unenroll
-----------------EnrollStatus
-----------------LastError
-------------Recovery
-----------------AllowRecovery
-----------------RecoveryStatus
-----------------InitiateRecovery
-------------MultipleSession
-----------------NumAllowedConcurrentUserSessionForBackgroundSync
-----------------NumAllowedConcurrentUserSessionAtUserLogonSync
-----------------IntervalForScheduledRetriesForUserSession
-----------------NumberOfScheduledRetriesForUserSession
-----Unenroll
-----UpdateManagementServiceAddress
+- ./Device/Vendor/MSFT/DMClient
+ - [HWDevID](#devicehwdevid)
+ - [Provider](#deviceprovider)
+ - [{ProviderID}](#deviceproviderproviderid)
+ - [AADDeviceID](#deviceproviderprovideridaaddeviceid)
+ - [AADResourceID](#deviceproviderprovideridaadresourceid)
+ - [AADSendDeviceToken](#deviceproviderprovideridaadsenddevicetoken)
+ - [CertRenewTimeStamp](#deviceproviderprovideridcertrenewtimestamp)
+ - [CommercialID](#deviceproviderprovideridcommercialid)
+ - [ConfigLock](#deviceproviderprovideridconfiglock)
+ - [Lock](#deviceproviderprovideridconfiglocklock)
+ - [SecureCore](#deviceproviderprovideridconfiglocksecurecore)
+ - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration)
+ - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage)
+ - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext)
+ - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref)
+ - [HyperlinkText](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinktext)
+ - [Title](#deviceproviderprovideridcustomenrollmentcompletepagetitle)
+ - [EnableOmaDmKeepAliveMessage](#deviceproviderprovideridenableomadmkeepalivemessage)
+ - [EnhancedAppLayerSecurity](#deviceproviderprovideridenhancedapplayersecurity)
+ - [Cert0](#deviceproviderprovideridenhancedapplayersecuritycert0)
+ - [Cert1](#deviceproviderprovideridenhancedapplayersecuritycert1)
+ - [SecurityMode](#deviceproviderprovideridenhancedapplayersecuritysecuritymode)
+ - [UseCertIfRevocationCheckOffline](#deviceproviderprovideridenhancedapplayersecurityusecertifrevocationcheckoffline)
+ - [EnrollmentType](#deviceproviderprovideridenrollmenttype)
+ - [EntDeviceName](#deviceproviderprovideridentdevicename)
+ - [EntDMID](#deviceproviderprovideridentdmid)
+ - [ExchangeID](#deviceproviderprovideridexchangeid)
+ - [FirstSyncStatus](#deviceproviderprovideridfirstsyncstatus)
+ - 
[AllowCollectLogsButton](#deviceproviderprovideridfirstsyncstatusallowcollectlogsbutton)
+ - [BlockInStatusPage](#deviceproviderprovideridfirstsyncstatusblockinstatuspage)
+ - [CustomErrorText](#deviceproviderprovideridfirstsyncstatuscustomerrortext)
+ - [ExpectedModernAppPackages](#deviceproviderprovideridfirstsyncstatusexpectedmodernapppackages)
+ - [ExpectedMSIAppPackages](#deviceproviderprovideridfirstsyncstatusexpectedmsiapppackages)
+ - [ExpectedNetworkProfiles](#deviceproviderprovideridfirstsyncstatusexpectednetworkprofiles)
+ - [ExpectedPFXCerts](#deviceproviderprovideridfirstsyncstatusexpectedpfxcerts)
+ - [ExpectedPolicies](#deviceproviderprovideridfirstsyncstatusexpectedpolicies)
+ - [ExpectedSCEPCerts](#deviceproviderprovideridfirstsyncstatusexpectedscepcerts)
+ - [IsSyncDone](#deviceproviderprovideridfirstsyncstatusissyncdone)
+ - [ServerHasFinishedProvisioning](#deviceproviderprovideridfirstsyncstatusserverhasfinishedprovisioning)
+ - [SkipDeviceStatusPage](#deviceproviderprovideridfirstsyncstatusskipdevicestatuspage)
+ - [SkipUserStatusPage](#deviceproviderprovideridfirstsyncstatusskipuserstatuspage)
+ - [TimeOutUntilSyncFailure](#deviceproviderprovideridfirstsyncstatustimeoutuntilsyncfailure)
+ - [WasDeviceSuccessfullyProvisioned](#deviceproviderprovideridfirstsyncstatuswasdevicesuccessfullyprovisioned)
+ - [ForceAadToken](#deviceproviderprovideridforceaadtoken)
+ - [HelpEmailAddress](#deviceproviderprovideridhelpemailaddress)
+ - [HelpPhoneNumber](#deviceproviderprovideridhelpphonenumber)
+ - [HelpWebsite](#deviceproviderprovideridhelpwebsite)
+ - [HWDevID](#deviceproviderprovideridhwdevid)
+ - [LinkedEnrollment](#deviceproviderprovideridlinkedenrollment)
+ - [Enroll](#deviceproviderprovideridlinkedenrollmentenroll)
+ - [EnrollStatus](#deviceproviderprovideridlinkedenrollmentenrollstatus)
+ - [LastError](#deviceproviderprovideridlinkedenrollmentlasterror)
+ - [Priority](#deviceproviderprovideridlinkedenrollmentpriority)
+ - 
[Unenroll](#deviceproviderprovideridlinkedenrollmentunenroll)
+ - [ManagementServerAddressList](#deviceproviderprovideridmanagementserveraddresslist)
+ - [ManagementServerToUpgradeTo](#deviceproviderprovideridmanagementservertoupgradeto)
+ - [ManagementServiceAddress](#deviceproviderprovideridmanagementserviceaddress)
+ - [MaxSyncApplicationVersion](#deviceproviderprovideridmaxsyncapplicationversion)
+ - [MultipleSession](#deviceproviderprovideridmultiplesession)
+ - [IntervalForScheduledRetriesForUserSession](#deviceproviderprovideridmultiplesessionintervalforscheduledretriesforusersession)
+ - [NumAllowedConcurrentUserSessionAtUserLogonSync](#deviceproviderprovideridmultiplesessionnumallowedconcurrentusersessionatuserlogonsync)
+ - [NumAllowedConcurrentUserSessionForBackgroundSync](#deviceproviderprovideridmultiplesessionnumallowedconcurrentusersessionforbackgroundsync)
+ - [NumberOfScheduledRetriesForUserSession](#deviceproviderprovideridmultiplesessionnumberofscheduledretriesforusersession)
+ - [NumberOfDaysAfterLostContactToUnenroll](#deviceproviderprovideridnumberofdaysafterlostcontacttounenroll)
+ - [Poll](#deviceproviderprovideridpoll)
+ - [AllUsersPollOnFirstLogin](#deviceproviderprovideridpollalluserspollonfirstlogin)
+ - [IntervalForFirstSetOfRetries](#deviceproviderprovideridpollintervalforfirstsetofretries)
+ - [IntervalForRemainingScheduledRetries](#deviceproviderprovideridpollintervalforremainingscheduledretries)
+ - [IntervalForSecondSetOfRetries](#deviceproviderprovideridpollintervalforsecondsetofretries)
+ - [NumberOfFirstRetries](#deviceproviderprovideridpollnumberoffirstretries)
+ - [NumberOfRemainingScheduledRetries](#deviceproviderprovideridpollnumberofremainingscheduledretries)
+ - [NumberOfSecondRetries](#deviceproviderprovideridpollnumberofsecondretries)
+ - [PollOnLogin](#deviceproviderprovideridpollpollonlogin)
+ - [PublisherDeviceID](#deviceproviderprovideridpublisherdeviceid)
+ - [Push](#deviceproviderprovideridpush)
+ - 
[ChannelURI](#deviceproviderprovideridpushchanneluri)
+ - [PFN](#deviceproviderprovideridpushpfn)
+ - [Status](#deviceproviderprovideridpushstatus)
+ - [Recovery](#deviceproviderprovideridrecovery)
+ - [AllowRecovery](#deviceproviderprovideridrecoveryallowrecovery)
+ - [InitiateRecovery](#deviceproviderprovideridrecoveryinitiaterecovery)
+ - [RecoveryStatus](#deviceproviderprovideridrecoveryrecoverystatus)
+ - [RequireMessageSigning](#deviceproviderprovideridrequiremessagesigning)
+ - [SignedEntDMID](#deviceproviderprovideridsignedentdmid)
+ - [SyncApplicationVersion](#deviceproviderprovideridsyncapplicationversion)
+ - [Unenroll](#deviceproviderprovideridunenroll)
+ - [UPN](#deviceproviderprovideridupn)
+ - [Unenroll](#deviceunenroll)
+ - [UpdateManagementServiceAddress](#deviceupdatemanagementserviceaddress)
+- ./User/Vendor/MSFT/DMClient
+ - [Provider](#userprovider)
+ - [{ProviderID}](#userproviderproviderid)
+ - [FirstSyncStatus](#userproviderprovideridfirstsyncstatus)
+ - [AllowCollectLogsButton](#userproviderprovideridfirstsyncstatusallowcollectlogsbutton)
+ - [CustomErrorText](#userproviderprovideridfirstsyncstatuscustomerrortext)
+ - [ExpectedModernAppPackages](#userproviderprovideridfirstsyncstatusexpectedmodernapppackages)
+ - [ExpectedMSIAppPackages](#userproviderprovideridfirstsyncstatusexpectedmsiapppackages)
+ - [ExpectedNetworkProfiles](#userproviderprovideridfirstsyncstatusexpectednetworkprofiles)
+ - [ExpectedPFXCerts](#userproviderprovideridfirstsyncstatusexpectedpfxcerts)
+ - [ExpectedPolicies](#userproviderprovideridfirstsyncstatusexpectedpolicies)
+ - [ExpectedSCEPCerts](#userproviderprovideridfirstsyncstatusexpectedscepcerts)
+ - [IsSyncDone](#userproviderprovideridfirstsyncstatusissyncdone)
+ - [ServerHasFinishedProvisioning](#userproviderprovideridfirstsyncstatusserverhasfinishedprovisioning)
+ - [WasDeviceSuccessfullyProvisioned](#userproviderprovideridfirstsyncstatuswasdevicesuccessfullyprovisioned)
+
+
+
+## Device/HWDevID
+
+
+| Scope | 
Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/HWDevID ``` + -**./Vendor/MSFT** -All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path. + + +Returns the hardware device ID. + -**DMClient** -Root node for the CSP. + + + -**UpdateManagementServiceAddress** -For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node. + +**Description framework properties**: -**HWDevID** -Added in Windows 10, version 1703. Returns the hardware device ID. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operation is Get. Value type is string. + + + -**Provider** -Required. The root node for all settings that belong to a single management server. Scope is permanent. + -Supported operation is Get. + +## Device/Provider -**Provider/***ProviderID* -Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesn’t require XML/URI escaping. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Supported operations are Get and Add. - -**Provider/*ProviderID*/EntDeviceName** -Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session. - -Supported operations are Get and Add. - -**Provider/*ProviderID*/EntDMID** -Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session. - -Supported operations are Get and Add. - -> [!NOTE] -> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. -This node is required and must be set by the server before the client certificate renewal is triggered. - -**Provider/*ProviderID*/ExchangeID** -Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for: - -- A device that's managed by Exchange. -- A device that's natively managed by a dedicated management server. - -> [!NOTE] -> In some cases for the desktop, this node will return "not found" until the user sets up their email. - -Supported operation is Get. - -The following XML is a Get command example: - -```xml - - 12 - - - ./Vendor/MSFT/DMClient/Provider//ExchangeID - - - + +```Device +./Device/Vendor/MSFT/DMClient/Provider ``` + -**Provider/*ProviderID*/SignedEntDMID** -Optional. 
Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally. + + +The root node for all settings that belong to a single management server. + -Supported operation is Get. + + + -**Provider/*ProviderID*/CertRenewTimeStamp** -Optional. The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Provider/*ProviderID*/ManagementServiceAddress** -Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server. + + + -> [!NOTE] -> When the **ManagementServerAddressList** value is set, the device ignores the value. + -The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md). + +### Device/Provider/{ProviderID} -Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there's only a single URL, then the <> aren't required. This feature is supported on Windows client devices. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID} +``` + -Supported operations are Add, Get, and Replace. + + +This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn't require XML/URI escaping. + -**Provider/*ProviderID*/UPN** -Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user's email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. + + + -Supported operations are Get and Replace. + +**Description framework properties**: -**Provider/*ProviderID*/HelpPhoneNumber** -Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -Supported operations are Get, Replace, and Delete. + + + -**Provider/*ProviderID*/HelpWebsite** -Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support. + -Supported operations are Get, Replace, and Delete + +#### Device/Provider/{ProviderID}/AADDeviceID -**Provider/*ProviderID*/HelpEmailAddress** -Optional. 
The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -Supported operations are Get, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADDeviceID +``` + -**Provider/*ProviderID*/RequireMessageSigning** -Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature. + + +Device ID used for AAD device registration. + -Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header. + + + -When enabled, the MDM provider should: + +**Description framework properties**: -- Validate the signature and the timestamp using the device identify certificate enrolled as part of Mobile Device Enrollment protocol (MS-MDE). -- Ensure the certificate and time are valid. -- Verify that the signature is trusted by the MDM provider. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operations are Get, Replace, and Delete. + + + -**Provider/*ProviderID*/SyncApplicationVersion** -Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. 
In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0. + -> [!NOTE] -> This node is only supported in Windows 10 and later. + +#### Device/Provider/{ProviderID}/AADResourceID -Once you set the value to 2.0, it won't go back to 1.0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Supported operations are Get, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADResourceID +``` + -**Provider/*ProviderID*/MaxSyncApplicationVersion** -Optional. Used by the client to indicate the latest DM session version that it supports. Default is 2.0. - -When you query this node, a Windows 10 client will return 2.0 and a Windows 8.1 client will return an error code (404 node not found). - -Supported operation is Get. - -**Provider/*ProviderID*/AADResourceID** -Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access. + + +This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access. + + + For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../azure-active-directory-integration-with-mdm.md). + -**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage** -Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. + +**Description framework properties**: -When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. 
By default, the MDM client doesn't send an alert that a DM request is pending. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. Send a SyncML message with a specific device alert element in the body until the client can respond back to the server with the requested information. + + + + + + + +#### Device/Provider/{ProviderID}/AADSendDeviceToken + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADSendDeviceToken +``` + + + + +For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Do not send Device Token if User Token cannot be obtained. | +| true | Send Device Token if User Token cannot be obtained. | + + + + + + + + + +#### Device/Provider/{ProviderID}/CertRenewTimeStamp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CertRenewTimeStamp +``` + + + + +The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/CommercialID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CommercialID
+```
+
+
+
+
+Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/ConfigLock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock
+```
+
+
+
+
+
+
+
+
+This node enables [Config Lock](../config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
+
+> [!NOTE]
+> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/ConfigLock/Lock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/Lock +``` + + + + +This node specifies how the client will perform the lock mode for SecureCore PC. 0: unlock; 1: lock. The default value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Unlock. | +| 1 | Lock. | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigLock/SecureCore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/SecureCore +``` + + + + +The node returns the boolean value whether the device is a SecureCore PC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigLock/UnlockDuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/UnlockDuration +``` + + + + +This node, when it is set, tells the client to set how many minutes the device should be temporarily unlocked from SecureCore settings protection. The default value is 480. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 480 | + + + + + + + + + +#### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage +``` + + + + +These nodes provision custom text for the enrollment page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/BodyText + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/BodyText +``` + + + + +Specifies the body text of the all done page that appears at the end of the MDM enrollment flow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkHref + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkHref +``` + + + + +Specifies the URL that is shown at the end of the MDM enrollment flow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkText + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkText +``` + + + + +Specifies the display text for the URL that is shown at the end of the MDM enrollment flow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/Title + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/Title +``` + + + + +Specifies the title of the all done page that appears at the end of the MDM enrollment flow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/EnableOmaDmKeepAliveMessage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnableOmaDmKeepAliveMessage +``` + + + + +A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Enable message. | +| true | Disable message. | + + + + +**Example**: Here's an example of DM message sent by the device when it's in pending state: @@ -271,32 +896,1603 @@ Here's an example of DM message sent by the device when it's in pending state: ``` + -**Provider/*ProviderID*/AADDeviceID** -Added in Windows 10, version 1607. Returns the device ID for the Azure AD device registration. + -Supported operation is Get. + +#### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity -**Provider/*ProviderID*/EnrollmentType** -Added in Windows 10, version 1607. Returns the enrollment type (Device or Full). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity +``` + -**Provider/*ProviderID*/HWDevID** -Added in Windows 10, version 1607. Returns the hardware device ID. + + + -Supported operation is Get. + + + -**Provider/*ProviderID*/CommercialID** -Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Provider/*ProviderID*/ManagementServerAddressList** -Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there's only one, the angle brackets (<>) aren't required. + + + + + + +##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert0 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert0 +``` + + + + +The node contains the primary certificate - the public key to use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert1 +``` + + + + +The node contains the secondary certificate - the public key to use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/SecurityMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/SecurityMode +``` + + + + +This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No op. | +| 1 | Sign only. | +| 2 | Encrypt only. | +| 3 | Sign and encrypt. | + + + + + + + + + +##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline +``` + + + + +This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + + + + + + + + + +#### Device/Provider/{ProviderID}/EnrollmentType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnrollmentType +``` + + + + +Type of MDM enrollment (Device or Full). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Provider/{ProviderID}/EntDeviceName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EntDeviceName +``` + + + + +Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/EntDMID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EntDMID +``` + + + + +Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. + + + + > [!NOTE] -> The < and > should be escaped. +> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP's **USEHWDEVID** node by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. This node is required and must be set by the server before the client certificate renewal is triggered. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/ExchangeID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ExchangeID +``` + + + + +Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server. + + + + +> [!NOTE] +> In some cases, this node will return "not found" until the user sets up their email. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +**Example**: + +```xml + + 12 + + + ./Vendor/MSFT/DMClient/Provider//ExchangeID + + + +``` + + + + + +#### Device/Provider/{ProviderID}/FirstSyncStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton +``` + + + + +This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Do not show the Collect Logs button on the progress page. | +| true | Show the Collect Logs button on the progress page. | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/BlockInStatusPage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/BlockInStatusPage +``` + + + + +Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x0 | Allow the user to exit the page before provisioning completes. | +| 0x1 | Block the user on the page and show the Reset PC button on failure. | +| 0x2 | Block the user on the page and show the Try Again button on failure. | +| 0x4 | Block the user on the page and show the Continue Anyway button on failure. | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText +``` + + + + +This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages +``` + + + + +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages +``` + + + + +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles +``` + + + + +This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts +``` + + + + +This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies +``` + + + + +This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts +``` + + + + +This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone +``` + + + + +This node, when doing a get, tells the server if the "First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | The device is not finished provisioning. | +| true | The device has finished provisoining. | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning +``` + + + + +This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can "change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Server has not finished provisioning. | +| true | Server has finished provisioning. | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/SkipDeviceStatusPage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/SkipDeviceStatusPage
+```
+
+
+
+
+Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Do not skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| true (Default) | Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/SkipUserStatusPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/SkipUserStatusPage
+```
+
+
+
+
+Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Do not skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| true (Default) | Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/TimeOutUntilSyncFailure
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/TimeOutUntilSyncFailure
+```
+
+
+
+
+This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[1-1440]` |
+| Default Value | 60 |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
+```
+
+
+
+
+Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The device has failed to provision the device. |
+| 1 | The device has successfully provisioned the device. |
+| 2 | Provisioning is in progress. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/ForceAadToken
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1766] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1766] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1766] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.739] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ForceAadToken
+```
+
+
+
+
+Force device to send device AAD token during check-in as a separate header.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | ForceAadTokenNotDefined: the value is not defined(default). |
+| 1 | AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during check-in as a separate header section(not as Bearer token). |
+| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during check-in as a separate header section(not as Bearer toekn). |
+| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. |
+| 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/HelpEmailAddress
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpEmailAddress
+```
+
+
+
+
+The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/HelpPhoneNumber
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpPhoneNumber
+```
+
+
+
+
+The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/HelpWebsite
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpWebsite
+```
+
+
+
+
+The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/HWDevID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HWDevID
+```
+
+
+
+
+Returns the hardware device ID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/LinkedEnrollment
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment
+```
+
+
+
+
+The interior node for linked enrollment.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/Enroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Enroll
+```
+
+
+
+
+Trigger to enroll for the Linked Enrollment.
+
+
+
+
+This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/EnrollStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/EnrollStatus
+```
+
+
+
+
+Returns the current enrollment or un-enrollment status of the linked enrollment.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Undefined. |
+| 1 | Enrollment Not started. |
+| 2 | Enrollment In Progress. |
+| 3 | Enrollment Failed. |
+| 4 | Enrollment Succeeded. |
+| 5 | Unenrollment Not started. |
+| 6 | UnEnrollment In Progress. |
+| 7 | UnEnrollment Failed. |
+| 8 | UnEnrollment Succeeded. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/LastError
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/LastError
+```
+
+
+
+
+return the last error for enroll/unenroll.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/Priority
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Priority
+```
+
+
+
+
+Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The main enrollment has priority over linked enrollment. |
+| 1 | The linked enrollment has priority over the main enrollment. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/Unenroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Unenroll
+```
+
+
+
+
+Trigger Unenroll for the Linked Enrollment.
+
+
+
+
+This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/ManagementServerAddressList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServerAddressList +``` + + + + +The list of management server URLs in the format `` `` ``, and so on. If there is only one, the angle brackets (<>) are not required. The < and > should be escaped. If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + +**Example**: ```xml @@ -311,525 +2507,1285 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo ``` + -If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. + -When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list. + +#### Device/Provider/{ProviderID}/ManagementServerToUpgradeTo -Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-Value type is string.
-
-**Provider/*ProviderID*/ManagementServerToUpgradeTo**
-Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
-Optional. Number of days after last successful sync to unenroll.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is integer.
-
-**Provider/*ProviderID*/AADSendDeviceToken**
-
-Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is bool.
-
-**Provider/*ProviderID*/ForceAadToken**
-The value type is integer/enum.
-
-The value is "1" and it means client should always send Azure Active Directory device token during check-in/sync.
-
-**Provider/*ProviderID*/Poll**
-Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
-
-Supported operations are Get and Add.
-
-There are three schedules managed under the Poll node. They enable a rich polling schedule experience to provide greater flexibility in managing the way devices poll the management server. There are various ways that polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules to restore the polling schedules back to a valid configuration.
-
-If there's no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
-
-**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).**
-
-|Schedule name|Schedule set by the server|Actual value queried on device|
-|--- |--- |--- |
-|IntervalForFirstSetOfRetries|15|15|
-|NumberOfFirstRetries|5|5|
-|IntervalForSecondSetOfRetries|60|60|
-|NumberOfSecondRetries|10|10|
-|IntervalForRemainingScheduledRetries|1440|1440|
-|NumberOfRemainingScheduledRetries|0|0|
-
-**Valid poll schedule: initial enrollment only [no infinite schedule]**
-
-|Schedule name|Schedule set by the server|Actual value queried on device|
-|--- |--- |--- |
-|IntervalForFirstSetOfRetries|15|15|
-|NumberOfFirstRetries|5|5|
-|IntervalForSecondSetOfRetries|60|60|
-|NumberOfSecondRetries|10|10|
-|IntervalForRemainingScheduledRetries|0|0|
-|NumberOfRemainingScheduledRetries|0|0|
-
-**Invalid poll schedule: disable all poll schedules**
-
-> [!NOTE]
-> Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero.
-
-|Schedule name|Schedule set by the server|Actual value queried on device|
-|--- |--- |--- |
-|IntervalForFirstSetOfRetries|0|0|
-|NumberOfFirstRetries|0|0|
-|IntervalForSecondSetOfRetries|0|0|
-|NumberOfSecondRetries|0|0|
-|IntervalForRemainingScheduledRetries|0|0|
-|NumberOfRemainingScheduledRetries|0|0|
-
-**Invalid poll schedule: two infinite schedules**
-
-|Schedule name|Schedule set by server|Actual schedule set on device|Actual experience|
-|--- |--- |--- |--- |
-|IntervalForFirstSetOfRetries|15|15|Device polls|
-|NumberOfFirstRetries|5|5|Device polls|
-|IntervalForSecondSetOfRetries|1440|1440|Device polls the server once in 24 hours|
-|NumberOfSecondRetries|0|0|Device polls the server once in 24 hours|
-|IntervalForRemainingScheduledRetries|1440|0|Third schedule is disabled|
-|NumberOfRemainingScheduledRetries|0|0|Third schedule is disabled|
-
-If the device was previously enrolled in MDM with polling schedule configured using the registry key values directly, the MDM provider 
that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters using the DMClient CSP
-
-When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure.
-
-**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
-Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
-
-Supported operations are Get and Replace.
-
-The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP.
-
-**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
-Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10.
-
-Supported operations are Get and Replace.
-
-The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously used the Registry CSP.
-
-The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. 
RemainingScheduledRetries is used for the long run device polling schedule.
-
-**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
-Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `//Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled.
-
-Supported operations are Get and Replace.
-
-The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP.
-
-**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
-Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
-
-Supported operations are Get and Replace.
-
-The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously used the Registry CSP.
-
-The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
-
-**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
-Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
-
-Supported operations are Get and Replace. 
-
-The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP.
-
-**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
-Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
-
-Supported operations are Get and Replace.
-
-The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP.
-
-The RemainingScheduledRetries is used for the long run device polling schedule.
-
-**Provider/*ProviderID*/Poll/PollOnLogin**
-Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
-
-Supported operations are Add, Get, and Replace.
-
-**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
-Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
-
-Supported operations are Add, Get, and Replace. 
-
-**Provider/*ProviderID*/LinkedEnrollment/Priority**
-This node is an integer, value is "0" or "1".
-
-Default is 1, meaning the MDM enrollment is the “winning” authority for conflicting policies/resources. Value 1 means MMP-C enrollment is the “winning” one.
-Support operations are Get and Set.
-
-**Provider/*ProviderID*/LinkedEnrollment/Enroll**
-This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed.
-
-Support operation is Exec.
-
-**Provider/*ProviderID*/LinkedEnrollment/Unenroll**
-This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back(rollback details will be covered later).
-
-Support operation is Exec.
-
-**Provider/*ProviderID*/LinkedEnrollment/EnrollStatus**
-
-This node can be used to check both enroll and unenroll statuses.
-This will return the enroll action status and is defined as an enum class LinkedEnrollmentStatus. The values are as follows:
-
-- Undefined = 0
-- EnrollmentNotStarted = 1
-- InProgress = 2
-- Failed = 3
-- Succeeded = 4
-- UnEnrollmentQueued = 5
-- UnEnrollmentSucceeded = 8
-
-Support operation is Get only.
-
-**Provider/*ProviderID*/LinkedEnrollment/LastError**
-
-This specifies the Hresult to report the enrollment/unenroll results.
-
-**Provider/*ProviderID*/Recovery/AllowRecovery**
-
-This node determines whether or not the client will automatically initiate an MDM Recovery operation when it detects issues with the MDM certificate.
-
-Supported operations are Get, Add, Replace and Delete.
-
-The supported values for this node are 1-true (allow) and 0-false(not allow). Default value is 0.
-
-**Provider/*ProviderID*/Recovery/RecoveryStatus**
-
-This node tracks the status of a Recovery request from the InitiateRecovery node. 
The values are as follows:
-
-0 - No Recovery request has been processed.
-1 - Recovery is in Process.
-2 - Recovery has finished successfully.
-3 - Recovery has failed to start because TPM is not available.
-4 - Recovery has failed to start because Azure Active Directory keys are not protected by the TPM.
-5 - Recovery has failed to start because the MDM keys are already protected by the TPM.
-6 - Recovery has failed to start because the TPM is not ready for attestation.
-7 - Recovery has failed because the client cannot authenticate to the server.
-8 - Recovery has failed because the server has rejected the client's request.
-
-Supported operation is Get only.
-
-**Provider/*ProviderID*/Recovery/InitiateRecovery**
-
-This node initiates an MDM Recovery operation on the client.
-
-If initiated with argument 0, it triggers MDM Recovery, no matter the state of the device.
-
-If initiated with argument 1, it triggers only if the MDM certificate’s private key isn’t already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation.
-
-Supported operation is Exec only.
-
-**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync**
-
-Optional. This node specifies maximum number of concurrent user sync sessions in background.
-
-The default value is dynamically decided by the client based on CPU usage.
-
-The values are as follows:
-0 = none
-1 = sequential
-anything else = parallel
-
-Supported operations are Get, Add, Replace and Delete.
-
-Value type is integer. Only applicable for Windows Enterprise multi-session.
-
-
-**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync**
-Optional. This node specifies maximum number of concurrent user sync sessions at User Login.
-
-The default value is dynamically decided by the client based on CPU usage.
-
-The values are as follows:
-0 = none
-1 = sequential
-anything else = parallel. 
- -Supported operations are Get, Add, Replace and Delete. - -Value type is integer. Only applicable for Windows Enterprise multi-session. - -**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession** -Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `//Poll/NumberOfScheduledRetriesForUserSession`. - -If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled. - -This configuration is only applicable for Windows Multi-session Editions. - -Supported operations are Get and Replace. - -**Provider/*ProviderID*/MultipleSession/NumberOfScheduledRetriesForUserSession** -Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. - -If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times. - -The default value is 0. This configuration is only applicable for Windows Multi-session Editions. - -Supported operations are Get and Replace. - -**Provider/*ProviderID*/ConfigLock** - -Optional. This node enables [Config Lock](../config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. - -Default = Locked - -> [!Note] -> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure). - -**Provider/*ProviderID*/ConfigLock/Lock** - -The supported values for this node are 0-unlock, 1-lock. - -Supported operations are Add, Delete, Get. 
- -**Provider/*ProviderID*/ConfigLock/UnlockDuration** - -The supported values for this node are 1 to 480 (in min). - -Supported operations are Add, Delete, Get. - -**Provider/*ProviderID*/ConfigLock/SecureCore** - -The supported values for this node are false or true. - -Supported operation is Get only. - -**Provider/*ProviderID*/Push** -Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. - -Supported operations are Add and Delete. - -**Provider/*ProviderID*/Push/PFN** -Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing. - -Supported operations are Add, Get, and Replace. - -**Provider/*ProviderID*/Push/ChannelURI** -Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. - -Supported operation is Get. - -**Provider/*ProviderID*/Push/Status** -Required. An integer that maps to a known error state or condition on the system. - -Supported operation is Get. - -The status error mapping is listed below. - -|Status|Description| -|--- |--- | -|0|Success| -|1|Failure: invalid PFN| -|2|Failure: invalid or expired device authentication with Microsoft account| -|3|Failure: WNS client registration failed due to an invalid or revoked PFN| -|4|Failure: no Channel URI assigned| -|5|Failure: Channel URI has expired| -|6|Failure: Channel URI failed to be revoked| -|7|Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.| -|8|Unknown error| - -**Provider/*ProviderID*/CustomEnrollmentCompletePage** -Optional. Added in Windows 10, version 1703. - -Supported operations are Add, Delete, and Get. 
- -**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title** -Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText** -Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref** -Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText** -Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/FirstSyncStatus** -Optional node. Added in Windows 10, version 1709. - -**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000". - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. 
- -**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, - -``` syntax -./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" -./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServerToUpgradeTo ``` + -This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps. + + +Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device. + -Supported operations are Add, Delete, Get, and Replace. + + + -Value type is string. 
+ +**Description framework properties**: -**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported operations are Add, Delete, Get, and Replace. + + + -Value type is string. + -**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + +#### Device/Provider/{ProviderID}/ManagementServiceAddress -Supported operations are Add, Delete, Get, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Value type is string. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServiceAddress +``` + -**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure** -Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day). + + +The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server. The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION](w7-application-csp.md) configuration service provider. Starting in Windows 10, version 1511, this node supports multiple server addresses in the format `` `` ``. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices. During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session. + -Supported operations are Get and Replace. + + +> [!NOTE] +> When the **ManagementServerAddressList** value is set, the device ignores the value. + -Value type is integer. + +**Description framework properties**: -**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning** -Required. Added in Windows 10, version 1709. 
This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Dependency [ManageServerAddressListBlock] | Dependency Type: `Not`
    Dependency URI: `Device/Vendor/MSFT/DMClient/Provider/[ProviderID]/ManagementServerAddressList`
    Dependency Allowed Value Type: `None`
    | + -Supported operations are Get and Replace. + + + -Value type is boolean. + -**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone** -Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + +#### Device/Provider/{ProviderID}/MaxSyncApplicationVersion -Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Value type is boolean. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MaxSyncApplicationVersion +``` + -**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned** -Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). + + +Used by the client to indicate the latest DM session version that it supports. + -Supported operations are Get and Replace. + + + -Value type is integer. + +**Description framework properties**: -**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage** -Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operations are Get and Replace. + + + -Value type is integer. + -**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton** -Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button. + +#### Device/Provider/{ProviderID}/MultipleSession -Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Value type is bool. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession +``` + -**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText** -Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error. + + + -Supported operations are Add, Get, Delete, and Replace. + + +> [!NOTE] +> Only applicable for Windows Enterprise multi-session. + -Value type is string. + +**Description framework properties**: -**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage** -Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operations are Get and Replace. + + + -Value type is bool. + -**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage** -Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login. + +##### Device/Provider/{ProviderID}/MultipleSession/IntervalForScheduledRetriesForUserSession -Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Value type is bool. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/IntervalForScheduledRetriesForUserSession +``` + -**Provider/*ProviderID*/EnhancedAppLayerSecurity** -Required node. Added in Windows 10, version 1709. + + +The waiting time (in minutes) for the initial set of retries as specified by the number of retries in NumberOfScheduledRetriesForUserSession. If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. Default value is 1440. If the value is 0, this schedule is disabled. + -Supported operation is Get. + + +> [!NOTE] +> Only applicable for Windows Enterprise multi-session. + -**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode** -Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -Value type is integer. + + + -**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline** -Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set. + -Supported operations are Add, Get, Replace, and Delete. + +##### Device/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync -Value type is boolean. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0** -Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync +``` + -Supported operations are Add, Get, Replace, and Delete. + + +Optional. Maximum number of concurrent user sync sessions at User Login. Default value is 25. 0 none, 1 sequential, anything else: parallel. + -Value type is string. + + +> [!NOTE] +> Only applicable for Windows Enterprise multi-session. + -**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1** -Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -Value type is string. + + + -**Provider/*ProviderID*/Unenroll** -Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent. + -Supported operations are Get and Exec. + +##### Device/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync -<LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync
+```
+
+
+
+
+Optional. Maximum number of concurrent user sync sessions in background. Default value is 25. 0 none, 1 sequential, anything else: parallel.
+
+
+
+
+> [!NOTE]
+> Only applicable for Windows Enterprise multi-session.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/MultipleSession/NumberOfScheduledRetriesForUserSession
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumberOfScheduledRetriesForUserSession
+```
+
+
+
+
+The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is 0 and IntervalForScheduledRetriesForUserSession is not 0, then the schedule will be set to repeat for an infinite number of times.
+
+
+
+
+> [!NOTE]
+> Only applicable for Windows Enterprise multi-session.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/NumberOfDaysAfterLostContactToUnenroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/NumberOfDaysAfterLostContactToUnenroll
+```
+
+
+
+
+Number of days after last successful sync to unenroll.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/Poll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll +``` + + + + +Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/AllUsersPollOnFirstLogin + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/AllUsersPollOnFirstLogin +``` + + + + +Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Polling is disabled on first login. | +| true | Polling is enabled on first login. | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/IntervalForFirstSetOfRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForFirstSetOfRetries +``` + + + + +The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /``/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/IntervalForRemainingScheduledRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForRemainingScheduledRetries +``` + + + + +The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /``/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/IntervalForSecondSetOfRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForSecondSetOfRetries +``` + + + + +The waiting time (in minutes) for the second set of retries as specified by the number of retries in /``/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/NumberOfFirstRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfFirstRetries +``` + + + + +The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10. The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/NumberOfRemainingScheduledRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfRemainingScheduledRetries +``` + + + + +The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/NumberOfSecondRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfSecondRetries +``` + + + + +The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/PollOnLogin + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/PollOnLogin +``` + + + + +Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Polling is disabled on first login. | +| true | Polling is enabled on first login. | + + + + + + + + + +#### Device/Provider/{ProviderID}/PublisherDeviceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/PublisherDeviceID +``` + + + + +The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/``/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises' applications, each enterprise is identified differently. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/Push + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push +``` + + + + +Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/Push/ChannelURI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/ChannelURI +``` + + + + +A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/Push/PFN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/PFN +``` + + + + +A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Push/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/Status +``` + + + + +An integer that maps to a known error state or condition on the system. Valid values are: 0 - Success, 1 - Failure: invalid PFN, 2 - Failure: invalid or expired device authentication with MSA, 3 - Failure: WNS client registration failed due to an invalid or revoked PFN, 4 - Failure: no Channel URI assigned, 5 - Failure: Channel URI has expired, 6 - Failure: Channel URI failed to be revoked, 7 - Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations, 8 - Unknown error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/Provider/{ProviderID}/Recovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery +``` + + + + +Parent node for Recovery nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/Recovery/AllowRecovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/AllowRecovery +``` + + + + +This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | MDM Recovery is allowed. | +| 0 (Default) | MDM Recovery is not allowed. | + + + + + + + + + +##### Device/Provider/{ProviderID}/Recovery/InitiateRecovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/InitiateRecovery +``` + + + + +This node initiates a recovery action. The server can specify prerequisites before the action is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Exec | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Initiate MDM Recovery. | +| 1 | Initiate Recovery if Keys are not already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. | + + + + + + + + + +##### Device/Provider/{ProviderID}/Recovery/RecoveryStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/RecoveryStatus +``` + + + + +This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM is not available. 4 - Recovery has failed to start because AAD keys are not protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM is not ready for attestation. 7 - Recovery has failed because the client cannot authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +#### Device/Provider/{ProviderID}/RequireMessageSigning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/RequireMessageSigning +``` + + + + +Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | The device management client does not include authentication information in the management session HTTP header. | +| true | The client authentication information is provided in the management session HTTP header. | + + + + + + + + + +#### Device/Provider/{ProviderID}/SignedEntDMID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/SignedEntDMID +``` + + + + +Character string that contains the device ID. This node and the nodes CertRenewTimeStamp can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the EntDMID with the old client certificate during the certificate renewal process and saves the signature locally. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/SyncApplicationVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/SyncApplicationVersion +``` + + + + +Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0. + + + + +> [!NOTE] +> Once you set the value to 2.0, it won't go back to 1.0. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^(\d\.)?(\d)$` | +| Default Value | 1.0 | + + + + + + + + + +#### Device/Provider/{ProviderID}/Unenroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Unenroll +``` + + + + +The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. + + + + +> [!NOTE] +> `./Vendor/MSFT/DMClient/Unenroll` is supported for backward compatibility. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + +**Example**: The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device. @@ -848,7 +3804,724 @@ The following SyncML shows how to remotely unenroll the device. This command sho ``` + + + + + +#### Device/Provider/{ProviderID}/UPN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/UPN +``` + + + + +Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +## Device/Unenroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Unenroll +``` + + + + +The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + + + + + + +## Device/UpdateManagementServiceAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/UpdateManagementServiceAddress +``` + + + + +For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + + + + + + +## User/Provider + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider +``` + + + + +The root node for all settings that belong to a single management server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/Provider/{ProviderID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID} +``` + + + + +This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn't require XML/URI escaping. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### User/Provider/{ProviderID}/FirstSyncStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton +``` + + + + +This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Do not show the Collect Logs button on the progress page. | +| true | Show the Collect Logs button on the progress page. | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText +``` + + + + +This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages +``` + + + + +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages +``` + + + + +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles +``` + + + + +This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts +``` + + + + +This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies +``` + + + + +This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts +``` + + + + +This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone +``` + + + + +This node, when doing a get, tells the server if the "First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | The user is not finished provisioning. | +| true | The user has finished provisoining. | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning +``` + + + + +This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can "change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Server has not finished provisioning. | +| true | Server has finished provisioning. | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned +``` + + + + +Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The device has failed to provision the user. | +| 1 | The device has successfully provisioned the user. | +| 2 | Provisioning is in progress. | + + + + + + + + + + + + + ## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 4f66124b30..b5ef6feff0 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md 
@@ -1,1906 +1,916 @@ --- title: DMClient DDF file -description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # DMClient DDF file - -This topic shows the OMA DM device description framework (DDF) for the **DMClient** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the DMClient configuration service provider. ```xml -]> +]> 1.2 + + + + DMClient + ./User/Vendor/MSFT + + + + + Root node for the CSP. + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Provider + + + + + The root node for all settings that belong to a single management server. + + + + + + + + + + + + + - DMClient - ./User/Vendor/MSFT + + + + + This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping. 
- + - + + ProviderID - com.microsoft/1.5/MDM/DMClient + + + + + + - Provider + FirstSyncStatus + + - + - + - + + + 10.0.16299 + 1.4 + - + ExpectedPolicies + + This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. - + - + - text/plain + + + + + + + + ExpectedNetworkProfiles + + + + + + + + This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user. + + + + + + + + + + + + + + + + + + + ExpectedMSIAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. + + + + + + + + + + + + + + + + + + + ExpectedModernAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. 
This is per user. + + + + + + + + + + + + + + + + + + + ExpectedPFXCerts + + + + + + + + This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + + + + + + + + + + + + + ExpectedSCEPCerts + + + + + + + + This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + + + + + + + + + + + + + ServerHasFinishedProvisioning + + + + + + This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. + + + + + + + + + + + + + + + false + Server has not finished provisioning + + + true + Server has finished provisioning + + + + + + IsSyncDone + + + + + + This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + false + The user is not finished provisioning + + + true + The user has finished provisoining. 
+ + + + + + WasDeviceSuccessfullyProvisioned + + + + + + Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + 0 + The device has failed to provision the user + + + 1 + The device has successfully provisioned the user. + + + 2 + Provisoining is in progress. + + + + + + AllowCollectLogsButton + + + + + + false + This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not show the Collect Logs button on the progress page. + + + true + Show the Collect Logs button on the progress page. + + + + + + CustomErrorText + + + + + + This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + - - FirstSyncStatus - - - - - - - - - - - - - - - - - - - - - ExpectedPolicies - - - - - - - - This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. - - - - - - - - - - - text/plain - - - - - ExpectedNetworkProfiles - - - - - - - - This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user. 
- - - - - - - - - - - text/plain - - - - - ExpectedMSIAppPackages - - - - - - - - This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. - - - - - - - - - - - text/plain - - - - - ExpectedModernAppPackages - - - - - - - - This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user. - - - - - - - - - - - text/plain - - - - - ExpectedPFXCerts - - - - - - - - This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. - - - - - - - - - - - text/plain - - - - - ExpectedSCEPCerts - - - - - - - - This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). 
This is per user. - - - - - - - - - - - text/plain - - - - - ServerHasFinishedProvisioning - - - - - - This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. - - - - - - - - - - - text/plain - - - - - IsSyncDone - - - - - - This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - text/plain - - - - - WasDeviceSuccessfullyProvisioned - - - - - - Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - text/plain - - - - - AllowCollectLogsButton - - - - - - false - This node decides whether or not the MDM progress page displays the Collect Logs button. 
This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - - - - text/plain - - - - - CustomErrorText - - - - - - - - This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - - - - text/plain - - - - + + + + DMClient + ./Device/Vendor/MSFT + + + + + Root node for the CSP. + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Provider + + + + + The root node for all settings that belong to a single management server. + + + + + + + + + + + + + - DMClient - ./Device/Vendor/MSFT + + + + + This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping. - + - + + ProviderID - com.microsoft/1.4/MDM/DMClient + + + + + + - Provider + EntDeviceName + + + + + + + + Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. + + + + + + + + + + + + + + + + + + ExchangeID + + + + + + + + Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server. + + + + + + + + + + + + + + + + + + EntDMID + + + + + + + + Character string that contains the unique enterprise device ID. 
The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. + + + + + + + + + + + + + + + + + + SignedEntDMID + + + + + + + + Character string that contains the device ID. This node and the nodes CertRenewTimeStamp can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the EntDMID with the old client certificate during the certificate renewal process and saves the signature locally. + + + + + + + + + + + + + + + + + + CertRenewTimeStamp + + + + + + + + The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created. + + + + + + + + + + + + + + + + + + PublisherDeviceID + + + + + + + + /EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises’ applications, each enterprise is identified differently.]]> + + + + + + + + + + + + + + + + + + ManagementServiceAddress + + + + + + . If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices. During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.]]> + + + + + + + + + + + + + + + + + + Device/Vendor/MSFT/DMClient/Provider/[ProviderID]/ManagementServerAddressList + + + + + + + + + UPN + + + + + + + Allows the management server to update the User Principal Name (UPN) of the enrolled user. 
This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. + + + + + + + + + + + + + + + + + + HelpPhoneNumber + + + + + + + + The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support. + + + + + + + + + + + + + + + + + + HelpWebsite + + + + + + + + The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support. + + + + + + + + + + + + + + + + + + HelpEmailAddress + + + + + + + + The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support. + + + + + + + + + + + + + + + + + + RequireMessageSigning + + + + + + + + false + Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server. 
+ + + + + + + + + + + + + + + false + The device management client does not include authentication information in the management session HTTP header. + + + true + The client authentication information is provided in the management session HTTP header. + + + + + + SyncApplicationVersion + + + + + + + + 1.0 + Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0. + + + + + + + + + + + + + + ^(\d\.)?(\d)$ + + + + + MaxSyncApplicationVersion + Used by the client to indicate the latest DM session version that it supports. - + - + - + - + - - - - - - - - - - - - - - - - - - - text/plain - - - - EntDeviceName - - - - - - - - - - - - - - - - - - text/plain - - - - - ExchangeID - - - - - - - - - - - - - - - - - - text/plain - - - - - EntDMID - - - - - - - - - - - - - - - - - - text/plain - - - - - SignedEntDMID - - - - - - - - - - - - - - - - - - text/plain - - - - - CertRenewTimeStamp - - - - - - - - - - - - - - - - - - text/plain - - - - - - PublisherDeviceID - - - - - - - - - - - - - - - - - - text/plain - - - - - - ManagementServiceAddress - - - - - - - - - - - - - - - - text/plain - - - - - UPN - - - - - - - - - - - - - - - - - text/plain - - - - - HelpPhoneNumber - - - - - - - - - - - - - - - - - - text/plain - - - - - HelpWebsite - - - - - - - - - - - - - - - - - - text/plain - - - - - HelpEmailAddress - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireMessageSigning - - - - - - - - - - - - - - - - - - text/plain - - - - - SyncApplicationVersion - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxSyncApplicationVersion - - - - - - - - - - - - - - - text/plain - - - - - Unenroll - - - - - - - - - - - - - - - - text/plain - - - - - AADResourceID - - - - 
- - - - - - - - - - - - - text/plain - - - - - AADDeviceID - - - - - Device ID used for AAD device registration - - - - - - - - - - - text/plain - - - - - EnrollmentType - - - - - Type of MDM enrollment - - - - - - - - - - - text/plain - - - - - EnableOmaDmKeepAliveMessage - - - - - - - - - - - - - - - - text/plain - - - - - HWDevID - - - - - - - - - - - - - - - text/plain - - - - - ManagementServerAddressList - - - - - - - - - - - - - - - - text/plain - - - - - CommercialID - - - - - - - - - - - - - - - - - - text/plain - - - - - ManagementServerToUpgradeTo - - - - - - - - Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device - - - - - - - - - - - text/plain - - - - - NumberOfDaysAfterLostContactToUnenroll - - - - - - - - Number of days after last successful sync to unenroll - - - - - - - - - - - text/plain - - - - - AADSendDeviceToken - - - - - - - - Send the device Azure Active Directory token, if the user one can't be returned - - - - - - - - - - - text/plain - - - - - Push - - - - - - - - - - - - - - - - - - - - - PFN - - - - - - - - - - - - - - - - - text/plain - - - - - ChannelURI - - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - - Poll - - - - - - - - - - - - - - - - - - - - - IntervalForFirstSetOfRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfFirstRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - IntervalForSecondSetOfRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfSecondRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - IntervalForRemainingScheduledRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfRemainingScheduledRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - PollOnLogin - - - - - - - - - - - - - - - - - - text/plain - - - - - AllUsersPollOnFirstLogin - - - - - - - - - - - - - - - - - - text/plain - - - - - - CustomEnrollmentCompletePage - 
- - - - - - - - - - - - - - - - - - - - Title - - - - - - - - - - - - - - - - - - text/plain - - - - - BodyText - - - - - - - - - - - - - - - - - - text/plain - - - - - HyperlinkHref - - - - - - - - - - - - - - - - - - text/plain - - - - - HyperlinkText - - - - - - - - - - - - - - - - - - text/plain - - - - - - FirstSyncStatus - - - - - - - - - - - - - - - - - - - - - ExpectedPolicies - - - - - - - - This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). - - - - - - - - - - - text/plain - - - - - ExpectedNetworkProfiles - - - - - - - - This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". - - - - - - - - - - - text/plain - - - - - ExpectedMSIAppPackages - - - - - - - - This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. - - - - - - - - - - - text/plain - - - - - ExpectedModernAppPackages - - - - - - - - This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. 
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. - - - - - - - - - - - text/plain - - - - - ExpectedPFXCerts - - - - - - - - This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). - - - - - - - - - - - text/plain - - - - - ExpectedSCEPCerts - - - - - - - - This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). - - - - - - - - - - - text/plain - - - - - TimeOutUntilSyncFailure - - - - - - This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day). - - - - - - - - - - - text/plain - - - - - ServerHasFinishedProvisioning - - - - - - This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. - - - - - - - - - - - text/plain - - - - - IsSyncDone - - - - - - This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. 
When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - text/plain - - - - - WasDeviceSuccessfullyProvisioned - - - - - - Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - text/plain - - - - - BlockInStatusPage - - - - - - 0 - Device Only. This node determines whether or not the MDM progress page is blocking in the Azure Active Directory-joined or DJ++ case, as well as which remediation options are available. - - - - - - - - - - - - - - text/plain - - - - - AllowCollectLogsButton - - - - - - false - This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page. - - - - - - - - - - - - - - text/plain - - - - - CustomErrorText - - - - - - - - This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - - - - text/plain - - - - - SkipDeviceStatusPage - - - - - - true - Device only. This node decides whether or not the MDM device progress page skips after Azure Active Directory-joined or Hybrid Azure AD-joined in OOBE. 
- - - - - - - - - - - - - - text/plain - - - - - SkipUserStatusPage - - - - - - false - Device only. This node decides wheter or not the MDM user progress page skips after Azure Active Directory-joined or DJ++ after user login. - - - - - - - - - - - - - - text/plain - - - - - - EnhancedAppLayerSecurity - - - - - - - - - - - - - - - - - - - SecurityMode - - - - - - - - This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. - - - - - - - - - - - text/plain - - - - - UseCertIfRevocationCheckOffline - - - - - - - - This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set. - - - - - - - - - - - text/plain - - - - - Cert0 - - - - - - - - The node contains the primary certificate - the public key to use. - - - - - - - - - - - text/plain - - - - - Cert1 - - - - - - - - The node contains the secondary certificate - the public key to use. - - - - - - - - - - - text/plain - - - - - Unenroll @@ -1909,6 +919,7 @@ The XML below is for Windows 10, version 1803. + tag under the element.]]> @@ -1919,17 +930,19 @@ The XML below is for Windows 10, version 1803. - text/plain + - UpdateManagementServiceAddress + AADResourceID + + This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access. 
@@ -1940,8 +953,97 @@ The XML below is for Windows 10, version 1803. - text/plain + + + + + + + AADDeviceID + + + + + Device ID used for AAD device registration + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + EnrollmentType + + + + + Type of MDM enrollment (Device or Full). + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + EnableOmaDmKeepAliveMessage + + + + + + false + A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. + + + + + + + + + + + + + + 10.0.10586 + 1.1 + + + + false + Enable message + + + true + Disable message + + @@ -1950,6 +1052,7 @@ The XML below is for Windows 10, version 1803. + Returns the hardware device ID. 
@@ -1960,10 +1063,1968 @@ The XML below is for Windows 10, version 1803. - text/plain + + + 10.0.14393 + 1.2 + + + ManagementServerAddressList + + + + + + , and so on. If there is only one, the angle brackets (<>) are not required. The < and > should be escaped. If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.]]> + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + CommercialID + + + + + + + + Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + ManagementServerToUpgradeTo + + + + + + + + Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device + + + + + + + + + + + + + + 10.0.15063 + 1.3 + + + + + + + NumberOfDaysAfterLostContactToUnenroll + + + + + + + + Number of days after last sucessful sync to unenroll + + + + + + + + + + + + + + 10.0.16299 + 1.4 + + + + + + + AADSendDeviceToken + + + + + + + + For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. 
+ + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not send Device Token if User Token cannot be obtained. + + + true + Send Device Token if User Token cannot be obtained. + + + + + + ForceAadToken + + + + + + + + Force device to send device AAD token during checkin as a separate header. + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.739, 10.0.19044.1766, 10.0.19043.1766, 10.0.19042.1766 + 1.6 + + + + 0 + ForceAadTokenNotDefined: the value is not defined(default) + + + 1 + AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during checkin as a separate header section(not as Bearer token). + + + 2 + Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer toekn). + + + 4 + SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. + + + 8 + Reserved for future. ForceAadTokenMaxAllowed: max value allowed. + + + + + + Push + + + + + + + Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. + + + + + + + + + + + + + + + PFN + + + + + + + + A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing. + + + + + + + + + + + + + + + + + + ChannelURI + + + + + A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. + + + + + + + + + + + + + + + + Status + + + + + An integer that maps to a known error state or condition on the system. 
Valid values are: 0 - Success, 1 - Failure: invalid PFN, 2 - Failure: invalid or expired device authentication with MSA, 3 - Failure: WNS client registration failed due to an invalid or revoked PFN, 4 - Failure: no Channel URI assigned, 5 - Failure: Channel URI has expired, 6 - Failure: Channel URI failed to be revoked, 7 - Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations, 8 - Unknown error + + + + + + + + + + + + + + + + + Poll + + + + + + + Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window. + + + + + + + + + + + + + + + IntervalForFirstSetOfRetries + + + + + + + + /Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.]]> + + + + + + + + + + + + + + + + + + NumberOfFirstRetries + + + + + + + + The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10. 
The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule. + + + + + + + + + + + + + + + + + + IntervalForSecondSetOfRetries + + + + + + + + /Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.]]> + + + + + + + + + + + + + + + + + + NumberOfSecondRetries + + + + + + + + The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule. + + + + + + + + + + + + + + + + + + IntervalForRemainingScheduledRetries + + + + + + + + /Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.]]> + + + + + + + + + + + + + + + + + + NumberOfRemainingScheduledRetries + + + + + + + + The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. 
If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push. + + + + + + + + + + + + + + + + + + PollOnLogin + + + + + + + + false + Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + + + + + + + + + + + + + + + false + Polling is disabled on first login + + + true + Polling is enabled on first login. + + + + + + AllUsersPollOnFirstLogin + + + + + + + + false + Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + + + + + + + + + + + + + + + false + Polling is disabled on first login + + + true + Polling is enabled on first login. + + + + + + + CustomEnrollmentCompletePage + + + + + + + These nodes provision custom text for the enrollment page. + + + + + + + + + + + + + + 10.0.15063 + 1.3 + + + + Title + + + + + + + + Specifies the title of the all done page that appears at the end of the MDM enrollment flow. 
+ + + + + + + + + + + + + + + + + + BodyText + + + + + + + + Specifies the body text of the all done page that appears at the end of the MDM enrollment flow. + + + + + + + + + + + + + + + + + + HyperlinkHref + + + + + + + + Specifies the URL that is shown at the end of the MDM enrollment flow. + + + + + + + + + + + + + + + + + + HyperlinkText + + + + + + + + Specifies the display text for the URL that is shown at the end of the MDM enrollment flow. + + + + + + + + + + + + + + + + + + + FirstSyncStatus + + + + + + + + + + + + + + + + + + + + 10.0.16299 + 1.4 + + + + ExpectedPolicies + + + + + + + + This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + + + + + + + + + ExpectedNetworkProfiles + + + + + + + + This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". + + + + + + + + + + + + + + + + + + + ExpectedMSIAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. + + + + + + + + + + + + + + + + + + + ExpectedModernAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". 
The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. + + + + + + + + + + + + + + + + + + + ExpectedPFXCerts + + + + + + + + This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + + + + + + + + + ExpectedSCEPCerts + + + + + + + + This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + + + + + + + + + TimeOutUntilSyncFailure + + + + + + 60 + This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day). + + + + + + + + + + + + + + [1-1440] + + + + + ServerHasFinishedProvisioning + + + + + + This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. 
+ + + + + + + + + + + + + + + false + Server has not finished provisioning + + + true + Server has finished provisioning + + + + + + IsSyncDone + + + + + + This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + false + The device is not finished provisioning + + + true + The device has finished provisoining. + + + + + + WasDeviceSuccessfullyProvisioned + + + + + + Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + 0 + The device has failed to provision the device + + + 1 + The device has successfully provisioned the device. + + + 2 + Provisoining is in progress. + + + + + + BlockInStatusPage + + + + + + 0 + Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + 0x0 + Allow the user to exit the page before provisioning completes. + + + 0x1 + Block the user on the page and show the Reset PC button on failure. 
+ + + 0x2 + Block the user on the page and show the Try Again button on failure. + + + 0x4 + Block the user on the page and show the Continue Anyway button on failure. + + + + + + AllowCollectLogsButton + + + + + + false + This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not show the Collect Logs button on the progress page. + + + true + Show the Collect Logs button on the progress page. + + + + + + CustomErrorText + + + + + + + + This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + + + + SkipDeviceStatusPage + + + + + + true + Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE + + + true + Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE + + + + + + SkipUserStatusPage + + + + + + true + Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. + + + true + Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE + + + + + + + EnhancedAppLayerSecurity + + + + + + + + + + + + + + + + + + 10.0.16299 + 1.4 + + + + SecurityMode + + + + + + + + 0 + This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. 
+ + + + + + + + + + + + + + + 0 + no op + + + 1 + sign only + + + 2 + encrypt only + + + 3 + sign and encrypt + + + + + + UseCertIfRevocationCheckOffline + + + + + + + + false + This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set. + + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Cert0 + + + + + + + + The node contains the primary certificate - the public key to use. + + + + + + + + + + + + + + + + + + Cert1 + + + + + + + + The node contains the secondary certificate - the public key to use. + + + + + + + + + + + + + + + + + + + ConfigLock + + + + + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + Lock + + + + + + + + 0 + This node specifies how the client will perform the lock mode for SecureCore PC. 0: unlock; 1: lock. The default value is 0. + + + + + + + + + + + + + + + 0 + Unlock + + + 1 + Lock + + + + + + UnlockDuration + + + + + + + + 480 + This node, when it is set, tells the client to set how many minutes the device should be temporarily unlocked from SecureCore settings protection. The default value is 480. + + + + + + + + + + + + + + + + + + SecureCore + + + + + The node returns the boolean value whether the device is a SecureCore PC. + + + + + + + + + + + + + + + + + LinkedEnrollment + + + + + The interior node for linked enrollment + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.918, 10.0.19044.2193, 10.0.19043.2193, 10.0.19042.2193 + 1.6 + + + + Priority + + + + + + + + Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority. + + + + + + + + + + + + + + + 0 + The main enrollment has priority over linked enrollment. + + + 1 + The linked enrollment has priority over the main enrollment. + + + + + + LastError + + + + + return the last error for enroll/unenroll. 
+ + + + + + + + + + + + + + + + EnrollStatus + + + + + Returns the current enrollment or un-enrollment status of the linked enrollment. + + + + + + + + + + + + + + + 0 + Undefined + + + 1 + Enrollment Not started. + + + 2 + Enrollment In Progress. + + + 3 + Enrollment Failed. + + + 4 + Enrollment Succeeded. + + + 5 + Unenrollment Not started. + + + 6 + UnEnrollment In Progress. + + + 7 + UnEnrollment Failed. + + + 8 + UnEnrollment Succeeded. + + + + + + Enroll + + + + + Trigger to enroll for the Linked Enrollment + + + + + + + + + + + + + + + + Unenroll + + + + + Trigger Unenroll for the Linked Enrollment + + + + + + + + + + + + + + + + + MultipleSession + + + + + + + + + + + + + + + + + + 10.0.22000 + 1.6 + 0xAF + + + + NumAllowedConcurrentUserSessionForBackgroundSync + + + + + + + + Optional. Maximum number of concurrent user sync sessions in background. Default value is 25. 0 none, 1 sequential, anything else: parallel. + + + + + + + + + + + + + + + + + + NumAllowedConcurrentUserSessionAtUserLogonSync + + + + + + + + Optional. Maximum number of concurrent user sync sessions at User Login. Default value is 25. 0 none, 1 sequential, anything else: parallel. + + + + + + + + + + + + + + + + + + IntervalForScheduledRetriesForUserSession + + + + + + + + + + + + + + + + + + + + + + + + + + NumberOfScheduledRetriesForUserSession + + + + + + + + The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is 0 and IntervalForScheduledRetriesForUserSession is not 0, then the schedule will be set to repeat for an infinite number of times. 
+ + + + + + + + + + + + + + + + + + + Recovery + + + + + Parent node for Recovery nodes + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.1165 + 1.6 + + + + AllowRecovery + + + + + + 0 + This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate + + + + + + + + + + + + + + + 1 + MDM Recovery is allowed. + + + 0 + MDM Recovery is not allowed. + + + LastWrite + + + + InitiateRecovery + + + + + 0 + This node initiates a recovery action. The server can specify prerequisites before the action is taken. + + + + + + + + + + + + + + + 0 + Initiate MDM Recovery + + + 1 + Initiate Recovery if Keys are not already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. + + + + + + RecoveryStatus + + + + + 0 + This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM is not available. 4 - Recovery has failed to start because AAD keys are not protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM is not ready for attestation. 7 - Recovery has failed because the client cannot authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request. + + + + + + + + + + + + + + + + + + Unenroll + + + + + + > tag under the element. Scope is permanent.]]> + + + + + + + + + + + + + + + + UpdateManagementServiceAddress + + + + + + For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. 
You cannot add new servers to the list using this node. + + + + + + + + + + + + + + + + + + + HWDevID + + + + + Returns the hardware device ID. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + ``` + +## Related articles + +[DMClient configuration service provider reference](dmclient-csp.md) diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 35f29d23a7..7f96c29f4f 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -1,7 +1,7 @@ --- title: EAP configuration description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -19,45 +19,45 @@ This article provides a step-by-step guide for creating an Extensible Authentica To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box: -1. Run rasphone.exe. +1. Run rasphone.exe. ![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png) -1. If you don't currently have a VPN connection and you see the following message, select **OK**. +1. If you don't currently have a VPN connection and you see the following message, select **OK**. ![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png) -1. In the wizard, select **Workplace network**. +1. In the wizard, select **Workplace network**. ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png) -1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters. +1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters. ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png) -1. Create a fake VPN connection. In the UI shown here, select **Properties**. +1. Create a fake VPN connection. In the UI shown here, select **Properties**. ![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png) -1. In the **Test Properties** dialog, select the **Security** tab. +1. In the **Test Properties** dialog, select the **Security** tab. ![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png) -1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**. +1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**. ![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png) -1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed. +1. 
From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed. ![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png) -1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. +1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. ```powershell Get-VpnConnection -Name Test ``` - Here's an example output. + Here's an example output. ``` syntax Name : Test @@ -88,26 +88,46 @@ To get the EAP configuration from your desktop using the rasphone tool that is s Here's an example output. ```xml - 1300013truefalsefalsetrue - true + + + 13 + 0 + 0 + 0 + + + + 13 + + + + true + + + + false + + + false + true + true + + + + + + + + + + ``` > [!NOTE] > You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations: - > - C:\\Windows\\schemas\\EAPHost - > - C:\\Windows\\schemas\\EAPMethods - + > + > - C:\\Windows\\schemas\\EAPHost + > - C:\\Windows\\schemas\\EAPMethods ## EAP certificate filtering 
@@ -115,15 +135,15 @@ In your deployment, if you have multiple certificates provisioned on the device Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as: -- The user might be prompted to select the certificate. -- The wrong certificate might be auto-selected and cause an authentication failure. +- The user might be prompted to select the certificate. +- The wrong certificate might be auto-selected and cause an authentication failure. A production ready deployment must have appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and appropriate certificate can be used for the authentication. EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: -- For Wi-Fi, look for the `` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. Replace the section under `` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. -- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field. +- For Wi-Fi, look for the `` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. 
Replace the section under `` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field. For information about EAP settings, see . @@ -135,23 +155,22 @@ For information about adding EKU to a certificate, see [!NOTE] > For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements. -  ```xml 
@@ -254,36 +273,32 @@ The following XML sample explains the properties for the EAP TLS XML, including > [!NOTE] > The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd. -  Alternatively, you can use the following procedure to create an EAP configuration XML: -1. Follow steps 1 through 7 in the EAP configuration article. -1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this value selects EAP TLS). +1. Follow steps 1 through 7 in the EAP configuration article. +1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this value selects EAP TLS). ![vpn self host properties window.](images/certfiltering1.png) > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. -   - -1. Select the **Properties** button underneath the drop-down menu. -1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. +1. Select the **Properties** button underneath the drop-down menu. +1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. ![smart card or other certificate properties window.](images/certfiltering2.png) -1. On the **Configure Certificate Selection** menu, adjust the filters as needed. +1. On the **Configure Certificate Selection** menu, adjust the filters as needed. ![configure certificate window.](images/certfiltering3.png) -1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box. -1. Close the rasphone dialog box. -1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering. +1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box. +1. Close the rasphone dialog box. +1. 
Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering. > [!NOTE] > You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article. - ## Related topics [Configuration service provider reference](index.yml) diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 31d99fa377..877d121472 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md 
@@ -1,336 +1,1479 @@ --- title: EMAIL2 CSP -description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. -ms.reviewer: +description: Learn more about the EMAIL2 CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # EMAIL2 CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. -> [!Note] +> [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application. -On Windows client, only per user configuration is supported.  - -The following information shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. 
- -```console -./Vendor/MSFT -EMAIL2 -----Account GUID ---------ACCOUNTICON ---------ACCOUNTTYPE ---------AUTHNAME ---------AUTHREQUIRED ---------AUTHSECRET ---------DOMAIN ---------DWNDAY ---------INSERVER ---------LINGER ---------KEEPMAX ---------NAME ---------OUTSERVER ---------REPLYADDR ---------SERVICENAME ---------SERVICETYPE ---------RETRIEVE ---------SERVERDELETEACTION ---------CELLULARONLY ---------SYNCINGCONTENTTYPES ---------CONTACTSSERVER ---------CALENDARSERVER ---------CONTACTSSERVERREQUIRESSL ---------CALENDARSERVERREQUIRESSL ---------CONTACTSSYNCSCHEDULE ---------CALENDARSYNCSCHEDULE ---------SMTPALTAUTHNAME ---------SMTPALTDOMAIN ---------SMTPALTENABLED ---------SMTPALTPASSWORD ---------TAGPROPS -------------8128000B -------------812C000B -``` - -After provisioning, the **Start** screen has a tile for the proprietary mail provider and there's also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status. - -Configuration data isn't encrypted when sent over the air (OTA). This is a potential security risk when sending sensitive configuration data, such as passwords. - > [!IMPORTANT] > All Add and Replace commands need to be wrapped in an Atomic section. + -**EMAIL2** -The configuration service provider root node. + +The following list shows the EMAIL2 configuration service provider nodes: -Supported operation is Get. 
+- ./User/Vendor/MSFT/EMAIL2 + - [{Account GUID}](#account-guid) + - [ACCOUNTICON](#account-guidaccounticon) + - [ACCOUNTTYPE](#account-guidaccounttype) + - [AUTHNAME](#account-guidauthname) + - [AUTHREQUIRED](#account-guidauthrequired) + - [AUTHSECRET](#account-guidauthsecret) + - [CALENDARSERVER](#account-guidcalendarserver) + - [CALENDARSERVERREQUIRESSL](#account-guidcalendarserverrequiressl) + - [CALENDARSYNCSCHEDULE](#account-guidcalendarsyncschedule) + - [CELLULARONLY](#account-guidcellularonly) + - [CONTACTSSERVER](#account-guidcontactsserver) + - [CONTACTSSERVERREQUIRESSL](#account-guidcontactsserverrequiressl) + - [CONTACTSSYNCSCHEDULE](#account-guidcontactssyncschedule) + - [DOMAIN](#account-guiddomain) + - [DWNDAY](#account-guiddwnday) + - [INSERVER](#account-guidinserver) + - [KEEPMAX](#account-guidkeepmax) + - [LINGER](#account-guidlinger) + - [NAME](#account-guidname) + - [OUTSERVER](#account-guidoutserver) + - [REPLYADDR](#account-guidreplyaddr) + - [RETRIEVE](#account-guidretrieve) + - [SERVERDELETEACTION](#account-guidserverdeleteaction) + - [SERVICENAME](#account-guidservicename) + - [SERVICETYPE](#account-guidservicetype) + - [SMTPALTAUTHNAME](#account-guidsmtpaltauthname) + - [SMTPALTDOMAIN](#account-guidsmtpaltdomain) + - [SMTPALTENABLED](#account-guidsmtpaltenabled) + - [SMTPALTPASSWORD](#account-guidsmtpaltpassword) + - [SYNCINGCONTENTTYPES](#account-guidsyncingcontenttypes) + - [TAGPROPS](#account-guidtagprops) + - [8128000B](#account-guidtagprops8128000b) + - [812C000B](#account-guidtagprops812c000b) + -***GUID*** -Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case. + +## {Account GUID} -Supported operations are Get, Add, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID} +``` + + + + +This is unique and identifies a particular account. Also, we can only have 6 additional email accounts. So, depending on how many are already there on the device, we can have from 1 to 6. + + + + +A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case. The braces {} around the GUID are required in the EMAIL2 configuration service provider. - For OMA Client Provisioning, the braces can be sent literally. For example, `` - For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D` + -**ACCOUNTICON** -Optional. Returns the location of the icon associated with the account. + +**Description framework properties**: -Supported operations are Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + -The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added. + + + -**ACCOUNTTYPE** -Required. Specifies the type of account. 
+ -Supported operations are Get, Add, Replace, and Delete. + +### {Account GUID}/ACCOUNTICON -Valid values are: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- Email: Normal email -- VVM: Visual voice mail + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/ACCOUNTICON +``` + -**AUTHNAME** -Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). + + +The location of the icon associated with the account. The account icon can be used as a tile in the Start list or an icon in the applications list under Settings, email & accounts. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{ScreenResolution}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{ScreenResolution}!%s.office.outlook.png. Custom icons can be added if desired. + -Supported operations are Get, Add, Replace, and Delete. + + + -**AUTHREQUIRED** -Optional. Character string that specifies whether the outgoing server requires authentication. + +**Description framework properties**: -Supported operations are Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Value options are: + + + -- 0 - Server authentication isn't required. -- 1 - Server authentication is required. + + + +### {Account GUID}/ACCOUNTTYPE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/ACCOUNTTYPE +``` + + + + +Specifies the type of account. Valid values are: Email - normal email, VVM - visual voice mail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Email | Normal email. | +| VVM | Visual voice mail. | + + + + + + + + + +### {Account GUID}/AUTHNAME + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/AUTHNAME +``` + + + + +Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/AUTHREQUIRED + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/AUTHREQUIRED +``` + + + + +Character string that specifies whether the outgoing server requires authentication. +1 for TRUE +0 for FALSE(default). > [!NOTE] -> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED. +> If this is not specified then SMTP authentication will not be done. Also, this is different from the SMTPALTENABLED. That is to specify different set of credentials for SMTP. + -**AUTHSECRET** -Optional. Character string that specifies the user's password. The same password is used for SMTP authentication. + + + -Supported operations are Get, Add, Replace, and Delete. + +**Description framework properties**: -**DOMAIN** -Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported operations are Get, Add, Replace, and Delete. + +**Allowed values**: -**DWNDAY** -Optional. Character string that specifies how many days' worth of email should be downloaded from the server. +| Value | Description | +|:--|:--| +| 0 | Server authentication is not required. | +| 1 | Server authentication is required. | + -Supported operations are Get, Add, Replace, and Delete. + + + -Value options: + -- -1: Specifies that all email currently on the server should be downloaded. -- 7: Specifies that seven days’ worth of email should be downloaded. -- 14: Specifies that 14 days’ worth of email should be downloaded. -- 30: Specifies that 30 days’ worth of email should be downloaded. + +### {Account GUID}/AUTHSECRET -**INSERVER** -Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. 
If the standard port number is used, then you don't have to specify the port number. The value format is: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- server name:port number + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/AUTHSECRET +``` + -Supported operations are Get, Add, and Replace. + + +Character string that specifies the user's password. The same password is used for SMTP authentication. + -**LINGER** -Optional. Character string that specifies the length of time between email send/receive updates in minutes. + + + -Supported operations are Get, Add, Replace, and Delete. + +**Description framework properties**: -Value options: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- 0 - Email updates must be performed manually -- 15 (default) - Wait for 15 minutes between updates -- 30 - Wait for 30 minutes between updates -- 60 - Wait for 60 minutes between updates -- 120 - Wait for 120 minutes between updates. + + + -**KEEPMAX** -Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts. + -The limit is specified in KB. + +### {Account GUID}/CALENDARSERVER -Value options are 0, 25, 50, 125, and 250. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -A value of 0 meaning that no limit will be enforced. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CALENDARSERVER +``` + -Supported operations are Get, Add, Replace, and Delete. + + +Server for calendar sync if it is different from the email server. + -**NAME** -Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters. + + + -Supported operations are Get, Add, Replace, and Delete. + +**Description framework properties**: -**OUTSERVER** -Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- server name:port number + + + -Supported operations are Get, Add, Delete, and Replace. + -**REPLYADDR** -Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters. + +### {Account GUID}/CALENDARSERVERREQUIRESSL -Supported operations are Get, Add, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**SERVICENAME** -Required. Character string that specifies the name of the email service to create or edit (32 characters maximum). + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CALENDARSERVERREQUIRESSL +``` + -Supported operations are Get, Add, Replace, and Delete. + + +Indicates if the connection to the calendar server requires SSL. + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CALENDARSYNCSCHEDULE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CALENDARSYNCSCHEDULE +``` + + + + +Sets the schedule for syncing calendar items. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CELLULARONLY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CELLULARONLY +``` + + + + +If this flag is set, the account only uses the cellular network and not Wi-Fi. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CONTACTSSERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CONTACTSSERVER +``` + + + + +Server for contact sync if it is different from the email server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CONTACTSSERVERREQUIRESSL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CONTACTSSERVERREQUIRESSL +``` + + + + +Indicates if the connection to the contact server requires SSL. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CONTACTSSYNCSCHEDULE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CONTACTSSYNCSCHEDULE +``` + + + + +Sets the schedule for syncing contact items. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/DOMAIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/DOMAIN +``` + + + + +Character string that specifies the incoming server credentials domain. Limited to 255 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/DWNDAY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/DWNDAY +``` + + + + +Character string that specifies how many days' worth of email should be downloaded from the server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| -1 | Specifies that all email currently on the server should be downloaded. | +| 7 | Specifies that 7 days’ worth of email should be downloaded. | +| 14 | Specifies that 14 days’ worth of email should be downloaded. | +| 30 | Specifies that 30 days’ worth of email should be downloaded. | +| 90 | Specifies that 90 days’ worth of email should be downloaded. | + + + + + + + + + +### {Account GUID}/INSERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/INSERVER +``` + + + + +Character string that specifies how many days' worth of email should be downloaded from the server. server name:port number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/KEEPMAX + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/KEEPMAX +``` + + + + +Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts. The limit is specified in KB. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| -1 | No limit is enforced. | +| 0 | No attachment is downloaded. | +| 25 | 25 KB. | +| 50 | 50 KB. | +| 100 | 100 KB. | +| 250 | 250 KB. | + + + + + + + + + +### {Account GUID}/LINGER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/LINGER +``` + + + + +Character string that specifies the length of time between email send/receive updates in minutes. 0 indicates that updates must be performed manually. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[(-1)-2147483647]` | +| Default Value | 15 | + + + + + + + + + +### {Account GUID}/NAME + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/NAME +``` + + + + +Character string that specifies the name of the sender displayed on a sent email. It should be set to the user's name. Limited to 255 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/OUTSERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/OUTSERVER +``` + + + + +Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is: server name:port number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/REPLYADDR + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/REPLYADDR +``` + + + + +Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/RETRIEVE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/RETRIEVE +``` + + + + +Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[(-1)-2147483647]` | + + + + + + + + + +### {Account GUID}/SERVERDELETEACTION + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SERVERDELETEACTION +``` + + + + +Character string that specifies how message is deleted on server. The default action depends on the transport. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Delete message on the server. | +| 2 | Keep the message on the server (delete to the Trash folder). | + + + + + + + + + +### {Account GUID}/SERVICENAME + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SERVICENAME +``` + + + + +Character string that specifies the name of the email service to create or edit (32 characters maximum). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + > [!NOTE] > The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. + -**SERVICETYPE** -Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3"). + -Supported operations are Get, Add, Replace, and Delete. + +### {Account GUID}/SERVICETYPE -> **Note**   The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**RETRIEVE** -Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SERVICETYPE +``` + -Value options are 512, 1024, 2048, 5120, 20480, and 51200. + + +Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3"). + -Supported operations are Get, Add, Replace, and Delete. + + +> [!NOTE] +> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. + -**SERVERDELETEACTION** -Optional. Character string that specifies how message is deleted on server. Value options are: + +**Description framework properties**: -- 1 - Delete message on the server. -- 2 - Keep the message on the server (delete to the Trash folder). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Any other value results in default action, which depends on the transport. + + + -Supported operations are Get, Add, Replace, and Delete. + -**CELLULARONLY** -Optional. If this flag is set, the account only uses the cellular network and not Wi-Fi. + +### {Account GUID}/SMTPALTAUTHNAME -Value type is string. Supported operations are Get, Add, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**SYNCINGCONTENTTYPES** -Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SMTPALTAUTHNAME +``` + -- No data (0x0) -- Contacts (0x1) -- Mail (0x2) -- Appointments (0x4) -- Tasks (0x8) -- Notes (0x10) -- Feeds (0x60) -- Network Photo (0x180) -- Group and room (0x200) -- Chat (0x400) -- Email Recipient Email (0x800) -- Server Link (0x1000) -- All items (0xffffffff) + + +Character string that specifies the display name associated with the user's alternative SMTP email account. + -Supported operations are Get, Add, Replace, and Delete. + + + -**CONTACTSSERVER** -Optional. Server for contact sync if it's different from the email server. + +**Description framework properties**: -Supported operations are Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**CALENDARSERVER** -Optional. Server for calendar sync if it's different from the email server. + + + -Supported operations are Get, Add, Replace, and Delete. + -**CONTACTSSERVERREQUIRESSL** -Optional. Indicates if the connection to the contact server requires SSL. + +### {Account GUID}/SMTPALTDOMAIN -Supported operations are Get, Add, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**CALENDARSERVERREQUIRESSL** -Optional. Indicates if the connection to the calendar server requires SSL. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SMTPALTDOMAIN +``` + -Supported operations are Get, Add, Replace, and Delete. + + +Character string that specifies the domain name for the user's alternative SMTP account. + -**CONTACTSSYNCSCHEDULE** -Optional. Sets the schedule for syncing contact items. + + + -Supported operations are Get, Add, Replace, and Delete. + +**Description framework properties**: -**CALENDARSYNCSCHEDULE** -Optional. Sets the schedule for syncing calendar items. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported operations are Get, Add, Replace, and Delete. + + + -**SMTPALTAUTHNAME** -Optional. Character string that specifies the display name associated with the user's alternative SMTP email account. + -Supported operations are Get, Add, Replace, and Delete. + +### {Account GUID}/SMTPALTENABLED -**SMTPALTDOMAIN** -Optional. Character string that specifies the domain name for the user's alternative SMTP account. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Supported operations are Get, Add, Replace, and Delete. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SMTPALTENABLED +``` + -**SMTPALTENABLED** -Optional. Character string that specifies if the user's alternate SMTP account is enabled. + + +Character string that specifies if the user's alternate SMTP account is enabled. + -Supported operations are Get, Add, Replace, and Delete. + + + -A value of "FALSE" means the user's alternate SMTP email account is disabled. A value of "TRUE" means that the user's alternate SMTP email account is enabled. + +**Description framework properties**: -**SMTPALTPASSWORD** -Optional. Character string that specifies the password for the user's alternate SMTP account. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported operations are Get, Add, Replace, and Delete. + +**Allowed values**: -**TAGPROPS** -Optional. Defines a group of properties with non-standard element names. +| Value | Description | +|:--|:--| +| 0 | The user's alternate SMTP email account is disabled. | +| 1 | The user's alternate SMTP email account is enabled. | + -Supported operations are Get, Add, Replace, and Delete. + + + -**TAGPROPS/8128000B** -Optional. Character string that specifies if the incoming email server requires SSL. + -Supported operations are Get, Add, Replace, and Delete. + +### {Account GUID}/SMTPALTPASSWORD -Value options are: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- 0 - SSL isn't required. -- 1 - SSL is required. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SMTPALTPASSWORD +``` + -**TAGPROPS/812C000B** -Optional. Character string that specifies if the outgoing email server requires SSL. + + +Character string that specifies the password for the user's alternate SMTP account. + -Supported operations are Get and Replace. + + + -Value options: + +**Description framework properties**: -- 0 - SSL isn't required. -- 1 - SSL is required. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + +### {Account GUID}/SYNCINGCONTENTTYPES + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SYNCINGCONTENTTYPES +``` + + + + +Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x0 | No data. | +| 0x1 | Contacts. | +| 0x2 | Mail. | +| 0x4 | Appointments. | +| 0x8 | Tasks. | +| 0x10 | Notes. | +| 0x60 | Feeds. | +| 0x180 | Network Photo. | +| 0x200 | Group and room. | +| 0x400 | Chat. | +| 0x800 | Email Recipient Email. | +| 0x1000 | Server Link. | +| 0xffffffff | All items. | + + + + + + + + + +### {Account GUID}/TAGPROPS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/TAGPROPS +``` + + + + +Specifies that stated parameter element name attributes is nonstandard tag properties. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### {Account GUID}/TAGPROPS/8128000B + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/TAGPROPS/8128000B +``` + + + + +Character string that specifies if the incoming email server requires SSL. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | SSL is not required. | +| 1 | SSL is required. | + + + + + + + + + +#### {Account GUID}/TAGPROPS/812C000B + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/TAGPROPS/812C000B +``` + + + + +Character string that specifies if the outgoing email server requires SSL. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | SSL is not required. | +| 1 | SSL is required. | + + + + + + + + + + ## Remarks When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored). @@ -349,7 +1492,10 @@ If the connection to the mail server is initiated with deferred SSL, the mail se 4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection 5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities. 6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL. + + + ## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) 
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index cda01b7a53..20e168d936 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,39 +1,986 @@ --- title: EMAIL2 DDF file -description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the EMAIL2 configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # EMAIL2 DDF file -This topic shows the OMA DM device description framework (DDF) for the **EMAIL2** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the EMAIL2 configuration service provider. ```xml -]> +]> 1.2 + + + + EMAIL2 + ./User/Vendor/MSFT + + + + + Root node + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + + + This is unique and identifies a particular account. Also, we can only have 6 additional email accounts. So, depending on how many are already there on the device, we can have from 1 to 6. + + + + + + + + + + Account GUID + + + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + - EMAIL2 - ./Vendor/MSFT + ACCOUNTICON + + + - Root characteristic + + + + + + + + + + + + + + + + + + + ACCOUNTTYPE + + + + + + + + Specifies the type of account. 
Valid values are: Email - normal email, VVM - visual voice mail + + + + + + + + + + + + + + + Email + normal email + + + VVM + visual voice mail + + + + + + AUTHNAME + + + + + + + + Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). + + + + + + + + + + + + + + + + + + AUTHREQUIRED + + + + + + + + Character string that specifies whether the outgoing server requires authentication. + 1 for TRUE + 0 for FALSE(default). + Note: If this is not specified then SMTP authentication will not be done. Also, this is different from the SMTPALTENABLED. That is to specify different set of credentials for SMTP. + + + + + + + + + + + + + + + + 0 + Server authentication is not required. + + + 1 + Server authentication is required. + + + + + + AUTHSECRET + + + + + + + + Character string that specifies the user's password. The same password is used for SMTP authentication. + + + + + + + + + + + + + + + + + + DOMAIN + + + + + + + + Character string that specifies the incoming server credentials domain. Limited to 255 characters. + + + + + + + + + + + + + + + + + + DWNDAY + + + + + + + + Character string that specifies how many days' worth of email should be downloaded from the server. + + + + + + + + + + + + + + + -1 + Specifies that all email currently on the server should be downloaded. + + + 7 + Specifies that 7 days’ worth of email should be downloaded. + + + 14 + Specifies that 14 days’ worth of email should be downloaded. + + + 30 + Specifies that 30 days’ worth of email should be downloaded. + + + 90 + Specifies that 90 days’ worth of email should be downloaded. + + + + + + INSERVER + + + + + + + + Character string that specifies how many days' worth of email should be downloaded from the server. server name:port number + + + + + + + + + + + + + + + + + + LINGER + + + + + + + + 15 + Character string that specifies the length of time between email send/receive updates in minutes. 
0 indicates that updates must be performed manually. + + + + + + + + + + + + + + [(-1)-2147483647] + + + + + KEEPMAX + + + + + + + + Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts. The limit is specified in KB. + + + + + + + + + + + + + + + -1 + No limit is enforced + + + 0 + No attachment is downloaded + + + 25 + 25 KB + + + 50 + 50 KB + + + 100 + 100 KB + + + 250 + 250 KB + + + + + + NAME + + + + + + + + Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters. + + + + + + + + + + + + + + + + + + OUTSERVER + + + + + + + + Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is: server name:port number + + + + + + + + + + + + + + + + + + REPLYADDR + + + + + + + + Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters. + + + + + + + + + + + + + + + + + + SERVICENAME + + + + + + + + Character string that specifies the name of the email service to create or edit (32 characters maximum). + + + + + + + + + + + + + + + + + + SERVICETYPE + + + + + + + + Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3"). + + + + + + + + + + + + + + + + + + RETRIEVE + + + + + + + + Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated. + + + + + + + + + + + + + + [(-1)-2147483647] + + + + + SERVERDELETEACTION + + + + + + + + Character string that specifies how message is deleted on server. The default action depends on the transport. 
+ + + + + + + + + + + + + + + 1 + delete message on the server + + + 2 + keep the message on the server (delete to the Trash folder). + + + + + + CELLULARONLY + + + + + + + + If this flag is set, the account only uses the cellular network and not Wi-Fi. + + + + + + + + + + + + + + + + + + SYNCINGCONTENTTYPES + + + + + + + + Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). + + + + + + + + + + + + + + + 0x0 + No data + + + 0x1 + Contacts + + + 0x2 + Mail + + + 0x4 + Appointments + + + 0x8 + Tasks + + + 0x10 + Notes + + + 0x60 + Feeds + + + 0x180 + Network Photo + + + 0x200 + Group and room + + + 0x400 + Chat + + + 0x800 + Email Recipient Email + + + 0x1000 + Server Link + + + 0xffffffff + All items + + + + + + CONTACTSSERVER + + + + + + + + Server for contact sync if it is different from the email server. + + + + + + + + + + + + + + + + + + CALENDARSERVER + + + + + + + + Server for calendar sync if it is different from the email server. + + + + + + + + + + + + + + + + + + CONTACTSSERVERREQUIRESSL + + + + + + + + Indicates if the connection to the contact server requires SSL. + + + + + + + + + + + + + + + + + + CALENDARSERVERREQUIRESSL + + + + + + + + Indicates if the connection to the calendar server requires SSL. + + + + + + + + + + + + + + + + + + CONTACTSSYNCSCHEDULE + + + + + + + + Sets the schedule for syncing contact items. + + + + + + + + + + + + + + + + + + CALENDARSYNCSCHEDULE + + + + + + + + Sets the schedule for syncing calendar items. + + + + + + + + + + + + + + + + + + SMTPALTAUTHNAME + + + + + + + + Character string that specifies the display name associated with the user's alternative SMTP email account. + + + + + + + + + + + + + + + + + + SMTPALTDOMAIN + + + + + + + + Character string that specifies the domain name for the user's alternative SMTP account. 
+ + + + + + + + + + + + + + + + + + SMTPALTENABLED + + + + + + + + Character string that specifies if the user's alternate SMTP account is enabled. + + + + + + + + + + + + + + + 0 + The user's alternate SMTP email account is disabled. + + + 1 + The user's alternate SMTP email account is enabled. + + + + + + SMTPALTPASSWORD + + + + + + + + Character string that specifies the password for the user's alternate SMTP account. + + + + + + + + + + + + + + + + + + TAGPROPS + + + + + + + + Specifies that stated parameter element name attributes is nonstandard tag properties. 
@@ -41,839 +988,86 @@ The XML below is the current version for this CSP. - + - com.microsoft/1.0/MDM/EMAIL2 + - + 8128000B - - + + - This is unique and identifies a particular account. Also, we can only have 6 additional email accounts. So, depending on how many are already there on the device, we can have from 1 to 6. + Character string that specifies if the incoming email server requires SSL. - + - 1 + - Account GUID - + + + + 0 + SSL is not required. + + + 1 + SSL is required. + + + + + + 812C000B + + + + + + + + Character string that specifies if the outgoing email server requires SSL. + + + + + + + + + + + + + + + 0 + SSL is not required. + + + 1 + SSL is required. + + - - ACCOUNTICON - - - - - - - - The location of the icon associated with the account. - - - - - - - - - - - text/plain - - - - - ACCOUNTTYPE - - - - - - - - Specifies the type of account. Valid values are: Email - normal email, VVM - visual voice mail - - - - - - - - - - - text/plain - - - - - AUTHNAME - - - - - - - - User Name for Incoming server. Limited to 255 chars. - - - - - - - - - - - text/plain - - - - - AUTHREQUIRED - - - - - - - - This will specify whether the outgoing server requires authentication. - 1 for TRUE - 0 for FALSE(default). - Note: If this is not specified then SMTP authentication will not be done. Also, this is different from the SMTPALTENABLED. That is to specify different set of credentials for SMTP. - - - - - - - - - - - - text/plain - - - - - AUTHSECRET - - - - - - - - Password. Limited to 255 chars. - - - - - - - - - - - text/plain - - - - - DOMAIN - - - - - - - - Incoming server credentials domain. Limited to 255 chars. - - - - - - - - - - - text/plain - - - - - DWNDAY - - - - - - - - Specifies how many days of email to download. (number of days worth going back into the past) - - - - - - - - - - - text/plain - - - - - INSERVER - - - - - - - - The incoming server name and port number. Limited to 62 chars. 
If the standard port number is used, the port number isn't necessary to be specified in this node. The value format is: - Server name:port number - - - - - - - - - - - - text/plain - - - - - LINGER - - - - - - - - Specifies how frequently Messaging performs scheduled send/receives. (Specified as the length of time in minutes, between updates.) - - - - - - - - - - - text/plain - - - - - KEEPMAX - - - - - - - - Specifies the maximum size for a message's attachment. (Attachments beyond this size will not be downloaded but will remain on the server. The message itself will be downloaded). This value can be set only for IMAP4 accounts. The limit is specified in KB, with a value of 0 meaning that no limit will be enforced. - - - - - - - - - - - text/plain - - - - - NAME - - - - - - - - User Display Name. Limited to 255 chars - - - - - - - - - - - text/plain - - - - - OUTSERVER - - - - - - - - The outcoming server name and port number. Limited to 62 chars. The value format is: - Server name:port number - If the standard port number is used, the port number isn't necessary to be specified in this node. - - - - - - - - - - - - text/plain - - - - - REPLYADDR - - - - - - - - SMTP reply address of the user. Limited to 255 chars. - - - - - - - - - - - text/plain - - - - - SERVICENAME - - - - - - - - This is the account name. It's limited to 32 characters. - - - - - - - - - - - text/plain - - - - - SERVICETYPE - - - - - - - - This is the type of account. Valid values are POP3/IMAP4. - - - - - - - - - - - text/plain - - - - - RETRIEVE - - - - - - - - Specifies the maximum size(in bytes) for messages retrieved from the incoming email server. Messages beyond this size will still be retrieved, but will be truncated. - - - - - - - - - - - text/plain - - - - - SERVERDELETEACTION - - - - - - - - Specifies how message is deleted on server. 
- 1 for delete message on server, - 2 for keep the message on server (delete to Trash folder), - any other value default action is used, which depends on the transport. - - - - - - - - - - - - text/plain - - - - - CELLULARONLY - - - - - - - - If this flag is set, the account uses cellular network only and not Wi-Fi. - - - - - - - - - - - text/plain - - - - - SYNCINGCONTENTTYPES - - - - - - - - Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). No data (0x0), Contacts (0x1), Mail (0x2), Appointments (0x4), Tasks (0x8), Notes (0x10), Feeds (0x60), Network Photo (0x180), Group and room (0x200), Chat (0x400), Email Recipient Email (0x800), Server Link (0x1000), All items (0xffffffff). - - - - - - - - - - - text/plain - - - - - CONTACTSSERVER - - - - - - - - Server for contact sync if it is different from the email server. - - - - - - - - - - - text/plain - - - - - CALENDARSERVER - - - - - - - - Server for calendar sync if it is different from the email server. - - - - - - - - - - - text/plain - - - - - CONTACTSSERVERREQUIRESSL - - - - - - - - Defines if the connection to the contact server requires SSL. - - - - - - - - - - - text/plain - - - - - CALENDARSERVERREQUIRESSL - - - - - - - - Defines if the connection to the calendar server requires SSL. - - - - - - - - - - - text/plain - - - - - CONTACTSSYNCSCHEDULE - - - - - - - - Sets the schedule for syncing contact items. - - - - - - - - - - - text/plain - - - - - CALENDARSYNCSCHEDULE - - - - - - - - Sets the schedule for syncing calendar items. - - - - - - - - - - - text/plain - - - - - SMTPALTAUTHNAME - - - - - - - - If SMTPALTENABLED is true, then this will have the alternate User Name for SMTP. 255 chars. - - - - - - - - - - - text/plain - - - - - SMTPALTDOMAIN - - - - - - - - If SMTPALTENABLED is true, then this will have the alternate domain for SMTP. 255 chars. 
- - - - - - - - - - - text/plain - - - - - SMTPALTENABLED - - - - - - - - This is a bool value that specifies if we have separate SMTP credentials. -1 for true -0 for false (default) - - - - - - - - - - - text/plain - - - - - SMTPALTPASSWORD - - - - - - - - If SMTPALTENABLED is true, then this will have the alternate password for SMTP. 255 chars. - - - - - - - - - - - text/plain - - - - - TAGPROPS - - - - - - - - Specifies that stated parameter element name attributes is nonstandard tag properties. - - - - - - - - - - - - - - - 8128000B - - - - - - - - Specify whether incoming server requires SSL connection. -1- Require SSL connection -0- Doesn't require SSL connection (default) - - - - - - - - - - - text/plain - - - - - 812C000B - - - - - - - - Specify whether outgoing server requires SSL connection. -1- Require SSL connection -0- Doesn't require SSL connection (default) - - - - - - - - - - - text/plain - - - - + + ``` -## Related topics - - -[EMAIL2 configuration service provider](email2-csp.md) - -  - -  - - - - - +## Related articles +[EMAIL2 configuration service provider reference](email2-csp.md) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 62e50eadd1..394eabf465 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md 
@@ -1,83 +1,163 @@ --- title: EnterpriseDesktopAppManagement CSP -description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. -ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 -ms.reviewer: +description: Learn more about the EnterpriseDesktopAppManagement CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/11/2017 +ms.topic: reference --- + + + # EnterpriseDesktopAppManagement CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. Application installations can take some time to complete, hence they're done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). + -The following example shows the EnterpriseDesktopAppManagement CSP in tree format. 
+ +The following list shows the EnterpriseDesktopAppManagement configuration service provider nodes: +- ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement + - [MSI](#devicemsi) + - [{ProductID}](#devicemsiproductid) + - [DownloadInstall](#devicemsiproductiddownloadinstall) + - [InstallDate](#devicemsiproductidinstalldate) + - [InstallPath](#devicemsiproductidinstallpath) + - [LastError](#devicemsiproductidlasterror) + - [LastErrorDesc](#devicemsiproductidlasterrordesc) + - [Name](#devicemsiproductidname) + - [Publisher](#devicemsiproductidpublisher) + - [Status](#devicemsiproductidstatus) + - [Version](#devicemsiproductidversion) + - [UpgradeCode](#devicemsiupgradecode) + - [{Guid}](#devicemsiupgradecodeguid) +- ./User/Vendor/MSFT/EnterpriseDesktopAppManagement + - [MSI](#usermsi) + - [{ProductID}](#usermsiproductid) + - [DownloadInstall](#usermsiproductiddownloadinstall) + - [InstallDate](#usermsiproductidinstalldate) + - [InstallPath](#usermsiproductidinstallpath) + - [LastError](#usermsiproductidlasterror) + - [LastErrorDesc](#usermsiproductidlasterrordesc) + - [Name](#usermsiproductidname) + - [Publisher](#usermsiproductidpublisher) + - [Status](#usermsiproductidstatus) + - [Version](#usermsiproductidversion) + - [UpgradeCode](#usermsiupgradecode) + - [{Guid}](#usermsiupgradecodeguid) + + + +## Device/MSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI ``` -./Device/Vendor/MSFT -EnterpriseDesktopAppManagement -----MSI ---------ProductID -------------Version -------------Name -------------Publisher -------------InstallPath -------------InstallDate -------------DownloadInstall -------------Status -------------LastError -------------LastErrorDesc ---------UpgradeCode -------------Guid + + + + +Product Type is MSI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/MSI/{ProductID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID} ``` + -**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** -The root node for the EnterpriseDesktopAppManagement configuration service provider. - -**MSI** -Node for all settings. - -**MSI/***ProductID* + + The MSI product code for the application. + -**MSI/*ProductID*/Version** -Version number. Value type is string. Supported operation is Get. + + + -**MSI/*ProductID*/Name** -Name of the application. Value type is string. Supported operation is Get. + +**Description framework properties**: -**MSI/*ProductID*/Publisher** -Publisher of application. Value type is string. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Atomic Required | True | +| Dynamic Node Naming | UniqueName: The MSI product code for the application. | + -**MSI/*ProductID*/InstallPath** -Installation path of the application. Value type is string. Supported operation is Get. + + + -**MSI/*ProductID*/InstallDate** -Installation date of the application. Value type is string. Supported operation is Get. + -**MSI/*ProductID*/DownloadInstall** -Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get. + +#### Device/MSI/{ProductID}/DownloadInstall -In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (don't send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. `` 0 will set the timeout to infinite. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/DownloadInstall +``` + + + + +Executes the download and installation of the application. In Windows 10, version 1703 service release, a new tag `` was added to the `` section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. + + + + Here's an example: ```xml 
@@ -90,280 +170,1236 @@ Here's an example: ``` -**MSI/*ProductID*/Status** -Status of the application. Value type is string. Supported operation is Get. +For more information, see [DownloadInstall XSD Schema](#downloadinstall-xsd-schema). + -| Status | Value | -|---------------------------|-------| -| Initialized | 10 | -| Download In Progress | 20 | -| Pending Download Retry | 25 | -| Download Failed | 30 | -| Download Completed | 40 | -| Pending User Session | 48 | -| Enforcement In Progress | 50 | -| Pending Enforcement Retry | 55 | -| Enforcement Failed | 60 | -| Enforcement Completed | 70 | + +**Description framework properties**: -**MSI/*ProductID*/LastError** -The last error code during the application installation process. This error code is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this error could be the result of executing MSIExec.exe or the error result from an API that failed. +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + -Value type is string. Supported operation is Get. + + + -**MSI/*ProductID*/LastErrorDesc** -Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there's no LastErrorDesc returned. + -Value type is string. Supported operation is Get. + +#### Device/MSI/{ProductID}/InstallDate -**MSI/UpgradeCode** -Added in the March service release of Windows 10, version 1607. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**MSI/UpgradeCode/_Guid_** -Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when an administrator wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/InstallDate +``` + -Value type is string. Supported operation is Get. + + +Installation date of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/InstallPath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/InstallPath +``` + + + + +Installation path of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/LastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/LastError +``` + + + + +The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/LastErrorDesc + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/LastErrorDesc +``` + + + + +Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Name +``` + + + + +Name of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Publisher +``` + + + + +Publisher of application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Status +``` + + + + +Status of the application. Valid values: 10-Initialized, 20-Download In Progress, 25-Pending Download Retry, 30-Download Failed, 40-Download Completed, 48-Pending User Session, 50-Enforcement In Progress, 55-Pending Enforcement Retry, 60-Enforcement Failed, 70-Enforcement Completed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Version +``` + + + + +MSI Product Version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Device/MSI/UpgradeCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/UpgradeCode +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Case Sensitive | True | + + + + + + + + + +#### Device/MSI/UpgradeCode/{Guid} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/UpgradeCode/{Guid} +``` + + + + +A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +## User/MSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI +``` + + + + +Product Type is MSI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/MSI/{ProductID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID} +``` + + + + +The MSI product code for the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Atomic Required | True | +| Dynamic Node Naming | UniqueName: The MSI product code for the application. | + + + + + + + + + +#### User/MSI/{ProductID}/DownloadInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/DownloadInstall +``` + + + + +Executes the download and installation of the application. In Windows 10, version 1703 service release, a new tag `` was added to the `` section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. + + + + +Here's an example: + +```xml + + /quiet + 5 + 3 + 5 + 1 + +``` + +For more information, see [DownloadInstall XSD Schema](#downloadinstall-xsd-schema). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + + + + + + + + + +#### User/MSI/{ProductID}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/InstallDate +``` + + + + +Installation date of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/InstallPath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/InstallPath +``` + + + + +Installation path of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/LastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/LastError +``` + + + + +The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/LastErrorDesc + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/LastErrorDesc +``` + + + + +Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Name +``` + + + + +Name of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Publisher +``` + + + + +Publisher of application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Status +``` + + + + +Status of the application. Valid values: 10-Initialized, 20-Download In Progress, 25-Pending Download Retry, 30-Download Failed, 40-Download Completed, 48-Pending User Session, 50-Enforcement In Progress, 55-Pending Enforcement Retry, 60-Enforcement Failed, 70-Enforcement Completed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Version +``` + + + + +MSI Product Version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### User/MSI/UpgradeCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/UpgradeCode +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Case Sensitive | True | + + + + + + + + + +#### User/MSI/UpgradeCode/{Guid} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/UpgradeCode/{Guid} +``` + + + + +A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + + +## DownloadInstall XSD Schema + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` ## Examples -**SyncML to request CSP version information** +- SyncML to request CSP version information: -```xml - - - - 12345 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement?prop=Type - - - - - - -``` + ```xml + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement?prop=Type + + + + + + + ``` -The following table describes the fields in the previous sample: + The following table describes the fields in the previous sample: -| Name | Description | -|--------|-------------------------------------------------------------------------------------------------------------------------------| -| Get | Operation being performed. The Get operation is a request to return information. | -| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | -| LocURI | Path to Win32 CSP command processor. | + | Name | Description | + |--------|------------------------------------------------------------------------------------------------------------------------------| + | Get | Operation being performed. The Get operation is a request to return information. 
| + | CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | + | LocURI | Path to Win32 CSP command processor. | -**SyncML to perform MSI operations for application uninstall:** +- SyncML to perform MSI operations for application uninstall: -```xml - - - - 12345 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D - - - - - - -``` + ```xml + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D + + + + + + + ``` -The following table describes the fields in the previous sample: + The following table describes the fields in the previous sample: -| Name | Description | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Delete | Operation being performed. The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. | -| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | -| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | + | Name | Description | + |--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Delete | Operation being performed. 
The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. | + | CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | + | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | +- SyncML to perform MSI operations for application status reporting: + ```xml + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D + + + + + + + ``` -**SyncML to perform MSI operations for application status reporting** + The following table describes the fields in the previous sample: -```xml - - - - 12345 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D - - - - - - -``` + | Name | Description | + |--------|------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. | + | CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | + | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | -The following table describes the fields in the previous sample: +- SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command. -| Name | Description | -|--------|-----------------------| -| Get | Operation being performed. 
The Get operation is a request to report the status of the specified MSI installed application.| -| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | -| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | + ```xml + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C384D2B-9B9A-0CB37243539C%7D/DownloadInstall + + + + + 6 + + + ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D/DownloadInstall + + + xml + text/plain + + + + + + + + http://bcl-w2k12r2-vm/testapps/msi/reboot/reboot.msi + + https://dp2.com/packages/myApp.msi + + + + 134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3 + + + /quiet + 5 + 3 + 5 + + + + + + + + + + ``` -**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.** + The following table describes the fields in the previous sample: -```xml - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C384D2B-9B9A-0CB37243539C%7D/DownloadInstall - - - - - 6 - - - ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D/DownloadInstall - - - xml - text/plain - - - - - - - - http://bcl-w2k12r2-vm/testapps/msi/reboot/reboot.msi - - https://dp2.com/packages/myApp.msi - - - -134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3 - - - /quiet - 5 - 3 - 5 - - - - - - - - - -``` + |Name|Description| + |--- |--- | + |Add|This field is required to precede the Exec command.
  • CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| + |Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
  • CmdID - Input value used to reference the request. Responses will include this value that can be used to match request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
  • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
  • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| -The following table describes the fields in the previous sample: + > [!NOTE] + > Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). -|Name|Description| -|--- |--- | -|Add|This field is required to precede the Exec command.
  • CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| -|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
  • CmdID - Input value used to reference the request. Responses will include this value that can be used to match request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
  • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
  • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| - +- SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation): -> [!Note] -> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). + ```xml + + + + 1 + + + ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall + + + + + + 67890 + + + ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall + + + xml + text/plain + + + + + + + http://bcl-w2k12r2-vm/testapps/msi/Orca/Orca.msi + https://dp2.com/packages/myApp.msi + + + + 4525065777EF18B9444ABF71DD4B48E5F64F4F0E1E029995FB8DA441CDE4296E + + + /quiet + 5 + 3 + 5 + + + + + + + + + + ``` -**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation):** + The following table MsiInstallJob describes the schema elements. 
-```xml - - - - 1 - - - ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall - - - - - - 67890 - - - ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall - - - xml - text/plain - - - - - - - http://bcl-w2k12r2-vm/testapps/msi/Orca/Orca.msi - https://dp2.com/packages/myApp.msi - - - - 4525065777EF18B9444ABF71DD4B48E5F64F4F0E1E029995FB8DA441CDE4296E - - - /quiet - 5 - 3 - 5 - - - - - - - - - -``` + | Element | Description | + |-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | MsiInstallJob | root element
    Attribute: "id" - the application identifier of the application being installed | + | Product | child element of MsiInstallJob
    Attribute: "Version" - string representation of application version | + | Download | child element of Product. Container for download configuration information. | + | ContentURLList | child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements. | + | ContentURL | Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file. | + | Validation | Contains information used to validate contend authenticity. • FileHash - SHA256 hash value of file content | + | FileHash | SHA256 hash value of file content | + | Enforcement | installation properties to be used when installing this MSI | + | CommandLine | Command-line options to be used when calling MSIEXEC.exe | + | TimeOut | Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. | + | RetryCount | The number of times the download and installation operation will be retried before the installation will be marked as failed. | + | RetryInterval | Amount of time, in minutes between retry operations. | -The following table MsiInstallJob describes the schema elements. + Here's an example of a common response to a request -|Element|Description| -|--- |--- | -|MsiInstallJob|root element
    Attribute: "id" - the application identifier of the application being installed| -|Product|child element of MsiInstallJob
    Attribute: “Version” – string representation of application version| -|Download|child element of Product. Container for download configuration information.| -|ContentURLList|child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements.| -|ContentURL|Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.| -|Validation|Contains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content| -|FileHash|SHA256 hash value of file content| -|Enforcement|installation properties to be used when installing this MSI| -|CommandLine|Command-line options to be used when calling MSIEXEC.exe| -|TimeOut|Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.| -|RetryCount|The number of times the download and installation operation will be retried before the installation will be marked as failed.| -|RetryInterval|Amount of time, in minutes between retry operations.| - -Here's an example of a common response to a request - -```xml - - - - - - 12345 - 1 - 0 - SyncHdr - 200 - - - 67890 - 1 - 1 - Add - 200 - - - - -``` + ```xml + + + + + + 12345 + 1 + 0 + SyncHdr + 200 + + + 67890 + 1 + 1 + Add + 200 + + + + + ``` ## How to determine which installation context to use for an MSI package @@ -395,7 +1431,6 @@ Here's a list of references: - [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10)) - [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx) -- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D) ## Alert example 
@@ -416,6 +1451,10 @@ Here's a list of references: ``` -## Related topics + -[Configuration service provider reference](index.yml) \ No newline at end of file + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 0a13970546..788f6427ae 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md 
@@ -1,370 +1,752 @@ --- -title: EnterpriseDesktopAppManagement DDF -description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. -ms.reviewer: +title: EnterpriseDesktopAppManagement DDF file +description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- -# EnterpriseDesktopAppManagement DDF + -This topic shows the OMA DM device description framework (DDF) for the **EnterpriseDesktopAppManagement** configuration service provider. +# EnterpriseDesktopAppManagement DDF file -DDF files are used only with OMA DM provisioning XML. +The following XML file contains the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + EnterpriseDesktopAppManagement + ./User/Vendor/MSFT + + + + + The root node for the EnterpriseDesktopAppManagement configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - EnterpriseDesktopAppManagement - ./Device/Vendor/MSFT + MSI + + + + + Product Type is MSI + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - com.microsoft/1.0/MDM/EnterpriseDesktopAppManagement - + + + + + + The MSI product code for the application. + + + + + + + + + + ProductID + + + + + + + + The MSI product code for the application. 
+ + - MSI - - - - - Product Type is MSI - - - - - - - - - - - - - - - - - - - - - - - - - MSI product code for Threshold - - - - - - - - - - - - - ProductID - - - - - - Version - - - - - MSI Product Version - - - - - - - - - - - - - - text/plain - - - - - Name - - - - - - - - - - - - - - - - - - text/plain - - - - - Publisher - - - - - - - - - - - - - - - - - - text/plain - - - - - InstallPath - - - - - - - - - - - - - - - - - - text/plain - - - - - InstallDate - - - - - - - - - - - - - - - - - - text/plain - - - - - DownloadInstall - - - - - - - - Method to download and install an MSI app - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - - - - text/plain - - - - - LastError - - - - - - - - - - - - - - - - - - text/plain - - - - - LastErrorDesc - - - - - - - - - - - - - - - - - - text/plain - - - - - - UpgradeCode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Guid - - text/plain - - - - + Version + + + + + MSI Product Version + + + + + + + + + + + + + + + + + + Name + + + + + Name of the application. + + + + + + + + + + + + + + + + + + + Publisher + + + + + Publisher of application. + + + + + + + + + + + + + + + + + + + InstallPath + + + + + Installation path of the application. + + + + + + + + + + + + + + + + + + + InstallDate + + + + + Installation date of the application. + + + + + + + + + + + + + + + + + + + DownloadInstall + + + + + + + + was added to the section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.]]> + + + + + + + + + + + + + + + + + + + + + Status + + + + + Status of the application. 
Valid values: 10-Initialized, 20-Download In Progress, 25-Pending Download Retry, 30-Download Failed, 40-Download Completed, 48-Pending User Session, 50-Enforcement In Progress, 55-Pending Enforcement Retry, 60-Enforcement Failed, 70-Enforcement Completed + + + + + + + + + + + + + + + + + + + LastError + + + + + The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. + + + + + + + + + + + + + + + + + + + LastErrorDesc + + + + + Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. + + + + + + + + + + + + + + + + + + + + UpgradeCode + + + + + + + + + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + + + + + + A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + + + + + + + + + + Guid + + + + + + + + + + + + + + + EnterpriseDesktopAppManagement + ./Device/Vendor/MSFT + + + + + The root node for the EnterpriseDesktopAppManagement configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + MSI + + + + + Product Type is MSI + + + + + + + + + + + + + + + + + + + + + + + + + + The MSI product code for the application. + + + + + + + + + + ProductID + + + + + + + + The MSI product code for the application. + + + + + Version + + + + + MSI Product Version + + + + + + + + + + + + + + + + + + + Name + + + + + Name of the application. + + + + + + + + + + + + + + + + + + + Publisher + + + + + Publisher of application. 
+ + + + + + + + + + + + + + + + + + + InstallPath + + + + + Installation path of the application. + + + + + + + + + + + + + + + + + + + InstallDate + + + + + Installation date of the application. + + + + + + + + + + + + + + + + + + + DownloadInstall + + + + + + + + was added to the section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.]]> + + + + + + + + + + + + + + + + + + + + + Status + + + + + Status of the application. Valid values: 10-Initialized, 20-Download In Progress, 25-Pending Download Retry, 30-Download Failed, 40-Download Completed, 48-Pending User Session, 50-Enforcement In Progress, 55-Pending Enforcement Retry, 60-Enforcement Failed, 70-Enforcement Completed + + + + + + + + + + + + + + + + + + + LastError + + + + + The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. + + + + + + + + + + + + + + + + + + + LastErrorDesc + + + + + Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. + + + + + + + + + + + + + + + + + + + + UpgradeCode + + + + + + + + + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + + + + + + A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + + + + + + + + + + Guid + + + + + + + + + + + + + + - ``` -  - -  - - - - - +## Related articles +[EnterpriseDesktopAppManagement configuration service provider reference](enterprisedesktopappmanagement-csp.md) 
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
deleted file mode 100644
index 7bdeb81114..0000000000
--- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
+++ /dev/null
@@ -1,105 +0,0 @@ ---- -title: EnterpriseDesktopAppManagement XSD -description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# EnterpriseDesktopAppManagement XSD - -This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -The following table describes the various elements and attributes of the XSD file: - -  - -| Name | Description | -|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MsiInstallJob | Root element | -| id | The application identifier for the application being installed. | -| Product | Child element of MsiInstallJob | -| Version | String representation of the application version | -| Download | Child element of Product. Container for download configuration information. | -| ContentURLList | Child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements. | -| ContentURL | Location that content should be downloaded from. Must be a property formatted URL that points to the MSI file. | -| Validation | Contains information used to validate content authenticity. | -| FileHash | SHA256 hash value of file content. 
| -| Enforcement | Installation properties to be used when installing this MSI | -| CommandLine | Command-line options to be used when calling MSIEXEC.exe | -| Timeout | Amount of time in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. | -| RetryCount | Number of times the download and installation operation will be retried before the installation will be marked as failed. | -| RetryInterval | Amount of time in minutes between retry operations. | - -  - -  - -  - - - - - - diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 534c2117a8..726ff88fb1 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md 
@@ -1,266 +1,335 @@ --- title: EnterpriseModernAppManagement CSP -description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. -ms.reviewer: +description: Learn more about the EnterpriseModernAppManagement CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2021 +ms.topic: reference --- + + + # EnterpriseModernAppManagement CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../enterprise-app-management.md). -> [!Note] +> [!NOTE] > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. + -The following example shows the EnterpriseModernAppManagement configuration service provider in tree format. 
+ +The following list shows the EnterpriseModernAppManagement configuration service provider nodes: -```console -./Vendor/MSFT -EnterpriseModernAppManagement -----AppManagement ---------EnterpriseID -------------PackageFamilyName -----------------PackageFullName ---------------------Name ---------------------Version ---------------------Publisher ---------------------Architecture ---------------------InstallLocation ---------------------IsFramework ---------------------IsBundle ---------------------InstallDate ---------------------ResourceID ---------------------PackageStatus ---------------------RequiresReinstall ---------------------Users ---------------------IsProvisioned -----------------DoNotUpdate -----------------AppSettingPolicy ---------------------SettingValue ---------UpdateScan ---------LastScanError ---------AppInventoryResults ---------AppInventoryQuery -----AppInstallation ---------PackageFamilyName -------------StoreInstall -------------HostedInstall -------------LastError -------------LastErrorDesc -------------Status -------------ProgressStatus -----AppLicenses ---------StoreLicenses -------------LicenseID -----------------LicenseCategory -----------------LicenseUsage -----------------RequesterID -----------------AddLicense -----------------GetLicenseFromStore +- ./Device/Vendor/MSFT/EnterpriseModernAppManagement + - [AppInstallation](#deviceappinstallation) + - [{PackageFamilyName}](#deviceappinstallationpackagefamilyname) + - [HostedInstall](#deviceappinstallationpackagefamilynamehostedinstall) + - [LastError](#deviceappinstallationpackagefamilynamelasterror) + - [LastErrorDesc](#deviceappinstallationpackagefamilynamelasterrordesc) + - [ProgressStatus](#deviceappinstallationpackagefamilynameprogressstatus) + - [Status](#deviceappinstallationpackagefamilynamestatus) + - [StoreInstall](#deviceappinstallationpackagefamilynamestoreinstall) + - [AppLicenses](#deviceapplicenses) + - [StoreLicenses](#deviceapplicensesstorelicenses) + - 
[{LicenseID}](#deviceapplicensesstorelicenseslicenseid) + - [AddLicense](#deviceapplicensesstorelicenseslicenseidaddlicense) + - [GetLicenseFromStore](#deviceapplicensesstorelicenseslicenseidgetlicensefromstore) + - [LicenseCategory](#deviceapplicensesstorelicenseslicenseidlicensecategory) + - [LicenseUsage](#deviceapplicensesstorelicenseslicenseidlicenseusage) + - [RequesterID](#deviceapplicensesstorelicenseslicenseidrequesterid) + - [AppManagement](#deviceappmanagement) + - [AppInventoryQuery](#deviceappmanagementappinventoryquery) + - [AppInventoryResults](#deviceappmanagementappinventoryresults) + - [AppStore](#deviceappmanagementappstore) + - [{PackageFamilyName}](#deviceappmanagementappstorepackagefamilyname) + - [{PackageFullName}](#deviceappmanagementappstorepackagefamilynamepackagefullname) + - [Architecture](#deviceappmanagementappstorepackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#deviceappmanagementappstorepackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#deviceappmanagementappstorepackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#deviceappmanagementappstorepackagefamilynamepackagefullnameisbundle) + - [IsFramework](#deviceappmanagementappstorepackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#deviceappmanagementappstorepackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#deviceappmanagementappstorepackagefamilynamepackagefullnameisstub) + - [Name](#deviceappmanagementappstorepackagefamilynamepackagefullnamename) + - [PackageStatus](#deviceappmanagementappstorepackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#deviceappmanagementappstorepackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#deviceappmanagementappstorepackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#deviceappmanagementappstorepackagefamilynamepackagefullnameresourceid) + - [Users](#deviceappmanagementappstorepackagefamilynamepackagefullnameusers) + - 
[Version](#deviceappmanagementappstorepackagefamilynamepackagefullnameversion) + - [DoNotUpdate](#deviceappmanagementappstorepackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#deviceappmanagementappstorepackagefamilynamemaintainprocessorarchitectureonupdate) + - [NonRemovable](#deviceappmanagementappstorepackagefamilynamenonremovable) + - [ReleaseManagement](#deviceappmanagementappstorereleasemanagement) + - [{ReleaseManagementKey}](#deviceappmanagementappstorereleasemanagementreleasemanagementkey) + - [ChannelId](#deviceappmanagementappstorereleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#deviceappmanagementappstorereleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#deviceappmanagementappstorereleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#deviceappmanagementappstorereleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#deviceappmanagementappstorereleasemanagementreleasemanagementkeyreleasemanagementid) + - [LastScanError](#deviceappmanagementlastscanerror) + - [nonStore](#deviceappmanagementnonstore) + - [{PackageFamilyName}](#deviceappmanagementnonstorepackagefamilyname) + - [{PackageFullName}](#deviceappmanagementnonstorepackagefamilynamepackagefullname) + - [Architecture](#deviceappmanagementnonstorepackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#deviceappmanagementnonstorepackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#deviceappmanagementnonstorepackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#deviceappmanagementnonstorepackagefamilynamepackagefullnameisbundle) + - [IsFramework](#deviceappmanagementnonstorepackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#deviceappmanagementnonstorepackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#deviceappmanagementnonstorepackagefamilynamepackagefullnameisstub) + - 
[Name](#deviceappmanagementnonstorepackagefamilynamepackagefullnamename) + - [PackageStatus](#deviceappmanagementnonstorepackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#deviceappmanagementnonstorepackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#deviceappmanagementnonstorepackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#deviceappmanagementnonstorepackagefamilynamepackagefullnameresourceid) + - [Users](#deviceappmanagementnonstorepackagefamilynamepackagefullnameusers) + - [Version](#deviceappmanagementnonstorepackagefamilynamepackagefullnameversion) + - [DoNotUpdate](#deviceappmanagementnonstorepackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#deviceappmanagementnonstorepackagefamilynamemaintainprocessorarchitectureonupdate) + - [NonRemovable](#deviceappmanagementnonstorepackagefamilynamenonremovable) + - [ReleaseManagement](#deviceappmanagementnonstorereleasemanagement) + - [{ReleaseManagementKey}](#deviceappmanagementnonstorereleasemanagementreleasemanagementkey) + - [ChannelId](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeyreleasemanagementid) + - [ResetPackage](#deviceappmanagementresetpackage) + - [System](#deviceappmanagementsystem) + - [{PackageFamilyName}](#deviceappmanagementsystempackagefamilyname) + - [{PackageFullName}](#deviceappmanagementsystempackagefamilynamepackagefullname) + - [Architecture](#deviceappmanagementsystempackagefamilynamepackagefullnamearchitecture) + - 
[InstallDate](#deviceappmanagementsystempackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#deviceappmanagementsystempackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#deviceappmanagementsystempackagefamilynamepackagefullnameisbundle) + - [IsFramework](#deviceappmanagementsystempackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#deviceappmanagementsystempackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#deviceappmanagementsystempackagefamilynamepackagefullnameisstub) + - [Name](#deviceappmanagementsystempackagefamilynamepackagefullnamename) + - [PackageStatus](#deviceappmanagementsystempackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#deviceappmanagementsystempackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#deviceappmanagementsystempackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#deviceappmanagementsystempackagefamilynamepackagefullnameresourceid) + - [Users](#deviceappmanagementsystempackagefamilynamepackagefullnameusers) + - [Version](#deviceappmanagementsystempackagefamilynamepackagefullnameversion) + - [AppUpdateSettings](#deviceappmanagementsystempackagefamilynameappupdatesettings) + - [AutoRepair](#deviceappmanagementsystempackagefamilynameappupdatesettingsautorepair) + - [PackageSource](#deviceappmanagementsystempackagefamilynameappupdatesettingsautorepairpackagesource) + - [AutoUpdateSettings](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettings) + - [AutomaticBackgroundTask](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsautomaticbackgroundtask) + - [Disable](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsdisable) + - [ForceUpdateFromAnyVersion](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsforceupdatefromanyversion) + - 
[HoursBetweenUpdateChecks](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingshoursbetweenupdatechecks) + - [OnLaunchUpdateCheck](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsonlaunchupdatecheck) + - [PackageSource](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingspackagesource) + - [ShowPrompt](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsshowprompt) + - [UpdateBlocksActivation](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsupdateblocksactivation) + - [DoNotUpdate](#deviceappmanagementsystempackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#deviceappmanagementsystempackagefamilynamemaintainprocessorarchitectureonupdate) + - [NonRemovable](#deviceappmanagementsystempackagefamilynamenonremovable) + - [ReleaseManagement](#deviceappmanagementsystemreleasemanagement) + - [{ReleaseManagementKey}](#deviceappmanagementsystemreleasemanagementreleasemanagementkey) + - [ChannelId](#deviceappmanagementsystemreleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#deviceappmanagementsystemreleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#deviceappmanagementsystemreleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#deviceappmanagementsystemreleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#deviceappmanagementsystemreleasemanagementreleasemanagementkeyreleasemanagementid) + - [UpdateScan](#deviceappmanagementupdatescan) +- ./User/Vendor/MSFT/EnterpriseModernAppManagement + - [AppInstallation](#userappinstallation) + - [{PackageFamilyName}](#userappinstallationpackagefamilyname) + - [HostedInstall](#userappinstallationpackagefamilynamehostedinstall) + - [LastError](#userappinstallationpackagefamilynamelasterror) + - [LastErrorDesc](#userappinstallationpackagefamilynamelasterrordesc) 
+ - [ProgressStatus](#userappinstallationpackagefamilynameprogressstatus) + - [Status](#userappinstallationpackagefamilynamestatus) + - [StoreInstall](#userappinstallationpackagefamilynamestoreinstall) + - [AppLicenses](#userapplicenses) + - [StoreLicenses](#userapplicensesstorelicenses) + - [{LicenseID}](#userapplicensesstorelicenseslicenseid) + - [AddLicense](#userapplicensesstorelicenseslicenseidaddlicense) + - [GetLicenseFromStore](#userapplicensesstorelicenseslicenseidgetlicensefromstore) + - [LicenseCategory](#userapplicensesstorelicenseslicenseidlicensecategory) + - [LicenseUsage](#userapplicensesstorelicenseslicenseidlicenseusage) + - [RequesterID](#userapplicensesstorelicenseslicenseidrequesterid) + - [AppManagement](#userappmanagement) + - [AppInventoryQuery](#userappmanagementappinventoryquery) + - [AppInventoryResults](#userappmanagementappinventoryresults) + - [AppStore](#userappmanagementappstore) + - [{PackageFamilyName}](#userappmanagementappstorepackagefamilyname) + - [{PackageFullName}](#userappmanagementappstorepackagefamilynamepackagefullname) + - [Architecture](#userappmanagementappstorepackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#userappmanagementappstorepackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#userappmanagementappstorepackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#userappmanagementappstorepackagefamilynamepackagefullnameisbundle) + - [IsFramework](#userappmanagementappstorepackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#userappmanagementappstorepackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#userappmanagementappstorepackagefamilynamepackagefullnameisstub) + - [Name](#userappmanagementappstorepackagefamilynamepackagefullnamename) + - [PackageStatus](#userappmanagementappstorepackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#userappmanagementappstorepackagefamilynamepackagefullnamepublisher) + - 
[RequiresReinstall](#userappmanagementappstorepackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#userappmanagementappstorepackagefamilynamepackagefullnameresourceid) + - [Users](#userappmanagementappstorepackagefamilynamepackagefullnameusers) + - [Version](#userappmanagementappstorepackagefamilynamepackagefullnameversion) + - [AppSettingPolicy](#userappmanagementappstorepackagefamilynameappsettingpolicy) + - [{SettingValue}](#userappmanagementappstorepackagefamilynameappsettingpolicysettingvalue) + - [DoNotUpdate](#userappmanagementappstorepackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#userappmanagementappstorepackagefamilynamemaintainprocessorarchitectureonupdate) + - [ReleaseManagement](#userappmanagementappstorereleasemanagement) + - [{ReleaseManagementKey}](#userappmanagementappstorereleasemanagementreleasemanagementkey) + - [ChannelId](#userappmanagementappstorereleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#userappmanagementappstorereleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#userappmanagementappstorereleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#userappmanagementappstorereleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#userappmanagementappstorereleasemanagementreleasemanagementkeyreleasemanagementid) + - [LastScanError](#userappmanagementlastscanerror) + - [nonStore](#userappmanagementnonstore) + - [{PackageFamilyName}](#userappmanagementnonstorepackagefamilyname) + - [{PackageFullName}](#userappmanagementnonstorepackagefamilynamepackagefullname) + - [Architecture](#userappmanagementnonstorepackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#userappmanagementnonstorepackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#userappmanagementnonstorepackagefamilynamepackagefullnameinstalllocation) + - 
[IsBundle](#userappmanagementnonstorepackagefamilynamepackagefullnameisbundle) + - [IsFramework](#userappmanagementnonstorepackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#userappmanagementnonstorepackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#userappmanagementnonstorepackagefamilynamepackagefullnameisstub) + - [Name](#userappmanagementnonstorepackagefamilynamepackagefullnamename) + - [PackageStatus](#userappmanagementnonstorepackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#userappmanagementnonstorepackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#userappmanagementnonstorepackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#userappmanagementnonstorepackagefamilynamepackagefullnameresourceid) + - [Users](#userappmanagementnonstorepackagefamilynamepackagefullnameusers) + - [Version](#userappmanagementnonstorepackagefamilynamepackagefullnameversion) + - [AppSettingPolicy](#userappmanagementnonstorepackagefamilynameappsettingpolicy) + - [{SettingValue}](#userappmanagementnonstorepackagefamilynameappsettingpolicysettingvalue) + - [DoNotUpdate](#userappmanagementnonstorepackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#userappmanagementnonstorepackagefamilynamemaintainprocessorarchitectureonupdate) + - [ReleaseManagement](#userappmanagementnonstorereleasemanagement) + - [{ReleaseManagementKey}](#userappmanagementnonstorereleasemanagementreleasemanagementkey) + - [ChannelId](#userappmanagementnonstorereleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#userappmanagementnonstorereleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#userappmanagementnonstorereleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#userappmanagementnonstorereleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - 
[ReleaseManagementId](#userappmanagementnonstorereleasemanagementreleasemanagementkeyreleasemanagementid) + - [RemovePackage](#userappmanagementremovepackage) + - [ResetPackage](#userappmanagementresetpackage) + - [System](#userappmanagementsystem) + - [{PackageFamilyName}](#userappmanagementsystempackagefamilyname) + - [{PackageFullName}](#userappmanagementsystempackagefamilynamepackagefullname) + - [Architecture](#userappmanagementsystempackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#userappmanagementsystempackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#userappmanagementsystempackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#userappmanagementsystempackagefamilynamepackagefullnameisbundle) + - [IsFramework](#userappmanagementsystempackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#userappmanagementsystempackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#userappmanagementsystempackagefamilynamepackagefullnameisstub) + - [Name](#userappmanagementsystempackagefamilynamepackagefullnamename) + - [PackageStatus](#userappmanagementsystempackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#userappmanagementsystempackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#userappmanagementsystempackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#userappmanagementsystempackagefamilynamepackagefullnameresourceid) + - [Users](#userappmanagementsystempackagefamilynamepackagefullnameusers) + - [Version](#userappmanagementsystempackagefamilynamepackagefullnameversion) + - [AppSettingPolicy](#userappmanagementsystempackagefamilynameappsettingpolicy) + - [{SettingValue}](#userappmanagementsystempackagefamilynameappsettingpolicysettingvalue) + - [DoNotUpdate](#userappmanagementsystempackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#userappmanagementsystempackagefamilynamemaintainprocessorarchitectureonupdate) + - 
[ReleaseManagement](#userappmanagementsystemreleasemanagement) + - [{ReleaseManagementKey}](#userappmanagementsystemreleasemanagementreleasemanagementkey) + - [ChannelId](#userappmanagementsystemreleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#userappmanagementsystemreleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#userappmanagementsystemreleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#userappmanagementsystemreleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#userappmanagementsystemreleasemanagementreleasemanagementkeyreleasemanagementid) + - [UpdateScan](#userappmanagementupdatescan) + + + +## Device/AppInstallation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation ``` + -**Device or User context** -For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. + + +Used to perform app installation. + -> [!Note] -> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. + +This is a required node. + -**AppManagement** -Required. Used for inventory and app management (post-install). + +**Description framework properties**: -**AppManagement/UpdateScan** -Required. Used to start the Windows Update scan. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Execute. + + + -**AppManagement/LastScanError** -Required. Reports the last error code returned by the update scan. + -Supported operation is Get. + +### Device/AppInstallation/{PackageFamilyName} -**AppManagement/AppInventoryResults** -Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. - -Here's an example of AppInventoryResults operation. - -```xml - - 11 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults - - - + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} ``` + -**AppManagement/AppInventoryQuery** -Added in Windows 10, version 1511. Required. Specifies the query for app inventory. + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + -Query parameters: - -- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: - - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. - - PackageDetails - returns all inventory attributes of the package. This information includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. - - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. -- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: - - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. 
- - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. - - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. -- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: - - - Main - returns the main installed package. - - Bundle - returns installed bundle packages. - - Framework - returns installed framework packages. - - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. - - XAP - returns XAP package types. This filter is only supported on Windows Mobile. - - All - returns all package types. - - If no value is specified, the combination of Main, Bundle, and Framework are returned. - -- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. - - If you don't specify this value, then all packages are returned. - -- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. - - If you don't specify this value, then all publishers are returned. - - -Supported operation is Get and Replace. - -The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. - -```xml - - 10 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery - - xml - - - -``` -**AppManagement/RemovePackage** -Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. - -Parameters: -
    -Supported operation is Execute. - -The following example removes a package for all users: - -````XML - - 10 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage - - xml - - - - - -```` - -**AppManagement/nonStore** -Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. - -Supported operation is Get. - -**AppManagement/System** -Reports apps installed as part of the operating system. - -Supported operation is Get. - -**AppManagement/AppStore** -Required. Used for managing apps from the Microsoft Store. - -Supported operations are Get and Delete. - -**AppManagement/AppStore/ReleaseManagement** -Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + +This is an optional node. > [!NOTE] -> ReleaseManagement settings only apply to updates through the Microsoft Store. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** -Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it's for a set of apps, it's the PackageFamilyName of the main app. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId** -Added in Windows 10, version 1809. Specifies the app channel ID. - -Value type is string. - -Supported operations are Add, Get, Replace, and Delete. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId** -Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. - -Value type is string. 
- -Supported operations are Add, Get, Replace, and Delete. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease** -Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId** -Added in Windows 10, version 1809. Returns the last user channel ID on the device. - -Value type is string. - -Supported operation is Get. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId** -Added in Windows 10, version 1809. Returns the last user release ID on the device. - -Value type is string. - -Supported operation is Get. - -**.../***PackageFamilyName* -Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. - -Supported operations are Get and Delete. - -> [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: Package family name (PFN) of the app. | + + + +**Example**: Here's an example for uninstalling an app: 
@@ -280,155 +349,7755 @@ Here's an example for uninstalling an app: ``` + -**.../*PackageFamilyName*/***PackageFullName* -Optional. Full name of the package installed. + -Supported operations are Get and Delete. + +#### Device/AppInstallation/{PackageFamilyName}/HostedInstall -> [!Note] -> XAP files use a product ID in place of PackageFullName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall +``` + -**.../*PackageFamilyName*/*PackageFullName*/Name** -Required. Name of the app. + + +Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). + -Value type is string. + +This is a required node. The following list shows the supported deployment options: -Supported operation is Get. +- ForceApplicationShutdown +- DevelopmentMode +- InstallAllResources +- ForceTargetApplicationShutdown +- ForceUpdateToAnyVersion +- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. +- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. +- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607. +- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1. +- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. + -**.../*PackageFamilyName*/*PackageFullName*/Version** -Required. Version of the app. + +**Description framework properties**: -Value type is string. 
+| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + -Supported operation is Get. + + + -**.../*PackageFamilyName*/*PackageFullName*/Publisher** -Required. Publisher name of the app. + -Value type is string. + +#### Device/AppInstallation/{PackageFamilyName}/LastError -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**.../*PackageFamilyName*/*PackageFullName*/Architecture** -Required. Architecture of installed package. + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/LastError +``` + -Value type is string. + + +Last error relating to the app installation. + -> [!Note] + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/AppInstallation/{PackageFamilyName}/LastErrorDesc + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/LastErrorDesc +``` + + + + +Description of last error relating to the app installation. + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/AppInstallation/{PackageFamilyName}/ProgressStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/ProgressStatus +``` + + + + +An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/AppInstallation/{PackageFamilyName}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/Status +``` + + + + +Status of app installation. The following values are returned: NOT_INSTALLED (0) - The node was added, but the execution has not completed. INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/AppInstallation/{PackageFamilyName}/StoreInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall +``` + + + + +Command to perform an install of an app and a license from the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + + + + + + + + + +## Device/AppLicenses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses +``` + + + + +Used to manage licenses for app scenarios. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/AppLicenses/StoreLicenses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses +``` + + + + +Used to manage licenses for store apps. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/AppLicenses/StoreLicenses/{LicenseID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID} +``` + + + + +License ID for a store installed app. The license ID is generally the PFN of the app. + + + +This is an optional node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: License ID for a store installed app. The license ID is generally the PFN of the app. | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/AddLicense + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense +``` + + + + +Command to add license. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/GetLicenseFromStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/GetLicenseFromStore +``` + + + + +Command to get license from the store. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/LicenseCategory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/LicenseCategory +``` + + + + +Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/LicenseUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/LicenseUsage +``` + + + + +Indicates the allowed usage for the license. Valid values: Unknown - usage is unknown. Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. Offline - license is valid for use offline. You don't need a connection to the internet to use this license. Enterprise Root - The license is valid for line of business apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/RequesterID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/RequesterID +``` + + + + +Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/AppManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement +``` + + + + +Used for inventory and app management (post-install). + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/AppManagement/AppInventoryQuery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery +``` + + + + +Specifies the query for app inventory. + + + +This is a required node. Query parameters: + +- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: + - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. + - PackageDetails - returns all inventory attributes of the package. This information includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. + - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. + +- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: + - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. + - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. + - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. + +- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: + - Main - returns the main installed package. 
+ - Bundle - returns installed bundle packages. + - Framework - returns installed framework packages. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. + - XAP - returns XAP package types. This filter is only supported on Windows Mobile. + - All - returns all package types. + + If no value is specified, the combination of Main, Bundle, and Framework are returned. + +- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. + + If you don't specify this value, then all packages are returned. + +- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. + + If you don't specify this value, then all publishers are returned. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get, Replace | + + + +**Example**: + +The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. + +```xml + + 10 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery + + xml + + + +``` + + + + + +### Device/AppManagement/AppInventoryResults + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults +``` + + + + +Returns the results for app inventory that was created after the AppInventoryQuery operation. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + + + +**Example**: + +Here's an example of AppInventoryResults operation. + +```xml + + 11 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults + + + +``` + + + + + +### Device/AppManagement/AppStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore +``` + + + + + + + +This is a required node. Used for managing apps from the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### Device/AppManagement/AppStore/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + +**Example**: + +Here's an example for uninstalling an app: + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +##### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/InstallLocation** -Required. Install location of the app on the device. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Value type is string. + + + -> [!Note] + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/IsFramework** -Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -> [!Note] + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] > Not applicable to XAP files. + - Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/IsBundle** -Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. Possible values: + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/AppStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +| Applicability Setting | CSP state | Result | +|-----------------------|----------------|----------------------| +| True | Not configured | X86 flavor is picked | +| True | Enabled | X86 flavor is picked | +| True | Disabled | X86 flavor is picked | +| False (not set) | Not configured | X64 flavor is picked | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/AppStore/{PackageFamilyName}/NonRemovable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/NonRemovable +``` + + + + +This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn't remove it for all users. + + + +NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | App is not in the nonremovable app policy list. | +| 1 | App is included in the nonremovable app policy list. 
| + + + +**Examples**: + +- Add an app to the nonremovable app policy list + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 1 + + + + + + ``` + +- Get the status for a particular app + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + + + + + ``` + +- Replace an app in the nonremovable app policy list (Data 0 = app isn't in the app policy list; Data 1 = app is in the app policy list) + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 0 + + + + + + ``` + + + + + +#### Device/AppManagement/AppStore/ReleaseManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement +``` + + + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + +> [!NOTE] +> ReleaseManagement settings only apply to updates through the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey} +``` + + + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId +``` + + + + +Specifies the app channel ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/AppManagement/LastScanError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError +``` + + + + +Reports the last error code returned by the update scan. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Device/AppManagement/nonStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore +``` + + + + + + + +Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### Device/AppManagement/nonStore/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + +**Example**: + +Here's an example for uninstalling an app: + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +##### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. Possible values: + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppManagement/nonStore/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/nonStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +| Applicability Setting | CSP state | Result | +|-----------------------|----------------|----------------------| +| True | Not configured | X86 flavor is picked | +| True | Enabled | X86 flavor is picked | +| True | Disabled | X86 flavor is picked | +| False (not set) | Not configured | X64 flavor is picked | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/nonStore/{PackageFamilyName}/NonRemovable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/NonRemovable +``` + + + + +This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn't remove it for all users. + + + +NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | App is not in the nonremovable app policy list. | +| 1 | App is included in the nonremovable app policy list. 
| + + + +**Examples**: + +- Add an app to the nonremovable app policy list + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 1 + + + + + + ``` + +- Get the status for a particular app + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + + + + + ``` + +- Replace an app in the nonremovable app policy list (Data 0 = app isn't in the app policy list; Data 1 = app is in the app policy list) + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 0 + + + + + + ``` + + + + + +#### Device/AppManagement/nonStore/ReleaseManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement +``` + + + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey} +``` + + + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId +``` + + + + +Specifies the app channel ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/AppManagement/ResetPackage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/ResetPackage +``` + + + + +Used to restore the Windows app to its initial configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec, Get | + + + + + + + + + +### Device/AppManagement/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System +``` + + + + + + + +Reports apps installed as part of the operating system. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### Device/AppManagement/System/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +##### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings +``` + + + + +AppUpdateSettings nodes to support the auto-update and auto-repair feature for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoRepair + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoRepair +``` + + + + +AutoRepair node to support auto-repair feature for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoRepair/PackageSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoRepair/PackageSource +``` + + + + +PackageSource node that points the update location for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Allowed Values | Regular Expression: `^(([^;]+(?i)(\.appx|\.eappx|\.appxbundle|\.eappxbundle|\.msix|\.emsix|\.msixbundle|\.emsixbundle)([;]|$)){0,10}|([^;]+(?i)(\.appinstaller)([;]|$)){0,10})$` | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings +``` + + + + +AutoUpdateSettings nodes to support the auto-updates for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/AutomaticBackgroundTask + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/AutomaticBackgroundTask +``` + + + + +Specifies whether AutomaticBackgroundTask is enabled/disabled for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| True | AutomaticBackgroundTask is enabled for the package. | +| False (Default) | AutomaticBackgroundTask is disabled for the package. | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/Disable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/Disable +``` + + + + +Specifies whether the auto-update settings is enabled/disabled for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| True | AutoUpdates settings is disabled for the package. | +| False (Default) | AutoUpdates settings is enabled for the package. | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/ForceUpdateFromAnyVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/ForceUpdateFromAnyVersion +``` + + + + +Specifies whether the auto-update setting ForceUpdateFromAnyVersion is enabled/disabled for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| True | ForceUpdateFromAnyVersion is enabled for the package. | +| False (Default) | ForceUpdateFromAnyVersion is disabled for the package. | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/HoursBetweenUpdateChecks + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/HoursBetweenUpdateChecks
+```
+
+
+
+
+Specifies HoursBetweenUpdateChecks for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[8-10000]` |
+| Default Value | 8 |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/OnLaunchUpdateCheck
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/OnLaunchUpdateCheck
+```
+
+
+
+
+Specifies whether OnLaunchUpdateCheck is enabled/disabled for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| True | OnLaunchUpdateCheck is enabled for the package. |
+| False (Default) | OnLaunchUpdateCheck is disabled for the package. |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/PackageSource
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/PackageSource
+```
+
+
+
+
+PackageSource node that points the update location for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Allowed Values | Regular Expression: `^(([^;]+(?i)(\.appinstaller)([;]|$)){1,11})$` |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/ShowPrompt
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/ShowPrompt
+```
+
+
+
+
+Specifies whether the auto-update setting ShowPrompt is enabled/disabled for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| True | ShowPrompt is enabled for the package. |
+| False (Default) | ShowPrompt is disabled for the package. |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/UpdateBlocksActivation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/UpdateBlocksActivation
+```
+
+
+
+
+Specifies whether the auto-update setting UpdateBlocksActivation is enabled/disabled for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| True | UpdateBlocksActivation is enabled for the package. |
+| False (Default) | UpdateBlocksActivation is disabled for the package. |
+
+
+
+
+
+
+
+
+
+##### Device/AppManagement/System/{PackageFamilyName}/DoNotUpdate
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/DoNotUpdate
+```
+
+
+
+
+Specifies whether you want to block a specific app from being updated via auto-updates.
+
+
+
+This is a required node.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | False. |
+| 1 | True. |
+
+
+
+
+
+
+
+
+
+##### Device/AppManagement/System/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate
+```
+
+
+
+
+Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available.
+
+
+
+Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
+
+| Applicability Setting | CSP state | Result |
+|-----------------------|----------------|----------------------|
+| True | Not configured | X86 flavor is picked |
+| True | Enabled | X86 flavor is picked |
+| True | Disabled | X86 flavor is picked |
+| False (not set) | Not configured | X64 flavor is picked |
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | False. |
+| 1 | True. |
+
+
+
+
+
+
+
+
+
+##### Device/AppManagement/System/{PackageFamilyName}/NonRemovable
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/NonRemovable
+```
+
+
+
+
+This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn't remove it for all users.
+
+
+
+NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | App is not in the nonremovable app policy list. |
+| 1 | App is included in the nonremovable app policy list. 
|
+
+
+
+**Examples**:
+
+- Add an app to the nonremovable app policy list
+
+ ```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+ int
+
+ 1
+
+
+
+
+
+ ```
+
+- Get the status for a particular app
+
+ ```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+
+
+
+
+ ```
+
+- Replace an app in the nonremovable app policy list (Data 0 = app isn't in the app policy list; Data 1 = app is in the app policy list)
+
+ ```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+ int
+
+ 0
+
+
+
+
+
+ ```
+
+
+
+
+
+#### Device/AppManagement/System/ReleaseManagement
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement
+```
+
+
+
+
+Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}
+```
+
+
+
+
+Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get, Replace |
+| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ChannelId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ChannelId
+```
+
+
+
+
+Specifies the app channel ID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease
+```
+
+
+
+
+Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId
+```
+
+
+
+
+Returns the last user channel ID on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId
+```
+
+
+
+
+Returns the last user release ID on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId
+```
+
+
+
+
+The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/AppManagement/UpdateScan
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan
+```
+
+
+
+
+Used to start the Windows Update scan.
+
+
+
+This is a required node.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+## User/AppInstallation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation
+```
+
+
+
+
+Used to perform app installation.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### User/AppInstallation/{PackageFamilyName}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}
+```
+
+
+
+
+Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
+
+
+
+> [!NOTE]
+> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Dynamic Node Naming | UniqueName: Package family name (PFN) of the app. |
+
+
+
+**Example**:
+
+Here's an example for uninstalling an app:
+
+```xml
+
+
+
+
+ 2
+
+
+ ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D
+
+
+
+
+
+
+```
+
+
+
+
+
+#### User/AppInstallation/{PackageFamilyName}/HostedInstall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall
+```
+
+
+
+
+Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source).
+
+
+
+This is a required node. The following list shows the supported deployment options:
+
+- ForceApplicationShutdown
+- DevelopmentMode
+- InstallAllResources
+- ForceTargetApplicationShutdown
+- ForceUpdateToAnyVersion
+- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
+- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
+- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607.
+- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1.
+- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | xml |
+| Access Type | Add, Delete, Exec, Get |
+
+
+
+
+
+
+
+
+
+#### User/AppInstallation/{PackageFamilyName}/LastError
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/LastError
+```
+
+
+
+
+Last error relating to the app installation.
+
+
+
+> [!NOTE]
+> This element isn't present after the app is installed.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/AppInstallation/{PackageFamilyName}/LastErrorDesc
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/LastErrorDesc
+```
+
+
+
+
+Description of last error relating to the app installation.
+
+
+
+> [!NOTE]
+> This element isn't present after the app is installed.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/AppInstallation/{PackageFamilyName}/ProgressStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/ProgressStatus
+```
+
+
+
+
+An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero).
+
+
+
+> [!NOTE]
+> This element isn't present after the app is installed.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/AppInstallation/{PackageFamilyName}/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/Status
+```
+
+
+
+
+Status of app installation. The following values are returned: NOT_INSTALLED (0) - The node was added, but the execution has not completed. INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear.
+
+
+
+> [!NOTE]
+> This element isn't present after the app is installed.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/AppInstallation/{PackageFamilyName}/StoreInstall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall
+```
+
+
+
+
+Command to perform an install of an app and a license from the Microsoft Store.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | xml |
+| Access Type | Add, Delete, Exec, Get |
+
+
+
+
+
+
+
+
+
+## User/AppLicenses
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses
+```
+
+
+
+
+Used to manage licenses for app scenarios.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### User/AppLicenses/StoreLicenses
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses
+```
+
+
+
+
+Used to manage licenses for store apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/AppLicenses/StoreLicenses/{LicenseID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}
+```
+
+
+
+
+License ID for a store installed app. The license ID is generally the PFN of the app.
+
+
+
+This is an optional node.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: License ID for a store installed app. The license ID is generally the PFN of the app. |
+
+
+
+
+
+
+
+
+
+##### User/AppLicenses/StoreLicenses/{LicenseID}/AddLicense
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense
+```
+
+
+
+
+Command to add license.
+
+
+
+This is a required node.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | xml |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+##### User/AppLicenses/StoreLicenses/{LicenseID}/GetLicenseFromStore
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/GetLicenseFromStore
+```
+
+
+
+
+Command to get license from the store.
+
+
+
+This is a required node.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | xml |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+##### User/AppLicenses/StoreLicenses/{LicenseID}/LicenseCategory
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/LicenseCategory
+```
+
+
+
+
+Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/AppLicenses/StoreLicenses/{LicenseID}/LicenseUsage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/LicenseUsage
+```
+
+
+
+
+Indicates the allowed usage for the license. Valid values: Unknown - usage is unknown. Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. Offline - license is valid for use offline. You don't need a connection to the internet to use this license. Enterprise Root - The license is valid for line of business apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/AppLicenses/StoreLicenses/{LicenseID}/RequesterID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/RequesterID
+```
+
+
+
+
+Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## User/AppManagement
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement +``` + + + + +Used for inventory and app management (post-install). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/AppManagement/AppInventoryQuery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery +``` + + + + +Specifies the query for app inventory. + + + +This is a required node. Query parameters: + +- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: + - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. + - PackageDetails - returns all inventory attributes of the package. This information includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. + - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. +- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: + - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. + - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. + - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. +- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by `|`. Valid values are: + - Main - returns the main installed package. 
+ - Bundle - returns installed bundle packages. + - Framework - returns installed framework packages. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. + - XAP - returns XAP package types. This filter is only supported on Windows Mobile. + - All - returns all package types. + + If no value is specified, the combination of Main, Bundle, and Framework are returned. + +- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. + + If you don't specify this value, then all packages are returned. + +- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. + + If you don't specify this value, then all publishers are returned. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get, Replace | + + + +**Example**: + +The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. + +```xml + + 10 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery + + xml + + + +``` + + + + + +### User/AppManagement/AppInventoryResults + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults +``` + + + + +Returns the results for app inventory that was created after the AppInventoryQuery operation. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + + + +**Example**: + +Here's an example of AppInventoryResults operation. + +```xml + + 11 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults + + + +``` + + + + + +### User/AppManagement/AppStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore +``` + + + + + + + +This is a required node. Used for managing apps from the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### User/AppManagement/AppStore/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + +**Example**: + +Here's an example for uninstalling an app: + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +##### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. Possible values: + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/AppManagement/AppStore/{PackageFamilyName}/AppSettingPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/AppSettingPolicy +``` + + + + +Interior node for all managed app setting values. + + + +> [!NOTE] +> This node is only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/AppSettingPolicy/{SettingValue} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/AppSettingPolicy/{SettingValue} +``` + + + + +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. + + + +This setting only works for apps that support the feature and it's only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. | + + + +**Examples**: + +- The following example sets the value for the 'Server' + + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy/Server + + + chr + + server1.contoso.com + + + ``` + +- The following example gets all managed app settings for a specific app. + + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy?list=StructData + + + + ``` + + + + + +##### User/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### User/AppManagement/AppStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +|Applicability Setting |CSP state |Result | +|---------|---------|---------| +|True |Not configured |X86 flavor is picked | +|True |Enabled |X86 flavor is picked | +|True |Disabled |X86 flavor is picked | +|False (not set) |Not configured |X64 flavor is picked | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +#### User/AppManagement/AppStore/ReleaseManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement +``` + + + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + +> [!NOTE] +> ReleaseManagement settings only apply to updates through the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey} +``` + + + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId +``` + + + + +Specifies the app channel ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/AppManagement/LastScanError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError +``` + + + + +Reports the last error code returned by the update scan. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### User/AppManagement/nonStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore +``` + + + + + + + +Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### User/AppManagement/nonStore/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +##### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/InstallDate** -Required. Date the app was installed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -Value type is string. + + + -Supported operation is Get. + -**.../*PackageFamilyName*/*PackageFullName*/ResourceID** -Required. Resource ID of the app. This value is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Name -> [!Note] + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/PackageStatus** -Required. Provides information about the status of the package. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -Value type is int. Valid values are: + + + -- OK (0) - The package is usable. -- LicenseIssue (1) - The license of the package isn't valid. -- Modified (2) - The package payload was modified by an unknown source. -- Tampered (4) - The package payload was tampered intentionally. -- Disabled (8) - The package isn't available for use. It can still be serviced. + -> [!Note] + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall** -Required. Specifies whether the package state has changed and requires a reinstallation of the app. This change of status can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -> [!Note] + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/Users** -Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +Requried. - Not Installed = 0 - Staged = 1 - Installed = 2 - Paused = 6 + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned** -Required. The value is 0 or 1 that indicates if the app is provisioned on the device. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -The value type is int. + + + -Supported operation is Get. + -**.../*PackageFamilyName*/*PackageFullName*/IsStub** -Added in Windows 10, version 2004. -Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Version -The value is 1 if the package is a stub package and 0 (zero) for all other cases. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is int. + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Version +``` + -Supported operation is Get. + + +Version of the app. Value type is string. + -**.../*PackageFamilyName*/DoNotUpdate** -Required. Specifies whether you want to block a specific app from being updated via auto-updates. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT) -Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**.../*PackageFamilyName*/AppSettingPolicy/***SettingValue* (only for ./User/Vendor/MSFT) -Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. + + + + + + +##### User/AppManagement/nonStore/{PackageFamilyName}/AppSettingPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/AppSettingPolicy +``` + + + + +Interior node for all managed app setting values. + + + +This node is only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/AppSettingPolicy/{SettingValue} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/AppSettingPolicy/{SettingValue} +``` + + + + +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. + + + This setting only works for apps that support the feature and it's only supported in the user context. + -Value type is string. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. | + + The following example sets the value for the 'Server' ```xml @@ -460,223 +8129,1747 @@ The following example gets all managed app settings for a specific app. ``` + -**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate** -Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + -Supported operations are Add, Get, Delete, and Replace. + +##### User/AppManagement/nonStore/{PackageFamilyName}/DoNotUpdate -Value type is integer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### User/AppManagement/nonStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). -|Applicability Setting |CSP state |Result | -|---------|---------|---------| -|True |Not configured |X86 flavor is picked | -|True |Enabled |X86 flavor is picked | -|True |Disabled |X86 flavor is picked | -|False (not set) |Not configured |X64 flavor is picked | +| Applicability Setting | CSP state | Result | +|-----------------------|----------------|----------------------| +| True | Not configured | X86 flavor is picked | +| True | Enabled | X86 flavor is picked | +| True | Disabled | X86 flavor is picked | +| False (not set) | Not configured | X64 flavor is picked | + -**.../_PackageFamilyName_/NonRemovable** -Added in Windows 10, version 1809. Specifies if an app is nonremovable by the user. + +**Description framework properties**: -This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This setting is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This setting is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -NonRemovable requires admin permission. 
This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. + +**Allowed values**: -Value type is integer. +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + -Supported operations are Add, Get, and Replace. + + + -Valid values: + -- 0 – app isn't in the nonremovable app policy list -- 1 – app is included in the nonremovable app policy list + +#### User/AppManagement/nonStore/ReleaseManagement -**Examples:** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Add an app to the nonremovable app policy list - -```xml - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable - - - int - - 1 - - - - - + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement ``` + -Get the status for a particular app + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + -```xml - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable - - - - - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey} ``` + -Replace an app in the nonremovable app policy list -Data 0 = app isn't in the app policy list -Data 1 = app is in the app policy list + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + -```xml - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable - - - int - - 0 - - - - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId ``` + -**AppInstallation** -Required node. Used to perform app installation. + + +Specifies the app channel ID. + -**AppInstallation/***PackageFamilyName* -Optional node. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + -Supported operations are Get and Add. + +**Description framework properties**: -> [!Note] +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/AppManagement/RemovePackage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage +``` + + + + +Used to remove packages. + + + +Parameters: + +- Package + - Name: Specifies the PackageFullName of the particular package to remove. + - RemoveForAllUsers: + - 0 (default) - Package will be un-provisioned so that new users don't receive the package. The package will remain installed for current users. This option isn't currently supported. + - 1 - Package will be removed for all users only if it's a provisioned package. +- User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec, Get | + + + +**Example**: + +The following example removes a package for all users: + +````XML + + 10 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage + + xml + + + + + +```` + + + + + +### User/AppManagement/ResetPackage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/ResetPackage +``` + + + + +Used to restore the Windows app to its initial configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec, Get | + + + + + + + + + +### User/AppManagement/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System +``` + + + + + + + +Reports apps installed as part of the operating system. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### User/AppManagement/System/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + -**AppInstallation/*PackageFamilyName*/StoreInstall** -Required. Command to perform an install of an app and a license from the Microsoft Store. + +**Description framework properties**: -Supported operation is Execute, Add, Delete, and Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + -**AppInstallation/*PackageFamilyName*/HostedInstall** -Required. Command to perform an install of an app package from a hosted location (this location can be a local drive, a UNC, or https data source). + +**Example**: -The following list shows the supported deployment options: +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + -- ForceApplicationShutdown -- DevelopmentMode  -- InstallAllResources -- ForceTargetApplicationShutdown  -- ForceUpdateToAnyVersion -- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. -- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. -- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. 
Available in 1607. -- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1. -- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. + -Supported operation is Execute, Add, Delete, and Get. + +##### User/AppManagement/System/{PackageFamilyName}/{PackageFullName} -**AppInstallation/*PackageFamilyName*/LastError** -Required. Last error relating to the app installation. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName} +``` + -> [!Note] -> This element isn't present after the app is installed. + + +Full name of the package installed. + -**AppInstallation/*PackageFamilyName*/LastErrorDesc** -Required. Description of last error relating to the app installation. + + + -Supported operation is Get. + +**Description framework properties**: -> [!Note] -> This element isn't present after the app is installed. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + -**AppInstallation/*PackageFamilyName*/Status** -Required. Status of app installation. The following values are returned: + + + -- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed. -- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated. -- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. -- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear. + -Supported operation is Get. + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Architecture -> [!Note] -> This element isn't present after the app is installed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Architecture +``` + -**AppInstallation/*PackageFamilyName*/ProgessStatus** -Required. An integer that indicates the progress of the app installation. For https locations, this integer indicates the download progress. ProgressStatus isn't available for provisioning and it's only for user-based installations. ProgressStatus value is always 0 (zero) in provisioning. + + +Architecture of installed package. Value type is string. + -Supported operation is Get. + +> [!NOTE] +> Not applicable to XAP files. + -> [!Note] -> This element isn't present after the app is installed. + +**Description framework properties**: -**AppLicenses** -Required node. Used to manage licenses for app scenarios. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**AppLicenses/StoreLicenses** -Required node. Used to manage licenses for store apps. + + + -**AppLicenses/StoreLicenses/***LicenseID* -Optional node. License ID for a store installed app. The license ID is generally the PFN of the app. + -Supported operations are Add, Get, and Delete. + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallDate -**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory** -Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid values are: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- Unknown - unknown license category -- Retail - license sold through retail channels, typically from the Microsoft Store -- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business -- OEM - license issued to an OEM -- Developer - developer license, typically installed during the app development or side-loading scenarios. + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + -Supported operation is Get. + + +Date the app was installed. Value type is string. + -**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage** -Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values are: + +This is a required node. + -- Unknown - usage is unknown. -- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. -- Offline - license is valid for use offline. You don't need a connection to the internet to use this license. -- Enterprise Root - + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**AppLicenses/StoreLicenses/*LicenseID*/RequesterID** -Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. + + + -Supported operation is Get. + -**AppLicenses/StoreLicenses/*LicenseID*/AddLicense** -Required. Command to add license. 
+ +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallLocation -Supported operation is Execute. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore** -Added in Windows 10, version 1511. Required. Command to get license from the store. + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + -Supported operation is Execute. + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/AppManagement/System/{PackageFamilyName}/AppSettingPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppSettingPolicy +``` + + + + +Interior node for all managed app setting values. + + + +This node is only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/AppSettingPolicy/{SettingValue} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppSettingPolicy/{SettingValue} +``` + + + + +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. + + + +This setting only works for apps that support the feature and it's only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. | + + + +**Examples**: + +- The following example sets the value for the 'Server' + + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy/Server + + + chr + + server1.contoso.com + + + ``` + +- The following example gets all managed app settings for a specific app. + + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy?list=StructData + + + + ``` + + + + + +##### User/AppManagement/System/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### User/AppManagement/System/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +| Applicability Setting | CSP state | Result | +|-----------------------|----------------|----------------------| +| True | Not configured | X86 flavor is picked | +| True | Enabled | X86 flavor is picked | +| True | Disabled | X86 flavor is picked | +| False (not set) | Not configured | X64 flavor is picked | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +#### User/AppManagement/System/ReleaseManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement +``` + + + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey} +``` + + + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ChannelId +``` + + + + +Specifies the app channel ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/AppManagement/UpdateScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan +``` + + + + +Used to start the Windows Update scan. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + + +## EnterpriseModernAppManagement XSD + +Here is the XSD for the application parameters. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` ## Examples @@ -717,7 +9910,10 @@ Subsequent query for a specific app for its properties. ``` + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index a7c599a149..2e9e5509b9 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md 
@@ -1,34 +1,32 @@ --- -title: EnterpriseModernAppManagement DDF -description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP). -ms.reviewer: +title: EnterpriseModernAppManagement DDF file +description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/01/2019 +ms.topic: reference --- -# EnterpriseModernAppManagement DDF + -This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# EnterpriseModernAppManagement DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider. ```xml -]> +]> 1.2 + + EnterpriseModernAppManagement - ./Vendor/MSFT + ./User/Vendor/MSFT @@ -43,8 +41,13 @@ The XML below is the current version for this CSP. - + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + AppManagement @@ -52,6 +55,7 @@ The XML below is the current version for this CSP. + Used for inventory and app management (post-install). @@ -62,11 +66,11 @@ The XML below is the current version for this CSP. - + - + AppStore 
@@ -82,19 +86,20 @@ The XML below is the current version for this CSP. - EnterpriseID - + - + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. @@ -106,17 +111,22 @@ The XML below is the current version for this CSP. PackageFamilyName - + + + + - + + + Full name of the package installed. @@ -128,8 +138,11 @@ The XML below is the current version for this CSP. PackageFullName - + + + + Name @@ -137,6 +150,7 @@ The XML below is the current version for this CSP. + Name of the app. Value type is string. @@ -147,7 +161,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -157,6 +171,7 @@ The XML below is the current version for this CSP. + Version of the app. Value type is string. @@ -167,7 +182,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -177,6 +192,7 @@ The XML below is the current version for this CSP. + Publisher name of the app. Value type is string. @@ -187,7 +203,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -197,6 +213,7 @@ The XML below is the current version for this CSP. + Architecture of installed package. Value type is string. @@ -207,7 +224,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -217,6 +234,7 @@ The XML below is the current version for this CSP. + Install location of the app on the device. Value type is string. @@ -227,7 +245,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -237,6 +255,7 @@ The XML below is the current version for this CSP. + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. @@ -247,7 +266,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -257,6 +276,7 @@ The XML below is the current version for this CSP. + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. @@ -267,7 +287,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -277,6 +297,7 @@ The XML below is the current version for this CSP. + Date the app was installed. Value type is string. @@ -287,7 +308,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -297,6 +318,7 @@ The XML below is the current version for this CSP. + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. @@ -307,7 +329,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -317,6 +339,7 @@ The XML below is the current version for this CSP. + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. @@ -327,7 +350,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -337,6 +360,7 @@ The XML below is the current version for this CSP. + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. @@ -347,7 +371,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -357,6 +381,7 @@ The XML below is the current version for this CSP. + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. @@ -367,7 +392,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -377,6 +402,7 @@ The XML below is the current version for this CSP. + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. @@ -387,7 +413,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -397,6 +423,7 @@ The XML below is the current version for this CSP. + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. @@ -407,8 +434,12 @@ The XML below is the current version for this CSP. - text/plain + + + 10.0.19041 + 1.2 + @@ -421,6 +452,7 @@ The XML below is the current version for this CSP. + Specifies whether you want to block a specific app from being updated via auto-updates. @@ -432,8 +464,18 @@ The XML below is the current version for this CSP. DoNotUpdate - text/plain + + + + 0 + False + + + 1 + True + + @@ -445,6 +487,7 @@ The XML below is the current version for this CSP. + Interior node for all managed app setting values. @@ -455,11 +498,12 @@ The XML below is the current version for this CSP. - + - + + @@ -467,6 +511,7 @@ The XML below is the current version for this CSP. + The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. 
@@ -478,8 +523,11 @@ The XML below is the current version for this CSP. SettingValue - text/plain + + + SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. + @@ -487,11 +535,12 @@ The XML below is the current version for this CSP. MaintainProcessorArchitectureOnUpdate - + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. @@ -503,31 +552,22 @@ The XML below is the current version for this CSP. MaintainProcessorArchitectureOnUpdate - text/plain - - - - - NonRemovable - - - - - - - - - - - - - - - - NonRemovable - - text/plain + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + @@ -536,10 +576,9 @@ The XML below is the current version for this CSP. - - + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. @@ -547,44 +586,48 @@ The XML below is the current version for this CSP. - + - + - + + - - + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. - + - + ReleaseManagementKey - + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. + ChannelId - + + Specifies the app channel ID. 
@@ -595,19 +638,22 @@ The XML below is the current version for this CSP. - text/plain + + + ReleaseManagementId - + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. @@ -618,8 +664,10 @@ The XML below is the current version for this CSP. - text/plain + + + @@ -628,17 +676,18 @@ The XML below is the current version for this CSP. + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. - + - + - + @@ -647,6 +696,7 @@ The XML below is the current version for this CSP. + Returns the last user channel ID on the device. @@ -657,7 +707,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -667,6 +717,7 @@ The XML below is the current version for this CSP. + Returns the last user release ID on the device. 
@@ -677,7 +728,1341 @@ The XML below is the current version for this CSP. - text/plain + + + + + + + + + + nonStore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. 
Disabled (8) - The package is not available for use. It can still be serviced. + + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. + + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + AppSettingPolicy + + + + + + + + Interior node for all managed app setting values. + + + + + + + + + + + + + + + + + + + + + + + + The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. + + + + + + + + + + SettingValue + + + + + SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. 
+ + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. + + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. 
+ + + + + + + + + + + + + + + + + + + + System + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. 
+ + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. + + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + AppSettingPolicy + + + + + + + + Interior node for all managed app setting values. + + + + + + + + + + + + + + + + + + + + + + + + The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. + + + + + + + + + + SettingValue + + + + + SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. 
For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. + + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. + + + + + + + + + + + @@ -691,6 +2076,7 @@ The XML below is the current version for this CSP. + Used to start the Windows Update scan. @@ -701,7 +2087,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -711,6 +2097,7 @@ The XML below is the current version for this CSP. + Reports the last error code returned by the update scan. @@ -721,7 +2108,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -731,6 +2118,7 @@ The XML below is the current version for this CSP. + Returns the results for app inventory that was created after the AppInventoryQuery operation. @@ -741,7 +2129,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -752,6 +2140,7 @@ The XML below is the current version for this CSP. + Specifies the query for app inventory. @@ -762,8 +2151,10 @@ The XML below is the current version for this CSP. - text/plain + + + @@ -773,6 +2164,7 @@ The XML below is the current version for this CSP. + Used to remove packages. @@ -783,8 +2175,42 @@ The XML below is the current version for this CSP. - text/plain + + + 10.0.15063 + 1.2 + + + + + + + ResetPackage + + + + + + Used to restore the Windows app to its initial configuration. + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + + @@ -794,6 +2220,7 @@ The XML below is the current version for this CSP. + Used to perform app installation. @@ -804,11 +2231,12 @@ The XML below is the current version for this CSP. - + - + + @@ -816,6 +2244,7 @@ The XML below is the current version for this CSP. + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. @@ -827,18 +2256,22 @@ The XML below is the current version for this CSP. PackageFamilyName - + + + Package family name (PFN) of the app. + StoreInstall - + + Command to perform an install of an app and a license from the Microsoft Store. @@ -849,7 +2282,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -857,11 +2290,12 @@ The XML below is the current version for this CSP. HostedInstall - + + Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). @@ -872,7 +2306,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -882,6 +2316,7 @@ The XML below is the current version for this CSP. + Last error relating to the app installation. @@ -892,7 +2327,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -902,6 +2337,7 @@ The XML below is the current version for this CSP. + Description of last error relating to the app installation. @@ -912,7 +2348,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -922,6 +2358,7 @@ The XML below is the current version for this CSP. + Status of app installation. The following values are returned: NOT_INSTALLED (0) - The node was added, but the execution has not completed. INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. @@ -932,7 +2369,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -942,6 +2379,7 @@ The XML below is the current version for this CSP. + An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). @@ -952,7 +2390,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -964,6 +2402,7 @@ The XML below is the current version for this CSP. + Used to manage licenses for app scenarios. @@ -974,7 +2413,7 @@ The XML below is the current version for this CSP. - + @@ -983,6 +2422,7 @@ The XML below is the current version for this CSP. + Used to manage licenses for store apps. @@ -993,17 +2433,19 @@ The XML below is the current version for this CSP. - + - + + + License ID for a store installed app. The license ID is generally the PFN of the app. @@ -1015,8 +2457,11 @@ The XML below is the current version for this CSP. LicenseID - + + + License ID for a store installed app. The license ID is generally the PFN of the app. + LicenseCategory @@ -1024,6 +2469,7 @@ The XML below is the current version for this CSP. + Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios. @@ -1034,7 +2480,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -1044,6 +2490,7 @@ The XML below is the current version for this CSP. + Indicates the allowed usage for the license. Valid values: Unknown - usage is unknown. Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. Offline - license is valid for use offline. You don't need a connection to the internet to use this license. Enterprise Root - The license is valid for line of business apps. @@ -1054,7 +2501,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -1064,6 +2511,7 @@ The XML below is the current version for this CSP. + Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. @@ -1074,7 +2522,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -1084,6 +2532,7 @@ The XML below is the current version for this CSP. + Command to add license. @@ -1094,7 +2543,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -1104,6 +2553,7 @@ The XML below is the current version for this CSP. + Command to get license from the store. 
@@ -1114,7 +2564,2831 @@ The XML below is the current version for this CSP. - text/plain + + + + + + + + + + EnterpriseModernAppManagement + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + AppManagement + + + + + Used for inventory and app management (post-install). + + + + + + + + + + + + + + + AppStore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. 
This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. 
+ + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + NonRemovable + + + + + + + This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. + + + + + + + + + + NonRemovable + + + + + 10.0.17763 + 1.2 + + + + 0 + app is not in the nonremovable app policy list + + + 1 + app is included in the nonremovable app policy list + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. 
+ + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. + + + + + + + + + + + + + + + + + + + + nonStore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. 
+ + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. 
+ + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + NonRemovable + + + + + + + This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. + + + + + + + + + + NonRemovable + + + + + 10.0.17763 + 1.2 + + + + 0 + app is not in the nonremovable app policy list + + + 1 + app is included in the nonremovable app policy list + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. 
+ + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. + + + + + + + + + + + + + + + + + + + + System + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. 
+ + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. 
+ + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + NonRemovable + + + + + + + This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. + + + + + + + + + + NonRemovable + + + + + 10.0.17763 + 1.2 + + + + 0 + app is not in the nonremovable app policy list + + + 1 + app is included in the nonremovable app policy list + + + + + + AppUpdateSettings + + + + + + + AppUpdateSettings nodes to support the auto-update and auto-repair feature for a specific package + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + + + AutoUpdateSettings + + + + + + + AutoUpdateSettings nodes to support the auto-updates for a specific package + + + + + + + + + + + + + + + PackageSource + + + + + + PackageSource node that points the update location for a specific package + + + + + + + + + + + + + + ^(([^;]+(?i)(\.appinstaller)([;]|$)){1,11})$ + + + + + + AutomaticBackgroundTask + + + + + + False + Specifies whether AutomaticBackgroundTask is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + AutomaticBackgroundTask is enabled for the package + + + False + AutomaticBackgroundTask is disabled for the package + + + + + + 
OnLaunchUpdateCheck + + + + + + False + Specifies whether OnLaunchUpdateCheck is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + OnLaunchUpdateCheck is enabled for the package + + + False + OnLaunchUpdateCheck is disabled for the package + + + + + + HoursBetweenUpdateChecks + + + + + + 8 + Specifies HoursBetweenUpdateChecks for a specific package + + + + + + + + + + + + + + [8-10000] + + + + + ShowPrompt + + + + + + False + Specifies whether the auto-update setting ShowPrompt is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + ShowPrompt is enabled for the package + + + False + ShowPrompt is disabled for the package + + + + + + UpdateBlocksActivation + + + + + + False + Specifies whether the auto-update setting UpdateBlocksActivation is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + UpdateBlocksActivation is enabled for the package + + + False + UpdateBlocksActivation is disabled for the package + + + + + + ForceUpdateFromAnyVersion + + + + + + False + Specifies whether the auto-update setting ForceUpdateFromAnyVersion is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + ForceUpdateFromAnyVersion is enabled for the package + + + False + ForceUpdateFromAnyVersion is disabled for the package + + + + + + Disable + + + + + + False + Specifies whether the auto-update settings is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + AutoUpdates settings is disabled for the package + + + False + AutoUpdates settings is enabled for the package + + + + + + + AutoRepair + + + + + + + AutoRepair node to support auto-repair feature for a specific package + + + + + + + + + + + + + + + PackageSource + + + + + + PackageSource node that points the update location for a specific package + + + + + + + + + + + + + + 
^(([^;]+(?i)(\.appx|\.eappx|\.appxbundle|\.eappxbundle|\.msix|\.emsix|\.msixbundle|\.emsixbundle)([;]|$)){0,10}|([^;]+(?i)(\.appinstaller)([;]|$)){0,10})$ + + + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. + + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. + + + + + + + + + + + + + + + + + + + + UpdateScan + + + + + Used to start the Windows Update scan. + + + + + + + + + + + + + + + + LastScanError + + + + + Reports the last error code returned by the update scan. + + + + + + + + + + + + + + + + AppInventoryResults + + + + + Returns the results for app inventory that was created after the AppInventoryQuery operation. 
+ + + + + + + + + + + + + + + + AppInventoryQuery + + + + + + Specifies the query for app inventory. + + + + + + + + + + + + + + + + + + ResetPackage + + + + + + Used to restore the Windows app to its initial configuration. + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + + + + + + + AppInstallation + + + + + Used to perform app installation. + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + Package family name (PFN) of the app. + + + + StoreInstall + + + + + + + + Command to perform an install of an app and a license from the Microsoft Store. + + + + + + + + + + + + + + + + HostedInstall + + + + + + + + Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). + + + + + + + + + + + + + + + + LastError + + + + + Last error relating to the app installation. + + + + + + + + + + + + + + + + LastErrorDesc + + + + + Description of last error relating to the app installation. + + + + + + + + + + + + + + + + Status + + + + + Status of app installation. The following values are returned: NOT_INSTALLED (0) - The node was added, but the execution has not completed. INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. + + + + + + + + + + + + + + + + ProgressStatus + + + + + An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. 
ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). + + + + + + + + + + + + + + + + + + AppLicenses + + + + + Used to manage licenses for app scenarios. + + + + + + + + + + + + + + + StoreLicenses + + + + + Used to manage licenses for store apps. + + + + + + + + + + + + + + + + + + + + + + + License ID for a store installed app. The license ID is generally the PFN of the app. + + + + + + + + + + LicenseID + + + + + License ID for a store installed app. The license ID is generally the PFN of the app. + + + + LicenseCategory + + + + + Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios. + + + + + + + + + + + + + + + + LicenseUsage + + + + + Indicates the allowed usage for the license. Valid values: Unknown - usage is unknown. Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. Offline - license is valid for use offline. You don't need a connection to the internet to use this license. Enterprise Root - The license is valid for line of business apps. + + + + + + + + + + + + + + + + RequesterID + + + + + Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. + + + + + + + + + + + + + + + + AddLicense + + + + + Command to add license. 
+ + + + + + + + + + + + + + + + GetLicenseFromStore + + + + + Command to get license from the store. + + + + + + + + + + + @@ -1124,3 +5398,7 @@ The XML below is the current version for this CSP. ``` + +## Related articles + +[EnterpriseModernAppManagement configuration service provider reference](enterprisemodernappmanagement-csp.md) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md deleted file mode 100644 index 423e4752c9..0000000000 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: EnterpriseModernAppManagement XSD -description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# EnterpriseModernAppManagement XSD - -Here is the XSD for the application parameters. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -  - -  - - - - - - diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 1d8c5255b7..bbd1a859ce 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md 
@@ -1,194 +1,1045 @@ --- title: eUICCs CSP -description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. +description: Learn more about the eUICCs CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/02/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # eUICCs CSP -The table below shows the applicability of Windows: + + +The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the eUICCs configuration service provider nodes: -The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. 
+- ./Device/Vendor/MSFT/eUICCs + - [{eUICC}](#euicc) + - [Actions](#euiccactions) + - [ResetToFactoryState](#euiccactionsresettofactorystate) + - [Status](#euiccactionsstatus) + - [DownloadServers](#euiccdownloadservers) + - [{ServerName}](#euiccdownloadserversservername) + - [AutoEnable](#euiccdownloadserversservernameautoenable) + - [DiscoveryState](#euiccdownloadserversservernamediscoverystate) + - [IsDiscoveryServer](#euiccdownloadserversservernameisdiscoveryserver) + - [Identifier](#euiccidentifier) + - [IsActive](#euiccisactive) + - [Policies](#euiccpolicies) + - [LocalUIEnabled](#euiccpolicieslocaluienabled) + - [PPR1Allowed](#euiccppr1allowed) + - [PPR1AlreadySet](#euiccppr1alreadyset) + - [Profiles](#euiccprofiles) + - [{ICCID}](#euiccprofilesiccid) + - [ErrorDetail](#euiccprofilesicciderrordetail) + - [IsEnabled](#euiccprofilesiccidisenabled) + - [MatchingID](#euiccprofilesiccidmatchingid) + - [PPR1Set](#euiccprofilesiccidppr1set) + - [PPR2Set](#euiccprofilesiccidppr2set) + - [ServerName](#euiccprofilesiccidservername) + - [State](#euiccprofilesiccidstate) + -The following shows the eUICCs configuration service provider in tree format. + +## {eUICC} + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC} ``` -./Device/Vendor/MSFT -eUICCs -----eUICC ---------Identifier ---------IsActive ---------PPR1Allowed ---------PPR1AlreadySet ---------DownloadServers -------------ServerName -----------------DiscoveryState -----------------AutoEnable -----------------IsDiscoveryServer ---------Profiles -------------ICCID -----------------ServerName -----------------MatchingID -----------------State -----------------IsEnabled -----------------PPR1Set -----------------PPR2Set -----------------ErrorDetail ---------Policies -------------LocalUIEnabled ---------Actions -------------ResetToFactoryState -------------Status + + + + +Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The eUICC ID (EID) associated with the device. | + + + + + + + + + +### {eUICC}/Actions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Actions ``` + -**./Vendor/MSFT/eUICCs** -Root node for the eUICCs CSP. + + +Actions that can be performed on the eUICC as a whole (when it is active). + -**_eUICC_** -Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this association could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + + + -Supported operation is Get. + +**Description framework properties**: -**_eUICC_/Identifier** -Required. Identifies an eUICC in an implementation-specific manner, for example, this identification could be an SHA-256 hash of the EID. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Get. Value type is string. + + + -**_eUICC_/IsActive** -Required. Indicates whether this eUICC is physically present and active. Updated only by the LPA. + -Supported operation is Get. Value type is boolean. + +#### {eUICC}/Actions/ResetToFactoryState -**_eUICC_/PPR1Allowed** -Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Actions/ResetToFactoryState +``` + -Value type is boolean. + + +An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + -**_eUICC_/PPR1AlreadySet** -Required. Indicates whether the eUICC already has a profile with PPR1. + + + -Supported operation is Get. + +**Description framework properties**: -Value type is boolean. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + -**_eUICC_/DownloadServers** -Interior node. Represents default SM-DP+ discovery requests. + + + -Supported operation is Get. + -**_eUICC_/DownloadServers/_ServerName_** -Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + +#### {eUICC}/Actions/Status -Supported operations are Add, Get, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**_eUICC_/DownloadServers/_ServerName_/DiscoveryState** -Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Actions/Status +``` + -Supported operation is Get. + + +Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + -Value type is integer. Default value is 1. + + + -**_eUICC_/DownloadServers/_ServerName_/AutoEnable** -Required. Indicates whether the discovered profile must be enabled automatically after install. This setting must be defined by the MDM when the ServerName subtree is created. + +**Description framework properties**: -Supported operations are Add, Get, and Replace. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + -Value type is bool. + + + -**_eUICC_/DownloadServers/_ServerName_/IsDiscoveryServer** -Optional. Indicates whether the server is a discovery server. This setting must be defined by the MDM when the ServerName subtree is created. + -Supported operations are Add, Get, and Replace. + +### {eUICC}/DownloadServers -Value type is bool. Default value is false. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**_eUICC_/Profiles** -Interior node. Required. Represents all enterprise-owned profiles. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers +``` + -Supported operation is Get. + + +Represents default SM-DP+ discovery requests. + -**_eUICC_/Profiles/_ICCID_** -Interior node. Optional. Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + -Supported operations are Add, Get, and Delete. + +**Description framework properties**: -**_eUICC_/Profiles/_ICCID_/ServerName** -Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operations are Add and Get. + + + -Value type is string. + -**_eUICC_/Profiles/_ICCID_/MatchingID** -Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + +#### {eUICC}/DownloadServers/{ServerName} -Supported operations are Add and Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Value type is string. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName} +``` + -**_eUICC_/Profiles/_ICCID_/State** -Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + +Node representing the discovery operation for a server name. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + -Supported operation is Get. + + + -Value type is integer. Default value is 1. + +**Description framework properties**: -**_eUICC_/Profiles/_ICCID_/IsEnabled** -Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once it’s successfully downloaded and installed on the device. Can also be queried and updated by the CSP. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: ServerName used for the discovery operation. | + -Supported operations are Add, Get, and Replace. + + + -Value type is bool. + -**_eUICC_/Policies** -Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). + +##### {eUICC}/DownloadServers/{ServerName}/AutoEnable -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**_eUICC_/Policies/LocalUIEnabled** -Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName}/AutoEnable +``` + -Supported operations are Get and Replace. + + +Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + -Value type is boolean. Default value is true. + + + -**_eUICC_/Actions** -Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active). + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | + -**_eUICC_/Actions/ResetToFactoryState** -Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + +**Allowed values**: -Supported operation is Execute. +| Value | Description | +|:--|:--| +| false | Disable. | +| true | Enable. | + -Value type is string. + + + -**_eUICC_/Actions/Status** -Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + -Supported value is Get. + +##### {eUICC}/DownloadServers/{ServerName}/DiscoveryState -Value type is integer. Default is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName}/DiscoveryState +``` + -[Configuration service provider reference](index.yml) + + +Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 1 | + + + + + + + + + +##### {eUICC}/DownloadServers/{ServerName}/IsDiscoveryServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName}/IsDiscoveryServer +``` + + + + +Indicates whether the server is a discovery server. Optional, default value is false. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Is Not Discovery Server. | +| true | Is Discovery Server. | + + + + + + + + + +### {eUICC}/Identifier + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Identifier +``` + + + + +The EID. + + + + +Identifies an eUICC in an implementation-specific manner, for example, this identification could be an SHA-256 hash of the EID. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### {eUICC}/IsActive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/IsActive +``` + + + + +Indicates whether this eUICC is physically present and active. Updated only by the LPA. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### {eUICC}/Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Policies +``` + + + + +Device policies associated with the eUICC as a whole (not per-profile). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### {eUICC}/Policies/LocalUIEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Policies/LocalUIEnabled +``` + + + + +Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + +### {eUICC}/PPR1Allowed + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/PPR1Allowed +``` + + + + +Indicates whether the download of a profile with PPR1 is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 is not allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### {eUICC}/PPR1AlreadySet + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/PPR1AlreadySet +``` + + + + +Indicates whether the eUICC has already a profile with PPR1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### {eUICC}/Profiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles +``` + + + + +Represents all enterprise-owned profiles. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### {eUICC}/Profiles/{ICCID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID} +``` + + + + +Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: ICCID of the profile. | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/ErrorDetail + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/ErrorDetail +``` + + + + +Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/IsEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/IsEnabled +``` + + + + +Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/MatchingID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/MatchingID +``` + + + + +Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Allowed Values | Regular Expression: `^([0-9a-fA-F]{5}-){3}[0-9a-fA-F]{5}$` | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/PPR1Set + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/PPR1Set +``` + + + + +This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/PPR2Set + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/PPR2Set +``` + + + + +This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/ServerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/ServerName +``` + + + + +Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/State +``` + + + + +Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 1 | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index a6de1b34ab..7e78256e0b 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md 
@@ -1,594 +1,670 @@ --- title: eUICCs DDF file -description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/02/2018 +ms.topic: reference --- + + # eUICCs DDF file -This topic shows the OMA DM device description framework (DDF) for the **eUICCs** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below if for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the eUICCs configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + eUICCs + ./Device/Vendor/MSFT + + + + + Subtree for all embedded UICCs (eUICC) + + + + + + + + + + + + + + + + + 10.0.16299 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - eUICCs - ./Device/Vendor/MSFT + + + + + + + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. + + + + + + + + + + eUICC + + + + + The eUICC ID (EID) associated with the device. + + + + Identifier - - - - Subtree for all embedded UICCs (eUICC) - - - - - - - - - - - - - - com.microsoft/1.2/MDM/eUICCs - + + + + The EID. 
+ + + + + + + + + + + + + + + + + + + IsActive + + + + + Indicates whether this eUICC is physically present and active. Updated only by the LPA. + + + + + + + + + + + + + + + + PPR1Allowed + + + + + Indicates whether the download of a profile with PPR1 is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 is not allowed. + + + + + + + + + + + + + + + + PPR1AlreadySet + + + + + Indicates whether the eUICC has already a profile with PPR1. + + + + + + + + + + + + + + + + DownloadServers + + + + + Represents default SM-DP+ discovery requests. + + + + + + + + + + + + + + 10.0.22000 + 1.0 + - + + + + + + + + + + Node representing the discovery operation for a server name. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + + + + + + + + + + ServerName + + + + + ServerName used for the discovery operation. + + + + DiscoveryState - - - - Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. - - - - - - - - - - eUICC - - - + + + + 1 + Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + + - - Identifier - - - - - The EID. - - - - - - - - - - - - - - text/plain - - - - - IsActive - - - - - Indicates whether this eUICC is physically present and active. Updated only by the LPA. - - - - - - - - - - - text/plain - - - - - PPR1Allowed - - - - - Indicates whether the download of a profile with PPR1 is allowed. 
If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. - - - - - - - - - - - text/plain - - - - - PPR1AlreadySet - - - - - Indicates whether the eUICC already has a profile with PPR1. - - - - - - - - - - - text/plain - - - - - DownloadServers - - - - - Represents default SM-DP+ discovery requests. - - - - - - - - - - - - - - - - - - - - - - - Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. - - - - - - - - - - ServerName - - - - - - DiscoveryState - - - - - 1 - Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. - - - - - - - - - - - text/plain - - - - - AutoEnable - - - - - - - Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. - - - - - - - - - - - text/plain - - - - - IsDiscoveryServer - - - - - - - false - Indicates whether the server is a discovery server. Optional, default value is false. - - - - - - - - - - - text/plain - - - - - - - Profiles - - - - - Represents all enterprise-owned profiles. - - - - - - - - - - - - - - - - - - - - - - - Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). - - - - - - - - - - ICCID - - - - - - ServerName - - - - - - - Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. 
- - - - - - - - - - - - - - text/plain - - - - - MatchingID - - - - - - - Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. - - - - - - - - - - - - - - text/plain - - - - - State - - - - - 1 - Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. - - - - - - - - - - - text/plain - - - - - IsEnabled - - - - - - - Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. - - - - - - - - - - - text/plain - - - - - PPR1Set - - - - - This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). - - - - - - - - - - - text/plain - - - - - PPR2Set - - - - - This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). - - - - - - - - - - - text/plain - - - - - ErrorDetail - - - - - 0 - Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). - - - - - - - - - - - text/plain - - - - - - - Policies - - - - - Device policies associated with the eUICC as a whole (not per-profile). - - - - - - - - - - - - - - - LocalUIEnabled - - - - - - true - Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. 
- - - - - - - - - - - text/plain - - - - - - Actions - - - - - Actions that can be performed on the eUICC as a whole (when it is active). - - - - - - - - - - - - - - - ResetToFactoryState - - - - - An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. - - - - - - - - - - - text/plain - - - - - Status - - - - - 0 - Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. - - - - - - - - - - - text/plain - - - - + + + AutoEnable + + + + + + + Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + + + + + + + + + + + + + + + false + Disable + + + true + Enable + + + + + + IsDiscoveryServer + + + + + + + false + Indicates whether the server is a discovery server. Optional, default value is false. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Is Not Discovery Server + + + true + Is Discovery Server + + + + + + + Profiles + + + + + Represents all enterprise-owned profiles. + + + + + + + + + + + + + + + + + + + + + + + + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + + + + + + + + ICCID + + + + + ICCID of the profile. + + + + ServerName + + + + + + + Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. + + + + + + + + + + + + + + + + + + + + + MatchingID + + + + + + + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. 
+ + + + + + + + + + + + + + + + + ^([0-9a-fA-F]{5}-){3}[0-9a-fA-F]{5}$ + + + + + State + + + + + 1 + Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + + + + + + IsEnabled + + + + + + + Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. + + + + + + + + + + + + + + 10.0.17134 + 1.0 + + + + false + Disabled + + + true + Enabled + + + + + + PPR1Set + + + + + This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + + + + + + PPR2Set + + + + + This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + + + + + + ErrorDetail + + + + + 0 + Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). + + + + + + + + + + + + + + + + + + Policies + + + + + Device policies associated with the eUICC as a whole (not per-profile). + + + + + + + + + + + + + + + LocalUIEnabled + + + + + + true + Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + + Actions + + + + + Actions that can be performed on the eUICC as a whole (when it is active). 
+ + + + + + + + + + + + + + + ResetToFactoryState + + + + + An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + + + + + + + + + + + + + + + + Status + + + + + 0 + Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + + + + + + + + + + + + + + + + ``` + +## Related articles + +[eUICCs configuration service provider reference](euiccs-csp.md) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index a425989761..e0917186af 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md 
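Review bot: The MatchingID node now carries the pattern `^([0-9a-fA-F]{5}-){3}[0-9a-fA-F]{5}$`, which restricts a value described as "Matching ID (activation code token) for profile download" to four dash-separated groups of five hex digits, and nothing in the hunk says whether that is the full token format the LPA accepts. If the SM-DP+ activation-code token format is broader, a valid token set by the MDM is rejected by the CSP before it reaches the LPA, so the pattern should be checked against the accepted format and, if intentional, stated in the node's Description: `Matching ID (activation code token) for profile download, formatted as four dash-separated groups of five hexadecimal digits. Must be set by the MDM when the ICCID subtree is created.` The ServerName nodes (the DownloadServers node name and Profiles/{ICCID}/ServerName, both described as a fully qualified domain name) carry no comparable constraint, so the asymmetry is worth a sentence in the introduction above the XML. The surrounding XML element names are not visible in this rendering, and the hunk spans the whole file.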
@@ -1,299 +1,484 @@ --- title: Firewall CSP -description: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings. +description: Learn more about the Firewall CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.reviewer: -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- -# Firewall configuration service provider (CSP) + -The table below shows the applicability of Windows: + +# Firewall CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. + + +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. 
Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.
-Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively.
+> [!NOTE]
+> Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac).
+
-The following example shows the Firewall configuration service provider in tree format.
+
+The following list shows the Firewall configuration service provider nodes:
+
+- ./Vendor/MSFT/Firewall
+ - [MdmStore](#mdmstore)
+ - [DomainProfile](#mdmstoredomainprofile)
+ - [AllowLocalIpsecPolicyMerge](#mdmstoredomainprofileallowlocalipsecpolicymerge)
+ - [AllowLocalPolicyMerge](#mdmstoredomainprofileallowlocalpolicymerge)
+ - [AuthAppsAllowUserPrefMerge](#mdmstoredomainprofileauthappsallowuserprefmerge)
+ - [DefaultInboundAction](#mdmstoredomainprofiledefaultinboundaction)
+ - [DefaultOutboundAction](#mdmstoredomainprofiledefaultoutboundaction)
+ - [DisableInboundNotifications](#mdmstoredomainprofiledisableinboundnotifications)
+ - [DisableStealthMode](#mdmstoredomainprofiledisablestealthmode)
+ - [DisableStealthModeIpsecSecuredPacketExemption](#mdmstoredomainprofiledisablestealthmodeipsecsecuredpacketexemption)
+ - [DisableUnicastResponsesToMulticastBroadcast](#mdmstoredomainprofiledisableunicastresponsestomulticastbroadcast)
+ - [EnableFirewall](#mdmstoredomainprofileenablefirewall)
+ - [EnableLogDroppedPackets](#mdmstoredomainprofileenablelogdroppedpackets)
+ - [EnableLogIgnoredRules](#mdmstoredomainprofileenablelogignoredrules)
+ - [EnableLogSuccessConnections](#mdmstoredomainprofileenablelogsuccessconnections)
+ - [GlobalPortsAllowUserPrefMerge](#mdmstoredomainprofileglobalportsallowuserprefmerge)
+ - [LogFilePath](#mdmstoredomainprofilelogfilepath)
+ - [LogMaxFileSize](#mdmstoredomainprofilelogmaxfilesize)
+ - [Shielded](#mdmstoredomainprofileshielded)
+ - [DynamicKeywords](#mdmstoredynamickeywords)
+ - [Addresses](#mdmstoredynamickeywordsaddresses)
+ - [{Id}](#mdmstoredynamickeywordsaddressesid)
+ - [Addresses](#mdmstoredynamickeywordsaddressesidaddresses)
+ - [AutoResolve](#mdmstoredynamickeywordsaddressesidautoresolve)
+ - [Keyword](#mdmstoredynamickeywordsaddressesidkeyword)
+ - [FirewallRules](#mdmstorefirewallrules)
+ - [{FirewallRuleName}](#mdmstorefirewallrulesfirewallrulename)
+ - [Action](#mdmstorefirewallrulesfirewallrulenameaction)
+ - [Type](#mdmstorefirewallrulesfirewallrulenameactiontype)
+ - [App](#mdmstorefirewallrulesfirewallrulenameapp)
+ - [FilePath](#mdmstorefirewallrulesfirewallrulenameappfilepath)
+ - [Fqbn](#mdmstorefirewallrulesfirewallrulenameappfqbn)
+ - [PackageFamilyName](#mdmstorefirewallrulesfirewallrulenameapppackagefamilyname)
+ - [ServiceName](#mdmstorefirewallrulesfirewallrulenameappservicename)
+ - [Description](#mdmstorefirewallrulesfirewallrulenamedescription)
+ - [Direction](#mdmstorefirewallrulesfirewallrulenamedirection)
+ - [EdgeTraversal](#mdmstorefirewallrulesfirewallrulenameedgetraversal)
+ - [Enabled](#mdmstorefirewallrulesfirewallrulenameenabled)
+ - [IcmpTypesAndCodes](#mdmstorefirewallrulesfirewallrulenameicmptypesandcodes)
+ - [InterfaceTypes](#mdmstorefirewallrulesfirewallrulenameinterfacetypes)
+ - [LocalAddressRanges](#mdmstorefirewallrulesfirewallrulenamelocaladdressranges)
+ - [LocalPortRanges](#mdmstorefirewallrulesfirewallrulenamelocalportranges)
+ - [LocalUserAuthorizedList](#mdmstorefirewallrulesfirewallrulenamelocaluserauthorizedlist)
+ - [Name](#mdmstorefirewallrulesfirewallrulenamename)
+ - [PolicyAppId](#mdmstorefirewallrulesfirewallrulenamepolicyappid)
+ - [Profiles](#mdmstorefirewallrulesfirewallrulenameprofiles)
+ - [Protocol](#mdmstorefirewallrulesfirewallrulenameprotocol)
+ - [RemoteAddressDynamicKeywords](#mdmstorefirewallrulesfirewallrulenameremoteaddressdynamickeywords)
+ - [RemoteAddressRanges](#mdmstorefirewallrulesfirewallrulenameremoteaddressranges)
+ - [RemotePortRanges](#mdmstorefirewallrulesfirewallrulenameremoteportranges)
+ - [Status](#mdmstorefirewallrulesfirewallrulenamestatus)
+ - [Global](#mdmstoreglobal)
+ - [BinaryVersionSupported](#mdmstoreglobalbinaryversionsupported)
+ - [CRLcheck](#mdmstoreglobalcrlcheck)
+ - [CurrentProfiles](#mdmstoreglobalcurrentprofiles)
+ - [DisableStatefulFtp](#mdmstoreglobaldisablestatefulftp)
+ - [EnablePacketQueue](#mdmstoreglobalenablepacketqueue)
+ - [IPsecExempt](#mdmstoreglobalipsecexempt)
+ - [OpportunisticallyMatchAuthSetPerKM](#mdmstoreglobalopportunisticallymatchauthsetperkm)
+ - [PolicyVersion](#mdmstoreglobalpolicyversion)
+ - [PolicyVersionSupported](#mdmstoreglobalpolicyversionsupported)
+ - [PresharedKeyEncoding](#mdmstoreglobalpresharedkeyencoding)
+ - [SaIdleTime](#mdmstoreglobalsaidletime)
+ - [HyperVFirewallRules](#mdmstorehypervfirewallrules)
+ - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename)
+ - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction)
+ - [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype)
+ - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection)
+ - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled)
+ - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges)
+ - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges)
+ - [Name](#mdmstorehypervfirewallrulesfirewallrulenamename)
+ - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority)
+ - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol)
+ - [RemoteAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteaddressranges)
+ - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges)
+ - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus)
+ - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid)
+ - [HyperVVMSettings](#mdmstorehypervvmsettings)
+ - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid)
+ - [DefaultInboundAction](#mdmstorehypervvmsettingsvmcreatoriddefaultinboundaction)
+ - [DefaultOutboundAction](#mdmstorehypervvmsettingsvmcreatoriddefaultoutboundaction)
+ - [EnableFirewall](#mdmstorehypervvmsettingsvmcreatoridenablefirewall)
+ - [EnableLoopback](#mdmstorehypervvmsettingsvmcreatoridenableloopback)
+ - [PrivateProfile](#mdmstoreprivateprofile)
+ - [AllowLocalIpsecPolicyMerge](#mdmstoreprivateprofileallowlocalipsecpolicymerge)
+ - [AllowLocalPolicyMerge](#mdmstoreprivateprofileallowlocalpolicymerge)
+ - [AuthAppsAllowUserPrefMerge](#mdmstoreprivateprofileauthappsallowuserprefmerge)
+ - [DefaultInboundAction](#mdmstoreprivateprofiledefaultinboundaction)
+ - [DefaultOutboundAction](#mdmstoreprivateprofiledefaultoutboundaction)
+ - [DisableInboundNotifications](#mdmstoreprivateprofiledisableinboundnotifications)
+ - [DisableStealthMode](#mdmstoreprivateprofiledisablestealthmode)
+ - [DisableStealthModeIpsecSecuredPacketExemption](#mdmstoreprivateprofiledisablestealthmodeipsecsecuredpacketexemption)
+ - [DisableUnicastResponsesToMulticastBroadcast](#mdmstoreprivateprofiledisableunicastresponsestomulticastbroadcast)
+ - [EnableFirewall](#mdmstoreprivateprofileenablefirewall)
+ - [EnableLogDroppedPackets](#mdmstoreprivateprofileenablelogdroppedpackets)
+ - [EnableLogIgnoredRules](#mdmstoreprivateprofileenablelogignoredrules)
+ - [EnableLogSuccessConnections](#mdmstoreprivateprofileenablelogsuccessconnections)
+ - [GlobalPortsAllowUserPrefMerge](#mdmstoreprivateprofileglobalportsallowuserprefmerge)
+ - [LogFilePath](#mdmstoreprivateprofilelogfilepath)
+ - [LogMaxFileSize](#mdmstoreprivateprofilelogmaxfilesize)
+ - [Shielded](#mdmstoreprivateprofileshielded)
+ - [PublicProfile](#mdmstorepublicprofile)
+ - [AllowLocalIpsecPolicyMerge](#mdmstorepublicprofileallowlocalipsecpolicymerge)
+ - [AllowLocalPolicyMerge](#mdmstorepublicprofileallowlocalpolicymerge)
+ - [AuthAppsAllowUserPrefMerge](#mdmstorepublicprofileauthappsallowuserprefmerge)
+ - [DefaultInboundAction](#mdmstorepublicprofiledefaultinboundaction)
+ - [DefaultOutboundAction](#mdmstorepublicprofiledefaultoutboundaction)
+ - [DisableInboundNotifications](#mdmstorepublicprofiledisableinboundnotifications)
+ - [DisableStealthMode](#mdmstorepublicprofiledisablestealthmode)
+ - [DisableStealthModeIpsecSecuredPacketExemption](#mdmstorepublicprofiledisablestealthmodeipsecsecuredpacketexemption)
+ - [DisableUnicastResponsesToMulticastBroadcast](#mdmstorepublicprofiledisableunicastresponsestomulticastbroadcast)
+ - [EnableFirewall](#mdmstorepublicprofileenablefirewall)
+ - [EnableLogDroppedPackets](#mdmstorepublicprofileenablelogdroppedpackets)
+ - [EnableLogIgnoredRules](#mdmstorepublicprofileenablelogignoredrules)
+ - [EnableLogSuccessConnections](#mdmstorepublicprofileenablelogsuccessconnections)
+ - [GlobalPortsAllowUserPrefMerge](#mdmstorepublicprofileglobalportsallowuserprefmerge)
+ - [LogFilePath](#mdmstorepublicprofilelogfilepath)
+ - [LogMaxFileSize](#mdmstorepublicprofilelogmaxfilesize)
+ - [Shielded](#mdmstorepublicprofileshielded)
+
+
+
+## MdmStore
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore ``` -./Vendor/MSFT -Firewall ----- ---------Global -------------PolicyVersionSupported -------------CurrentProfiles -------------DisableStatefulFtp -------------SaIdleTime -------------PresharedKeyEncoding -------------IPsecExempt -------------CRLcheck -------------PolicyVersion -------------BinaryVersionSupported -------------OpportunisticallyMatchAuthSetPerKM -------------EnablePacketQueue ---------DomainProfile -------------EnableFirewall -------------DisableStealthMode -------------Shielded -------------DisableUnicastResponsesToMulticastBroadcast -------------EnableLogDroppedPackets -------------EnableLogSuccessConnections -------------EnableLogIgnoredRules -------------LogMaxFileSize -------------LogFilePath -------------DisableInboundNotifications -------------AuthAppsAllowUserPrefMerge -------------GlobalPortsAllowUserPrefMerge -------------AllowLocalPolicyMerge -------------AllowLocalIpsecPolicyMerge -------------DefaultOutboundAction -------------DefaultInboundAction -------------DisableStealthModeIpsecSecuredPacketExemption ---------PrivateProfile -------------EnableFirewall -------------DisableStealthMode -------------Shielded -------------DisableUnicastResponsesToMulticastBroadcast -------------EnableLogDroppedPackets -------------EnableLogSuccessConnections -------------EnableLogIgnoredRules -------------LogMaxFileSize -------------LogFilePath -------------DisableInboundNotifications -------------AuthAppsAllowUserPrefMerge -------------GlobalPortsAllowUserPrefMerge -------------AllowLocalPolicyMerge -------------AllowLocalIpsecPolicyMerge -------------DefaultOutboundAction -------------DefaultInboundAction -------------DisableStealthModeIpsecSecuredPacketExemption ---------PublicProfile -------------EnableFirewall -------------DisableStealthMode -------------Shielded 
-------------DisableUnicastResponsesToMulticastBroadcast -------------EnableLogDroppedPackets -------------EnableLogSuccessConnections -------------EnableLogIgnoredRules -------------LogMaxFileSize -------------LogFilePath -------------DisableInboundNotifications -------------AuthAppsAllowUserPrefMerge -------------GlobalPortsAllowUserPrefMerge -------------AllowLocalPolicyMerge -------------AllowLocalIpsecPolicyMerge -------------DefaultOutboundAction -------------DefaultInboundAction -------------DisableStealthModeIpsecSecuredPacketExemption ---------FirewallRules -------------FirewallRuleName -----------------App ---------------------PackageFamilyName ---------------------FilePath ---------------------Fqbn ---------------------ServiceName -----------------Protocol -----------------LocalPortRanges -----------------RemotePortRanges -----------------IcmpTypesAndCodes -----------------LocalAddressRanges -----------------RemoteAddressRanges -----------------Description -----------------Enabled -----------------Profiles -----------------Action ---------------------Type -----------------Direction -----------------InterfaceTypes -----------------EdgeTraversal -----------------LocalUserAuthorizationList -----------------FriendlyName -----------------Status -----------------Name -----------------RemoteAddressDynamicKeywords ---------DynamicKeywords -----------------Addresses --------------------------Id ----------------------------------Keyword ----------------------------------Addresses ----------------------------------AutoResolve + + + + + + + + +Interior node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### MdmStore/DomainProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile ``` + -**./Vendor/MSFT/Firewall** -Root node for the Firewall configuration service provider. + + + -**MdmStore** -Interior node. -Supported operation is Get. + + + -**MdmStore/Global** -Interior node. -Supported operations are Get. + +**Description framework properties**: -**MdmStore/Global/PolicyVersionSupported** -Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build. -Value type in integer. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**MdmStore/Global/CurrentProfiles** -Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law. -Value type in integer. Supported operation is Get. + + + -**MdmStore/Global/DisableStatefulFtp** -Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win. -Default value is false. + -Data type is bool. Supported operations are Add, Get, Replace, and Delete. + +#### MdmStore/DomainProfile/AllowLocalIpsecPolicyMerge -**MdmStore/Global/SaIdleTime** -This value configures the security association idle time, in seconds. 
Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. -Default value is 300. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**MdmStore/Global/PresharedKeyEncoding** -Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. -Default value is 1. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalIpsecPolicyMerge +``` + -**MdmStore/Global/IPsecExempt** -This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. -Default value is 0. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + -**MdmStore/Global/CRLcheck** -This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued: + + + -- 0 disables CRL checking -- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail. -- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing + +**Description framework properties**: -Default value is 0. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -**MdmStore/Global/PolicyVersion** -This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law. -Value type is string. Supported operation is Get. + +**Allowed values**: -**MdmStore/Global/BinaryVersionSupported** -This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. -Value type is string. Supported operation is Get. +| Value | Description | +|:--|:--| +| false | AllowLocalIpsecPolicyMerge Off. | +| true (Default) | AllowLocalIpsecPolicyMerge On. | + -**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. -Boolean value. Supported operations are Add, Get, Replace, and Delete. + + + -**MdmStore/Global/EnablePacketQueue** -This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. 
Valid values: + -- 0x00 indicates that all queuing is to be disabled -- 0x01 specifies that inbound encrypted packets are to be queued -- 0x02 specifies that packets are to be queued after decryption is performed for forwarding + +#### MdmStore/DomainProfile/AllowLocalPolicyMerge -Default value is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalPolicyMerge +``` + -**MdmStore/DomainProfile** -Interior node. Supported operation is Get. + + +This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + -**MdmStore/PrivateProfile** -Interior node. Supported operation is Get. + + + -**MdmStore/PublicProfile** -Interior node. Supported operation is Get. + +**Description framework properties**: -**/EnableFirewall** -Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is true. -Value type is bool. Supported operations are Add, Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -**/DisableStealthMode** -Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is false. -Value type is bool. Supported operations are Add, Get and Replace. + +**Allowed values**: -**/Shielded** -Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win. -Default value is false. +| Value | Description | +|:--|:--| +| false | AllowLocalPolicyMerge Off. | +| true (Default) | AllowLocalPolicyMerge On. | + -Value type is bool. Supported operations are Get and Replace. + + + -**/DisableUnicastResponsesToMulticastBroadcast** -Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is false. -Value type is bool. Supported operations are Add, Get and Replace. + -**/EnableLogDroppedPackets** -Boolean value. If this value is true, firewall will log all dropped packets. The merge law for this option is to let "on" values win. -Default value is false. Supported operations are Get and Replace. + +#### MdmStore/DomainProfile/AuthAppsAllowUserPrefMerge -**/EnableLogSuccessConnections** -Boolean value. If this value is true, firewall will log all successful inbound connections. The merge law for this option is to let "on" values win. -Default value is false. Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**/EnableLogIgnoredRules** -Boolean value. If this value is true, firewall will log ignored firewall rules. The merge law for this option is to let "on" values win. -Default value is false. Supported operations are Get and Replace. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AuthAppsAllowUserPrefMerge +``` + -**/LogMaxFileSize** -Integer value that specifies the size, in kilobytes, of the log file where dropped packets, successful connections and ignored rules are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. -Default value is 1024. Supported operations are Get and Replace + + +This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + -**/LogFilePath** -String value that represents the file path to the log where firewall logs dropped packets, successful connections and ignored rules. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. Default value is "%systemroot%\system32\LogFiles\Firewall\pfirewall.log". Supported operations are Get and Replace + + + -**/DisableInboundNotifications** -Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is false. -Value type is bool. Supported operations are Add, Get and Replace. + +**Description framework properties**: -**/AuthAppsAllowUserPrefMerge** -Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is true. -Value type is bool. Supported operations are Add, Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -**/GlobalPortsAllowUserPrefMerge** -Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is true. -Value type is bool. Supported operations are Add, Get and Replace. + +**Allowed values**: -**/AllowLocalPolicyMerge** -Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. -Default value is true. +| Value | Description | +|:--|:--| +| false | AuthAppsAllowUserPrefMerge Off. | +| true (Default) | AuthAppsAllowUserPrefMerge On. | + -Value type is bool. Supported operations are Add, Get and Replace. + + + -**/AllowLocalIpsecPolicyMerge** -Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. -Default value is true. + -Value type is bool. Supported operations are Add, Get and Replace. + +#### MdmStore/DomainProfile/DefaultInboundAction -**/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -- 0x00000000 - allow -- 0x00000001 - block + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultInboundAction +``` + -Default value is 0 (allow). -Value type is integer. Supported operations are Add, Get and Replace. + + +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + -Sample syncxml to provision the firewall settings to evaluate + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allow Inbound By Default. | +| 1 (Default) | Block Inbound By Default. | + + + + + + + + + +#### MdmStore/DomainProfile/DefaultOutboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultOutboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Outbound By Default. | +| 1 | Block Outbound By Default. | + + + + +**Example**: ```xml @@ -315,217 +500,5222 @@ Sample syncxml to provision the firewall settings to evaluate - ``` + -**/DefaultInboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used. + -- 0x00000000 - allow -- 0x00000001 - block + +#### MdmStore/DomainProfile/DisableInboundNotifications -Default value is 1 (block). -Value type is integer. Supported operations are Add, Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**/DisableStealthModeIpsecSecuredPacketExemption** -Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. -Default value is true. -Value type is bool. Supported operations are Add, Get and Replace. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableInboundNotifications +``` + -**FirewallRules** -A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. + + +This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + -**FirewallRules/_FirewallRuleName_** -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). -Supported operations are Add, Get, Replace, and Delete. + + + -**FirewallRules/_FirewallRuleName_/App** -Rules that control connections for an app, program, or service. 
Specified based on the intersection of the following nodes: + +**Description framework properties**: -- PackageFamilyName -- FilePath -- FQBN -- ServiceName +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -If not specified, the default is All. -Supported operation is Get. + +**Allowed values**: -**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +| Value | Description | +|:--|:--| +| false (Default) | Firewall May Display Notification. | +| true | Firewall Must Not Display Notification. | + -**FirewallRules/_FirewallRuleName_/App/FilePath** -This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + -**FirewallRules/_FirewallRuleName_/App/Fqbn** -Fully Qualified Binary Name -Value type is string. Supported operations are Add, Get, Replace, and Delete. + -**FirewallRules/_FirewallRuleName_/App/ServiceName** -This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +#### MdmStore/DomainProfile/DisableStealthMode -**FirewallRules/_FirewallRuleName_/Protocol** -0-255 number representing the ip protocol (TCP = 6, UDP = 17) -If not specified, the default is All. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**FirewallRules/_FirewallRuleName_/LocalPortRanges** -Comma separated list of ranges. For example, 100-120,200,300-320. -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableStealthMode +``` + -**FirewallRules/_FirewallRuleName_/RemotePortRanges** -Comma separated list of ranges, For example, 100-120,200,300-320. -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + -**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** -Comma separated list of ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the “\*” character. For specific ICMP types and codes, use the “:” character to separate the type and code, for example, 3:4, 1:\*. The “\*” character can be used to represent any code. The “\*” character cannot be used to specify any type; examples such as “\*:4” or “\*:\*” are invalid. -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -**FirewallRules/*FirewallRuleName*/LocalAddressRanges** -Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [EnableFirewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -- "*" indicates any local address. If present, the local address must be the only token included. -- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. -- A valid IPv4 address. -- A valid IPv6 address. -- An IPv4 address range in the format of "start address - end address" with no spaces included. -- An IPv6 address range in the format of "start address - end address" with no spaces included. + +**Allowed values**: -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +| Value | Description | +|:--|:--| +| false (Default) | Use Stealth Mode. | +| true | Disable Stealth Mode. | + -**FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: + + + -- "*" indicates any remote address. If present, the address must be the only token included. -- "Defaultgateway" -- "DHCP" -- "DNS" -- "WINS" -- "Intranet" -- "RmtIntranet" -- "Internet" -- "Ply2Renders" -- "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive. -- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. -- A valid IPv4 address. -- A valid IPv6 address. -- An IPv4 address range in the format of "start address - end address" with no spaces included. -- An IPv6 address range in the format of "start address - end address" with no spaces included. + -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. -The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later. 
+ +#### MdmStore/DomainProfile/DisableStealthModeIpsecSecuredPacketExemption -**FirewallRules/_FirewallRuleName_/Description** -Specifies the description of the rule. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**FirewallRules/_FirewallRuleName_/Enabled** -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -If not specified - a new rule is enabled by default. -Boolean value. Supported operations are Get and Replace. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableStealthModeIpsecSecuredPacketExemption +``` + -**FirewallRules/_FirewallRuleName_/Profiles** -Specifies the profiles to which the rule belongs: Domain, Private, or Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. -If not specified, the default is All. -Value type is integer. Supported operations are Get and Replace. + + +This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + -**FirewallRules/_FirewallRuleName_/Action** -Specifies the action for the rule. -Supported operation is Get. + + + -**FirewallRules/_FirewallRuleName_/Action/Type** -Specifies the action the rule enforces. Supported values: + +**Description framework properties**: -- 0 - Block -- 1 - Allow +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -If not specified, the default is allow. -Value type is integer. Supported operations are Get and Replace. + +**Allowed values**: -**FirewallRules/_FirewallRuleName_/Direction** -The rule is enabled based on the traffic direction as following. Supported values: +| Value | Description | +|:--|:--| +| false | FALSE. | +| true (Default) | TRUE. | + -- IN - the rule applies to inbound traffic. -- OUT - the rule applies to outbound traffic. -- If not specified, the default is Out. + + + -Value type is string. Supported operations are Get and Replace. + -**FirewallRules/_FirewallRuleName_/InterfaceTypes** -Comma separated list of interface types. Valid values: + +#### MdmStore/DomainProfile/DisableUnicastResponsesToMulticastBroadcast -- RemoteAccess -- Wireless -- Lan -- MBB (i.e. Mobile Broadband) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -If not specified, the default is All. -Value type is string. Supported operations are Get and Replace. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableUnicastResponsesToMulticastBroadcast +``` + -**FirewallRules/_FirewallRuleName_/EdgeTraversal** -Indicates whether edge traversal is enabled or disabled for this rule. -The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. -New rules have the EdgeTraversal property disabled by default. -Value type is bool. Supported operations are Add, Get, Replace, and Delete. + + +This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + -**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + -**FirewallRules/_FirewallRuleName_/Status** -Provides information about the specific version of the rule in deployment for monitoring purposes. -Value type is string. Supported operation is Get. + +**Description framework properties**: -**FirewallRules/_FirewallRuleName_/Name** -Name of the rule. -Value type is string. Supported operations are Add, Get, Replace, and Delete. 
+| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -**FirewallRules/_FirewallRuleName_/RemoteAddressDynamicKeywords** -Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**Allowed values**: +| Value | Description | +|:--|:--| +| false (Default) | Unicast Responses Not Blocked. | +| true | Unicast Responses Blocked. | + -**MdmStore/DynamicKeywords** -Interior node. -Supported operation is Get. + + + -**MdmStore/DynamicKeywords/Addresses** -Interior node. -Supported operation is Get. + -**MdmStore/DynamicKeywords/Addresses/Id** + +#### MdmStore/DomainProfile/EnableFirewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall +``` + + + + +This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable Firewall. | +| true (Default) | Enable Firewall. | + + + + + + + + + +#### MdmStore/DomainProfile/EnableLogDroppedPackets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Dropped Packets. | +| true | Enable Logging Of Dropped Packets. | + + + + + + + + + +#### MdmStore/DomainProfile/EnableLogIgnoredRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogIgnoredRules +``` + + + + +This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Ignored Rules. | +| true | Enable Logging Of Ignored Rules. | + + + + + + + + + +#### MdmStore/DomainProfile/EnableLogSuccessConnections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogSuccessConnections +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Successful Connections. | +| true | Enable Logging Of Successful Connections. | + + + + + + + + + +#### MdmStore/DomainProfile/GlobalPortsAllowUserPrefMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/GlobalPortsAllowUserPrefMerge +``` + + + + +This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | GlobalPortsAllowUserPrefMerge Off. | +| true (Default) | GlobalPortsAllowUserPrefMerge On. | + + + + + + + + + +#### MdmStore/DomainProfile/LogFilePath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath +``` + + + + +This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | %systemroot%\system32\LogFiles\Firewall\pfirewall.log | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +#### MdmStore/DomainProfile/LogMaxFileSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogMaxFileSize +``` + + + + +This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 1024 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +#### MdmStore/DomainProfile/Shielded + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/Shielded +``` + + + + +This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Shielding Off. | +| true | Shielding On. | + + + + + + + + + +### MdmStore/DynamicKeywords + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/DynamicKeywords/Addresses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses +``` + + + + +A list of dynamic keyword addresses for use within firewall rules. Dynamic keyword addresses can either be a simple alias object or fully-qualified domain names which will be auto-resolved in the presence of the Microsoft Defender Advanced Threat Protection Service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### MdmStore/DynamicKeywords/Addresses/{Id} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id} +``` + + + + A unique GUID string identifier for this dynamic keyword address. -Value type is string. Supported operations are Add, Delete, and Get. + -**MdmStore/DynamicKeywords/Addresses/Id/Keyword** -A String representing a keyword. If the AutoResolve value is true, this should be a Fully Qualified Domain Name (wildcards accepted, for example "contoso.com" or "*.contoso.com"). -Value type is string. Supported operations are Add, Delete, and Get. + + + -**MdmStore/DynamicKeywords/Addresses/Id/Addresses** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +###### MdmStore/DynamicKeywords/Addresses/{Id}/Addresses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/Addresses +``` + + + + Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value should not be set if AutoResolve is true. - Valid tokens include: -- A subnet specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. -- A valid IPv4 address. -- A valid IPv6 address. -- An IPv4 address range in the format of "start address-end address" with no spaces included. -- An IPv6 address range in the format of "start address-end address" with no spaces included. -Supported operations are Add, Delete, Replace, and Get. +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. + -**MdmStore/DynamicKeywords/Addresses/Id/AutoResolve** -Boolean value. If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a Fully Qualified Domain Name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present. -Value type is string. Supported operations are Add, Delete, and Get. -Value type is string. Supported operations are Add, Delete, and Get. 
+ + + + +**Description framework properties**: -## Related topics +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | +| Dependency [AutoResolve False] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/[Id]/AutoResolve`
    Dependency Allowed Value: `false`
    Dependency Allowed Value Type: `ENUM`
    | + -[Configuration service provider reference](index.yml) + + + + + + + +###### MdmStore/DynamicKeywords/Addresses/{Id}/AutoResolve + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/AutoResolve +``` + + + + +If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a fully qualified domain name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | AutoResolve False. | +| true | AutoResolve True. | + + + + + + + + + +###### MdmStore/DynamicKeywords/Addresses/{Id}/Keyword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/Keyword +``` + + + + +A String representing keyword. If the AutoResolve value is true, this should be a Fully Qualified Domain name (wildcards accepted, for example "contoso.com" or "*.contoso.com"). If the AutoResolve value is false, then this can be any identifier string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + + + + + + +### MdmStore/FirewallRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules +``` + + + + +A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/FirewallRules/{FirewallRuleName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName} +``` + + + + +Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `^[^|/]*$` | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/Action + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Action +``` + + + + +Specifies the action for the rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### MdmStore/FirewallRules/{FirewallRuleName}/Action/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Action/Type +``` + + + + +Specifies the action the rule enforces: +0 - Block +1 - Allow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Block. | +| 1 (Default) | Allow. | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/App + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App +``` + + + + +Rules that control connections for an app, program or service. + +Specified based on the intersection of the following nodes. + +PackageFamilyName +FilePath +FQBN +ServiceName. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### MdmStore/FirewallRules/{FirewallRuleName}/App/FilePath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/FilePath +``` + + + + +FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### MdmStore/FirewallRules/{FirewallRuleName}/App/Fqbn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/Fqbn +``` + + + + +Fully Qualified Binary Name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### MdmStore/FirewallRules/{FirewallRuleName}/App/PackageFamilyName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/PackageFamilyName +``` + + + + +PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### MdmStore/FirewallRules/{FirewallRuleName}/App/ServiceName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/ServiceName +``` + + + + +This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/Description + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Description +``` + + + + +Specifies the description of the rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/Direction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Direction +``` + + + + +Comma separated list. The rule is enabled based on the traffic direction as following. + +IN - the rule applies to inbound traffic. +OUT - the rule applies to outbound traffic. + +If not specified the default is OUT. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | OUT | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| IN | The rule applies to inbound traffic. | +| OUT (Default) | The rule applies to outbound traffic. | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/EdgeTraversal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/EdgeTraversal +``` + + + + +Indicates whether edge traversal is enabled or disabled for this rule. + +The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. + +New rules have the EdgeTraversal property disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 | Enabled. | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Enabled +``` + + + + +Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 | Enabled. | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/IcmpTypesAndCodes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/IcmpTypesAndCodes +``` + + + + + + + + +Comma separated list of ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the "\*" character. For specific ICMP types and codes, use the ":" character to separate the type and code, for example, 3:4, 1:\*. The "\*" character can be used to represent any code. The "\*" character cannot be used to specify any type; examples such as "\*:4" or "\*:\*" are invalid. If not specified, the default is All. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/InterfaceTypes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/InterfaceTypes +``` + + + + +String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MBB", and "All". +If more than one interface type is specified, the strings must be separated by a comma. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | All | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| RemoteAccess | RemoteAccess. | +| Wireless | Wireless. | +| Lan | Lan. | +| MBB | MobileBroadband. | +| All (Default) | All. | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/LocalAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalAddressRanges +``` + + + + +Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. +Valid tokens include: +"*" indicates any local address. If present, this must be the only token included. + +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/LocalPortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalPortRanges +``` + + + + +Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/LocalUserAuthorizedList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalUserAuthorizedList +``` + + + + +Specifies the list of authorized local users for the app container. +This is a string in Security Descriptor Definition Language (SDDL) format.. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | `` | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Name +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId +``` + + + + +Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^[A-Za-z0-9_.:/]+$` | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/Profiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Profiles
+```
+
+
+
+
+Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Flag | Description |
+|:--|:--|
+| 0x1 | FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains. |
+| 0x2 | FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they are in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD. |
+| 0x4 | FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator are not trusted. |
+| 0x7FFFFFFF | FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets. 
|
+| 0x80000000 | FW_PROFILE_TYPE_CURRENT: This value represents the current profiles to which the firewall and advanced security components determine the host is connected at the moment of the call. This value can be specified only in method calls, and it cannot be combined with other flags. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/Protocol
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Protocol
+```
+
+
+
+
+0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-255]` |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressDynamicKeywords
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressDynamicKeywords
+```
+
+
+
+
+Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressRanges
+```
+
+
+
+
+Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
+"*" indicates any remote address. If present, this must be the only token included.
+"Defaultgateway"
+"DHCP"
+"DNS"
+"WINS"
+"Intranet"
+"RemoteCorpNetwork"
+"Internet"
+"PlayToRenderers"
+"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/RemotePortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemotePortRanges
+```
+
+
+
+
+Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Status
+```
+
+
+
+
+Provides information about the specific version of the rule in deployment for monitoring purposes.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### MdmStore/Global
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/BinaryVersionSupported
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/BinaryVersionSupported
+```
+
+
+
+
+This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/CRLcheck
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/CRLcheck
+```
+
+
+
+
+This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disables CRL checking. |
+| 1 | Specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. |
+| 2 | Means that checking is required and that certificate validation fails if any error is encountered during CRL processing. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/CurrentProfiles
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/CurrentProfiles
+```
+
+
+
+
+Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/DisableStatefulFtp
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/DisableStatefulFtp
+```
+
+
+
+
+This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Stateful FTP enabled. |
+| true | Stateful FTP disabled. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/EnablePacketQueue
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/EnablePacketQueue
+```
+
+
+
+
+This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 0x0 |
+
+
+
+**Allowed values**:
+
+| Flag | Description |
+|:--|:--|
+| 0x0 (Default) | Indicates that all queuing is to be disabled. |
+| 0x1 | Specifies that inbound encrypted packets are to be queued. |
+| 0x2 | Specifies that packets are to be queued after decryption is performed for forwarding. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/IPsecExempt
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/IPsecExempt
+```
+
+
+
+
+This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 0x0 |
+
+
+
+**Allowed values**:
+
+| Flag | Description |
+|:--|:--|
+| 0x0 (Default) | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NONE: No IPsec exemptions. |
+| 0x1 | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC: Exempt neighbor discover IPv6 ICMP type-codes from IPsec. |
+| 0x2 | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ICMP: Exempt ICMP from IPsec. |
+| 0x4 | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ROUTER_DISC: Exempt router discover IPv6 ICMP type-codes from IPsec. |
+| 0x8 | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_DHCP: Exempt both IPv4 and IPv6 DHCP traffic from IPsec. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/OpportunisticallyMatchAuthSetPerKM
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/OpportunisticallyMatchAuthSetPerKM
+```
+
+
+
+
+This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don't support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | FALSE. |
+| true | TRUE. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/PolicyVersion
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/PolicyVersion
+```
+
+
+
+
+This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/PolicyVersionSupported
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/PolicyVersionSupported
+```
+
+
+
+
+Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/PresharedKeyEncoding
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/PresharedKeyEncoding
+```
+
+
+
+
+Specifies the preshared key encoding that is used. MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES](/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909) enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_NONE: Preshared key is not encoded. Instead, it is kept in its wide-character format. This symbolic constant has a value of 0. |
+| 1 (Default) | FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8: Encode the preshared key using UTF-8. This symbolic constant has a value of 1. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/Global/SaIdleTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/Global/SaIdleTime
+```
+
+
+
+
+This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[300-3600]` |
+| Default Value | 300 |
+
+
+
+
+
+
+
+
+
+### MdmStore/HyperVFirewallRules
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules
+```
+
+
+
+
+A list of rules controlling traffic through the Windows Firewall for Hyper-V containers. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/HyperVFirewallRules/{FirewallRuleName}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}
+```
+
+
+
+
+Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Atomic Required | True |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `^[^|/]*$` |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action
+```
+
+
+
+
+Specifies the action for the rule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type
+```
+
+
+
+
+Specifies the action the rule enforces:
+0 - Block
+1 - Allow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Block. |
+| 1 (Default) | Allow. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction
+```
+
+
+
+
+Comma separated list. The rule is enabled based on the traffic direction as following.
+
+IN - the rule applies to inbound traffic.
+OUT - the rule applies to outbound traffic.
+
+If not specified the default is OUT.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Default Value | OUT |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| IN | The rule applies to inbound traffic. |
+| OUT (Default) | The rule applies to outbound traffic. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Enabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Enabled
+```
+
+
+
+
+Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
+If not specified - a new rule is disabled by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalAddressRanges
+```
+
+
+
+
+Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
+Valid tokens include:
+"*" indicates any local address. If present, this must be the only token included.
+
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalPortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalPortRanges
+```
+
+
+
+
+Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority
+```
+
+
+
+
+0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-255]` |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Protocol
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Protocol
+```
+
+
+
+
+0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-65535]` |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemoteAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemoteAddressRanges
+```
+
+
+
+
+Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
+"*" indicates any remote address. If present, this must be the only token included.
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
+
+
+
+
+
+
+
+
+##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemotePortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemotePortRanges +``` + + + + +Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Status +``` + + + + +Provides information about the specific version of the rule in deployment for monitoring purposes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/VMCreatorId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/VMCreatorId +``` + + + + +This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +### MdmStore/HyperVVMSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings +``` + + + + +Settings for the Windows Firewall for Hyper-V containers. Each setting applies on a per-VM Creator basis. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/HyperVVMSettings/{VMCreatorId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId} +``` + + + + +VM Creator ID that these settings apply to. Valid format is a GUID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +##### MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultInboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultInboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allow Inbound By Default. | +| 1 (Default) | Block Inbound By Default. | + + + + + + + + + +##### MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultOutboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultOutboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Outbound By Default. | +| 1 | Block Outbound By Default. | + + + + + + + + + +##### MdmStore/HyperVVMSettings/{VMCreatorId}/EnableFirewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/EnableFirewall +``` + + + + +This value is an on/off switch for the firewall and advanced security enforcement. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable Firewall. | +| true (Default) | Enable Firewall. | + + + + + + + + + +##### MdmStore/HyperVVMSettings/{VMCreatorId}/EnableLoopback + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/EnableLoopback +``` + + + + +This value is an on/off switch for loopback traffic. This determines if this VM type is able to send/receive loopback traffic. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable loopback. | +| true | Enable loopback. | + + + + + + + + + +### MdmStore/PrivateProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/PrivateProfile/AllowLocalIpsecPolicyMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalIpsecPolicyMerge +``` + + + + +This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AllowLocalIpsecPolicyMerge Off. | +| true (Default) | AllowLocalIpsecPolicyMerge On. | + + + + + + + + + +#### MdmStore/PrivateProfile/AllowLocalPolicyMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalPolicyMerge +``` + + + + +This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AllowLocalPolicyMerge Off. | +| true (Default) | AllowLocalPolicyMerge On. | + + + + + + + + + +#### MdmStore/PrivateProfile/AuthAppsAllowUserPrefMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AuthAppsAllowUserPrefMerge +``` + + + + +This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AuthAppsAllowUserPrefMerge Off. | +| true (Default) | AuthAppsAllowUserPrefMerge On. | + + + + + + + + + +#### MdmStore/PrivateProfile/DefaultInboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultInboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allow Inbound By Default. | +| 1 (Default) | Block Inbound By Default. | + + + + + + + + + +#### MdmStore/PrivateProfile/DefaultOutboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultOutboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Outbound By Default. | +| 1 | Block Outbound By Default. | + + + + +**Example**: + +```xml + + + + + + 2010 + + + ./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultOutboundAction + + + int + + 1 + + + + + +``` + + + + + +#### MdmStore/PrivateProfile/DisableInboundNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableInboundNotifications +``` + + + + +This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Firewall May Display Notification. | +| true | Firewall Must Not Display Notification. | + + + + + + + + + +#### MdmStore/PrivateProfile/DisableStealthMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableStealthMode +``` + + + + +This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Use Stealth Mode. | +| true | Disable Stealth Mode. | + + + + + + + + + +#### MdmStore/PrivateProfile/DisableStealthModeIpsecSecuredPacketExemption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableStealthModeIpsecSecuredPacketExemption +``` + + + + +This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | FALSE. | +| true (Default) | TRUE. | + + + + + + + + + +#### MdmStore/PrivateProfile/DisableUnicastResponsesToMulticastBroadcast + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableUnicastResponsesToMulticastBroadcast +``` + + + + +This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Unicast Responses Not Blocked. | +| true | Unicast Responses Blocked. | + + + + + + + + + +#### MdmStore/PrivateProfile/EnableFirewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall +``` + + + + +This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable Firewall. | +| true (Default) | Enable Firewall. | + + + + + + + + + +#### MdmStore/PrivateProfile/EnableLogDroppedPackets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Dropped Packets. | +| true | Enable Logging Of Dropped Packets. | + + + + + + + + + +#### MdmStore/PrivateProfile/EnableLogIgnoredRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogIgnoredRules +``` + + + + +This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Ignored Rules. | +| true | Enable Logging Of Ignored Rules. | + + + + + + + + + +#### MdmStore/PrivateProfile/EnableLogSuccessConnections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogSuccessConnections +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Successful Connections. | +| true | Enable Logging Of Successful Connections. | + + + + + + + + + +#### MdmStore/PrivateProfile/GlobalPortsAllowUserPrefMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/GlobalPortsAllowUserPrefMerge +``` + + + + +This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | GlobalPortsAllowUserPrefMerge Off. | +| true (Default) | GlobalPortsAllowUserPrefMerge On. | + + + + + + + + + +#### MdmStore/PrivateProfile/LogFilePath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath +``` + + + + +This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | %systemroot%\system32\LogFiles\Firewall\pfirewall.log | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +#### MdmStore/PrivateProfile/LogMaxFileSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogMaxFileSize +``` + + + + +This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 1024 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +#### MdmStore/PrivateProfile/Shielded + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/Shielded +``` + + + + +This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Shielding Off. | +| true | Shielding On. | + + + + + + + + + +### MdmStore/PublicProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge +``` + + + + +This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AllowLocalIpsecPolicyMerge Off. | +| true (Default) | AllowLocalIpsecPolicyMerge On. | + + + + + + + + + +#### MdmStore/PublicProfile/AllowLocalPolicyMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge +``` + + + + +This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AllowLocalPolicyMerge Off. | +| true (Default) | AllowLocalPolicyMerge On. | + + + + + + + + + +#### MdmStore/PublicProfile/AuthAppsAllowUserPrefMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AuthAppsAllowUserPrefMerge +``` + + + + +This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AuthAppsAllowUserPrefMerge Off. | +| true (Default) | AuthAppsAllowUserPrefMerge On. | + + + + + + + + + +#### MdmStore/PublicProfile/DefaultInboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultInboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allow Inbound By Default. | +| 1 (Default) | Block Inbound By Default. | + + + + + + + + + +#### MdmStore/PublicProfile/DefaultOutboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultOutboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Outbound By Default. | +| 1 | Block Outbound By Default. | + + + + +**Example**: + +```xml + + + + + + 2010 + + + ./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultOutboundAction + + + int + + 1 + + + + + +``` + + + + + +#### MdmStore/PublicProfile/DisableInboundNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableInboundNotifications +``` + + + + +This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Firewall May Display Notification. | +| true | Firewall Must Not Display Notification. | + + + + + + + + + +#### MdmStore/PublicProfile/DisableStealthMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableStealthMode +``` + + + + +This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Use Stealth Mode. | +| true | Disable Stealth Mode. | + + + + + + + + + +#### MdmStore/PublicProfile/DisableStealthModeIpsecSecuredPacketExemption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableStealthModeIpsecSecuredPacketExemption +``` + + + + +This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | FALSE. | +| true (Default) | TRUE. | + + + + + + + + + +#### MdmStore/PublicProfile/DisableUnicastResponsesToMulticastBroadcast + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableUnicastResponsesToMulticastBroadcast +``` + + + + +This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Unicast Responses Not Blocked. | +| true | Unicast Responses Blocked. | + + + + + + + + + +#### MdmStore/PublicProfile/EnableFirewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall +``` + + + + +This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable Firewall. | +| true (Default) | Enable Firewall. | + + + + + + + + + +#### MdmStore/PublicProfile/EnableLogDroppedPackets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Dropped Packets. | +| true | Enable Logging Of Dropped Packets. | + + + + + + + + + +#### MdmStore/PublicProfile/EnableLogIgnoredRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogIgnoredRules +``` + + + + +This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Ignored Rules. | +| true | Enable Logging Of Ignored Rules. | + + + + + + + + + +#### MdmStore/PublicProfile/EnableLogSuccessConnections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogSuccessConnections +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Successful Connections. | +| true | Enable Logging Of Successful Connections. | + + + + + + + + + +#### MdmStore/PublicProfile/GlobalPortsAllowUserPrefMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/GlobalPortsAllowUserPrefMerge +``` + + + + +This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | GlobalPortsAllowUserPrefMerge Off. | +| true (Default) | GlobalPortsAllowUserPrefMerge On. | + + + + + + + + + +#### MdmStore/PublicProfile/LogFilePath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath +``` + + + + +This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | %systemroot%\system32\LogFiles\Firewall\pfirewall.log | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +#### MdmStore/PublicProfile/LogMaxFileSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize +``` + + + + +This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 1024 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +#### MdmStore/PublicProfile/Shielded + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PublicProfile/Shielded +``` + + + + +This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Shielding Off. | +| true | Shielding On. | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index c270f2f6f9..a55d7cb441 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md 
@@ -1,38 +1,80 @@ --- title: Firewall DDF file -description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider. +description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Firewall CSP + +# Firewall DDF file -This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). +The following XML file contains the device description framework (DDF) for the Firewall configuration service provider. ```xml -]> +]> 1.2 + + + + Firewall + ./Vendor/MSFT + + + + + Root node for the Firewall configuration service provider. + + + + + + + + + + + + + + 10.0.16299 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + MdmStore + + + + + + + + + + + + + + + + + - Firewall - ./Vendor/MSFT + Global - Root node for the Firewall configuration service provider. @@ -43,17 +85,18 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + - MdmStore + PolicyVersionSupported + Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. - + 
@@ -62,1214 +105,2973 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + + + + CurrentProfiles + + + + + Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. + + + + + + + + + + + + + + + + DisableStatefulFtp + + + + + + false + This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + + false + Stateful FTP enabled + + + true + Stateful FTP disabled + + + + + + SaIdleTime + + + + + + 300 + This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + + + + [300-3600] + + + + + PresharedKeyEncoding + + + + + + 1 + Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + + + + + 0 + FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_NONE: Preshared key is not encoded. Instead, it is kept in its wide-character format. This symbolic constant has a value of 0. + + + 1 + FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8: Encode the preshared key using UTF-8. This symbolic constant has a value of 1. 
+ + + + + + IPsecExempt + + + + + + 0x0 + This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + + + + + 0x0 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NONE: No IPsec exemptions. + + + 0x1 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC: Exempt neighbor discover IPv6 ICMP type-codes from IPsec. + + + 0x2 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ICMP: Exempt ICMP from IPsec. + + + 0x4 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ROUTER_DISC: Exempt router discover IPv6 ICMP type-codes from IPsec. + + + 0x8 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_DHCP: Exempt both IPv4 and IPv6 DHCP traffic from IPsec. + + + + + + CRLcheck + + + + + + This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
+ + + + + + + + + + + + + + + 0 + Disables CRL checking + + + 1 + Specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. + + + 2 + Means that checking is required and that certificate validation fails if any error is encountered during CRL processing + + + + + + PolicyVersion + + + + + This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law. + + + + + + + + + + + + + + + + BinaryVersionSupported + + + + + This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. + + + + + + + + + + + + + + + + OpportunisticallyMatchAuthSetPerKM + + + + + + This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + + + + + false + FALSE + + + true + TRUE + + + + + + EnablePacketQueue + + + + + + 0x0 + This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. 
A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. + + + + + + + + + + + + + + + 0x0 + Indicates that all queuing is to be disabled + + + 0x1 + Specifies that inbound encrypted packets are to be queued + + + 0x2 + Specifies that packets are to be queued after decryption is performed for forwarding + + + + + + + DomainProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + true + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Disable Firewall + + + true + Enable Firewall + + + + + + DisableStealthMode + + + + + + false + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Use Stealth Mode + + + true + Disable Stealth Mode + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + Shielded + + + + + false + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. 
+ + + + + + + + + + + + + + + false + Shielding Off + + + true + Shielding On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + false + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Unicast Responses Not Blocked + + + true + Unicast Responses Blocked + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogDroppedPackets + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Dropped Packets + + + true + Enable Logging Of Dropped Packets + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogSuccessConnections + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Successful Connections + + + true + Enable Logging Of Successful Connections + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogIgnoredRules + + + + + + false + This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Ignored Rules + + + true + Enable Logging Of Ignored Rules + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogMaxFileSize + + + + + + 1024 + This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + [0-4294967295] + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogFilePath + + + + + + %systemroot%\system32\LogFiles\Firewall\pfirewall.log + This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableInboundNotifications + + + + + + false + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + false + Firewall May Display Notification + + + true + Firewall Must Not Display Notification + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AuthAppsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + AuthAppsAllowUserPrefMerge Off + + + true + AuthAppsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + GlobalPortsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + GlobalPortsAllowUserPrefMerge Off + + + true + GlobalPortsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalPolicyMerge + + + + + + true + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. 
+ + + + + + + + + + + + + + + false + AllowLocalPolicyMerge Off + + + true + AllowLocalPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalIpsecPolicyMerge + + + + + + true + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + + + + + + + + + false + AllowLocalIpsecPolicyMerge Off + + + true + AllowLocalIpsecPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultOutboundAction + + + + + + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + 0 + Allow Outbound By Default + + + 1 + Block Outbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultInboundAction + + + + + + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + 0 + Allow Inbound By Default + + + 1 + Block Inbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + true + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + + + + + false + FALSE + + + true + TRUE + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + + PrivateProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + + + true + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Disable Firewall + + + true + Enable Firewall + + + + + + DisableStealthMode + + + + + + false + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + false + Use Stealth Mode + + + true + Disable Stealth Mode + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + Shielded + + + + + + false + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + + false + Shielding Off + + + true + Shielding On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + false + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Unicast Responses Not Blocked + + + true + Unicast Responses Blocked + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogDroppedPackets + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Dropped Packets + + + true + Enable Logging Of Dropped Packets + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogSuccessConnections + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Successful Connections + + + true + Enable Logging Of Successful Connections + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogIgnoredRules + + + + + + false + This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Ignored Rules + + + true + Enable Logging Of Ignored Rules + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogMaxFileSize + + + + + + 1024 + This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + [0-4294967295] + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogFilePath + + + + + + %systemroot%\system32\LogFiles\Firewall\pfirewall.log + This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableInboundNotifications + + + + + + false + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Firewall May Display Notification + + + true + Firewall Must Not Display Notification + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AuthAppsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + AuthAppsAllowUserPrefMerge Off + + + true + AuthAppsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + GlobalPortsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + false + GlobalPortsAllowUserPrefMerge Off + + + true + GlobalPortsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalPolicyMerge + + + + + + true + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + + + + + + + + + false + AllowLocalPolicyMerge Off + + + true + AllowLocalPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalIpsecPolicyMerge + + + + + + true + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + + + + + + + + + false + AllowLocalIpsecPolicyMerge Off + + + true + AllowLocalIpsecPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultOutboundAction + + + + + + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + 0 + Allow Outbound By Default + + + 1 + Block Outbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultInboundAction + + + + + + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + 0 + Allow Inbound By Default + + + 1 + Block Inbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + true + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + + + + + false + FALSE + + + true + TRUE + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + + PublicProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + + true + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Disable Firewall + + + true + Enable Firewall + + + + + + DisableStealthMode + + + + + + false + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Use Stealth Mode + + + true + Disable Stealth Mode + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + Shielded + + + + + + false + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + + false + Shielding Off + + + true + Shielding On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + false + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Unicast Responses Not Blocked + + + true + Unicast Responses Blocked + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogDroppedPackets + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. 
The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Dropped Packets + + + true + Enable Logging Of Dropped Packets + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogSuccessConnections + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Successful Connections + + + true + Enable Logging Of Successful Connections + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogIgnoredRules + + + + + + false + This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Ignored Rules + + + true + Enable Logging Of Ignored Rules + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogMaxFileSize + + + + + + 1024 + This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + [0-4294967295] + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogFilePath + + + + + + %systemroot%\system32\LogFiles\Firewall\pfirewall.log + This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableInboundNotifications + + + + + + false + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Firewall May Display Notification + + + true + Firewall Must Not Display Notification + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AuthAppsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + false + AuthAppsAllowUserPrefMerge Off + + + true + AuthAppsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + GlobalPortsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + GlobalPortsAllowUserPrefMerge Off + + + true + GlobalPortsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalPolicyMerge + + + + + + true + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + + + + + + + + + false + AllowLocalPolicyMerge Off + + + true + AllowLocalPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalIpsecPolicyMerge + + + + + + true + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. 
+ + + + + + + + + + + + + + + false + AllowLocalIpsecPolicyMerge Off + + + true + AllowLocalIpsecPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultOutboundAction + + + + + + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + 0 + Allow Outbound By Default + + + 1 + Block Outbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultInboundAction + + + + + + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + 0 + Allow Inbound By Default + + + 1 + Block Inbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + true + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + + + + + false + FALSE + + + true + TRUE + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + + HyperVVMSettings + + + + + Settings for the Windows Firewall for Hyper-V containers. Each setting applies on a per-VM Creator basis. + + + + + + + + + + + + + + + + + + + + + + + + VM Creator ID that these settings apply to. Valid format is a GUID + + + + + + + + + + VMCreatorId + + + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + - Global + EnableFirewall - + + true + This value is an on/off switch for the firewall and advanced security enforcement. - + - + - + + + + false + Disable Firewall + + + true + Enable Firewall + + - - PolicyVersionSupported - - - - - Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. - - - - - - - - - - - text/plain - - - - - CurrentProfiles - - - - - Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. - - - - - - - - - - - text/plain - - - - - DisableStatefulFtp - - - - - - - - FALSE - This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. 
- - - - - - - - - - - text/plain - - - - - SaIdleTime - - - - - - - - 300 - This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. - - - - - - - - - - - text/plain - - - - - PresharedKeyEncoding - - - - - - - - 1 - Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. - - - - - - - - - - - text/plain - - - - - IPsecExempt - - - - - - - - 0 - This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. - - - - - - - - - - - text/plain - - - - - CRLcheck - - - - - - - - This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. 
Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. - - - - - - - - - - - text/plain - - - - - PolicyVersion - - - - - This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law. - - - - - - - - - - - text/plain - - - - - BinaryVersionSupported - - - - - This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. - - - - - - - - - - - text/plain - - - - - OpportunisticallyMatchAuthSetPerKM - - - - - - - - This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - - - - - - - - - - - text/plain - - - - - EnablePacketQueue - - - - - - - - 0 - This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. 
A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. - - - - - - - - - - - text/plain - - - - DomainProfile + DefaultOutboundAction + + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. - + - + - + + + + 0 + Allow Outbound By Default + + + 1 + Block Outbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall + + + true + Enable Firewall + + + + + - - EnableFirewall - - - - - - - 1 - This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthMode - - - - - - - 0 - This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - Shielded - - - - - - 0 - This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - - - - - - - - - - - text/plain - - - - - DisableUnicastResponsesToMulticastBroadcast - - - - - - - 0 - This value is used as an on/off switch. 
If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableInboundNotifications - - - - - - - 0 - This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AuthAppsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - GlobalPortsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AllowLocalPolicyMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. 
- - - - - - - - - - - text/plain - - - - - AllowLocalIpsecPolicyMerge - - - - - - - 1 - This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - - - - - - - - - - - text/plain - - - - - DefaultOutboundAction - - - - - - - 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DefaultInboundAction - - - - - - - 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthModeIpsecSecuredPacketExemption - - - - - - - 1 - This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. 
- - - - - - - - - - - text/plain - - - - PrivateProfile + DefaultInboundAction + + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. - + - + - + + + + 0 + Allow Inbound By Default + + + 1 + Block Inbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall + + + true + Enable Firewall + + + + + - - EnableFirewall - - - - - - - 1 - This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthMode - - - - - - - 0 - This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - Shielded - - - - - - 0 - This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - - - - - - - - - - - text/plain - - - - - DisableUnicastResponsesToMulticastBroadcast - - - - - - - 0 - This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
- - - - - - - - - - - text/plain - - - - - DisableInboundNotifications - - - - - - - 0 - This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AuthAppsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - GlobalPortsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AllowLocalPolicyMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - - - - - - - - - - - text/plain - - - - - AllowLocalIpsecPolicyMerge - - - - - - - 1 - This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. 
The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - - - - - - - - - - - text/plain - - - - - DefaultOutboundAction - - - - - - - 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DefaultInboundAction - - - - - - - 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthModeIpsecSecuredPacketExemption - - - - - - - 1 - This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - - - - - - - - - - - text/plain - - - - PublicProfile + EnableLoopback - + + false + This value is an on/off switch for loopback traffic. This determines if this VM type is able to send/receive loopback traffic. 
- + - + - + + + + false + Disable loopback + + + true + Enable loopback + + - - EnableFirewall - - - - - - - 1 - This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthMode - - - - - - - 0 - This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - Shielded - - - - - - 0 - This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - - - - - - - - - - - text/plain - - - - - DisableUnicastResponsesToMulticastBroadcast - - - - - - - 0 - This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableInboundNotifications - - - - - - - 0 - This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
- - - - - - - - - - - text/plain - - - - - AuthAppsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - GlobalPortsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AllowLocalPolicyMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - - - - - - - - - - - text/plain - - - - - AllowLocalIpsecPolicyMerge - - - - - - - 1 - This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - - - - - - - - - - - text/plain - - - - - DefaultOutboundAction - - - - - - - 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DefaultInboundAction - - - - - - - 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthModeIpsecSecuredPacketExemption - - - - - - - 1 - This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - - - - - - - - - - - text/plain - - - + + + + FirewallRules + + + + + A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + + + + + + + + + + + + + + + + + + + + + + + + Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + + + + + + + + + + FirewallRuleName + + + + + + + + ^[^|/]*$ + + + - FirewallRules + App - A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + Rules that control connections for an app, program or service. + +Specified based on the intersection of the following nodes. + +PackageFamilyName +FilePath +FQBN +ServiceName 
@@ -1280,11 +3082,11 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + - + PackageFamilyName 
@@ -1292,227 +3094,220 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. - + - + - FirewallRuleName - + - - App - - - - - Rules that control connections for an app, program or service. - -Specified based on the intersection of the following nodes. - -PackageFamilyName -FilePath -FQBN -ServiceName - - - - - - - - - - - - - - - PackageFamilyName - - - - - - - - PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. - - - - - - - - - - - text/plain - - - - - FilePath - - - - - - - - FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. - - - - - - - - - - - text/plain - - - - - Fqbn - - - - - - - - Fully Qualified Binary Name - - - - - - - - - - - text/plain - - - - - ServiceName - - - - - - - - This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic. - - - - - - - - - - - text/plain - - - - - - Protocol - - - - - - - - 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. - - - - - - - - - - - text/plain - - - - - LocalPortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - text/plain - - - - - RemotePortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - text/plain - - - - - LocalAddressRanges - - - - - - - - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. 
+ + + FilePath + + + + + + + + FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + + + + + + + + + + Fqbn + + + + + + + + Fully Qualified Binary Name + + + + + + + + + + + + + + + + ServiceName + + + + + + + + This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic. + + + + + + + + + + + + + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + + + + + + + + [0-255] + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + + + + + + + + + + + + + RemotePortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + + + + + + + + + + + + + IcmpTypesAndCodes + + + + + + + + + String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. + To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. + The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. + + + + + + + + + + + + + + + 10.0.19043 + 1.0 + + + + + + + + LocalAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. 
@@ -1520,30 +3315,33 @@ A subnet can be specified using either the subnet mask or network prefix notatio A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. - - - - - - - - - - - text/plain - - - - - RemoteAddressRanges - - - - - - - - Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: + + + + + + + + + + + + + + + + + + + RemoteAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: "*" indicates any remote address. If present, this must be the only token included. "Defaultgateway" "DHCP" 
@@ -1558,288 +3356,1057 @@ A subnet can be specified using either the subnet mask or network prefix notatio A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. - - - - - - - - - - - text/plain - - - - - Description - - - - - - - - Specifies the description of the rule. - - - - - - - - - - - text/plain - - - - - Enabled - - - - - - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. + + + + + + + + + + + + + + + + + + + RemoteAddressDynamicKeywords + + + + + + + + Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + + Description + + + + + + + + Specifies the description of the rule. + + + + + + + + + + + + + + + + Enabled + + + + + + Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - - - - - text/plain - - - - - Profiles - - - - - - Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. - - - - - - - - - - - text/plain - - - - - Action - - - - - Specifies the action for the rule. - - - - - - - - - - - - - - - Type - - - - - - 1 - Specifies the action the rule enforces: + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + + + + Profiles + + + + + + Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. 
If not specified, the default is All. + + + + + + + + + + + + + + + 0x1 + FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains. + + + 0x2 + FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they are in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD. + + + 0x4 + FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator are not trusted. + + + 0x7FFFFFFF + FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets. + + + 0x80000000 + FW_PROFILE_TYPE_CURRENT: This value represents the current profiles to which the firewall and advanced security components determine the host is connected at the moment of the call. This value can be specified only in method calls, and it cannot be combined with other flags. + + + + + + Action + + + + + Specifies the action for the rule. + + + + + + + + + + + + + + + Type + + + + + + 1 + Specifies the action the rule enforces: 0 - Block 1 - Allow - - - - - - - - - - - text/plain - - - - - - Direction - - - - - - IN - Comma separated list. The rule is enabled based on the traffic direction as following. 
+ + + + + + + + + + + + + + + 0 + Block + + + 1 + Allow + + + + + + + Direction + + + + + + OUT + Comma separated list. The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. -If not specified the detault is IN. - - - - - - - - - - - text/plain - - - - - InterfaceTypes - - - - - - All - String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All". - If more than one interface type is specified, the strings must be separated by a comma. - - - - - - - - - - - text/plain - - - - - EdgeTraversal - - - - - - - - Indicates whether edge traversal is enabled or disabled for this rule. +If not specified the detault is OUT. + + + + + + + + + + + + + + + IN + The rule applies to inbound traffic. + + + OUT + The rule applies to outbound traffic. + + + + + + InterfaceTypes + + + + + + + + All + + String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MBB", and "All". + If more than one interface type is specified, the strings must be separated by a comma. + + + + + + + + + + + + + + + + RemoteAccess + RemoteAccess + + + Wireless + Wireless + + + Lan + Lan + + + MBB + MobileBroadband + + + All + All + + + + + + + EdgeTraversal + + + + + + + + Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. 
New rules have the EdgeTraversal property disabled by default. - - - - - - - - - - - text/plain - - - - - LocalUserAuthorizedList - - - - - - - - Specifies the list of authorized local users for the app container. + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + + + + LocalUserAuthorizedList + + + + + + + + Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.. - - - - - - - - - - - text/plain - - - - - Status - - - - - Provides information about the specific verrsion of the rule in deployment for monitoring purposes. - - - - - - - - - - - text/plain - - - - - Name - - - - - - - - - - - - - - - - - - text/plain - - - + + + + + + + + + + + + + + + + + + PolicyAppId + + + + + + + + Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". + + + + + + + + + + + + + + 99.9.99999 + 1.1 + + + ^[A-Za-z0-9_.:/]+$ + + + + + Status + + + + + Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + + + + + + + + + + + + + + + + Name + + + + + + + + + + + + + + + + + + + + + + + + + HyperVFirewallRules + + + + + A list of rules controlling traffic through the Windows Firewall for Hyper-V containers. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + + + + + + + + + + + + + + + + + + + + + + + + Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + + + + + + + + + + FirewallRuleName + + + + + + + + ^[^|/]*$ + + + + + Priority + + + + + + + + 0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + + + + + + + + [0-255] + + + + + Direction + + + + + + OUT + Comma separated list. The rule is enabled based on the traffic direction as following. + +IN - the rule applies to inbound traffic. 
+OUT - the rule applies to outbound traffic. + +If not specified the detault is OUT. + + + + + + + + + + + + + + + IN + The rule applies to inbound traffic. + + + OUT + The rule applies to outbound traffic. + + + + + + VMCreatorId + + + + + + + + This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators. + + + + + + + + + + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + + + + + + + + [0-65535] + + + + + LocalAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. +Valid tokens include: +"*" indicates any local address. If present, this must be the only token included. + +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. + + + + + + + + + + + + + + + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + + + + + + + + + + + + + RemoteAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: +"*" indicates any remote address. If present, this must be the only token included. +A subnet can be specified using either the subnet mask or network prefix notation. 
If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. + + + + + + + + + + + + + + + + + + + RemotePortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + + + + + + + + + + + + + Action + + + + + Specifies the action for the rule. + + + + + + + + + + + + + + + Type + + + + + + 1 + Specifies the action the rule enforces: +0 - Block +1 - Allow + + + + + + + + + + + + + + + 0 + Block + + + 1 + Allow + + + + + + + Enabled + + + + + + Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default. + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + + + + Status + + + + + Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + + + + + + + + + + + + + + + + Name + + + + + + + + + + + + + + + + + + + + + + + + + DynamicKeywords + + + + + + + + + + + + + + + + + + 99.9.99999 + 1.0 + + + + Addresses + + + + + A list of dynamic keyword addresses for use within firewall rules. Dynamic keyword addresses can either be a simple alias object or fully-qualified domain names which will be autoresolved in the presence of the Microsoft Defender Advanced Threat Protection Service. + + + + + + + + + + + + + + + + + + + + + + + A unique GUID string identifier for this dynamic keyword address. + + + + + + + + + + Id + + + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + Keyword + + + + + + + A String reprsenting keyword. 
If the AutoResolve value is true, this should be a Fully Qualified Domain name (wildcards accepted, for example "contoso.com" or "*.contoso.com"). If the AutoResolve value is false, then this can be any identifier string. + + + + + + + + + + + + + + + + + + Addresses + + + + + + + + Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value should not be set if AutoResolve is true. + Valid tokens include: + A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. + A valid IPv6 address. + An IPv4 address range in the format of "start address - end address" with no spaces included. + An IPv6 address range in the format of "start address - end address" with no spaces included. + + + + + + + + + + + + + + + + + + + Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/[Id]/AutoResolve + + + false + AutoResolve False + + + + + + + + + AutoResolve + + + + + + + false + If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a fully qualified domain name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present. + + + + + + + + + + + + + + + false + AutoResolve False + + + true + AutoResolve True + + + + + ``` + +## Related articles + +[Firewall configuration service provider reference](firewall-csp.md) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 63c5843f83..a7eb92f01a 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
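Review bot: In the new HyperVFirewallRules subtree the `Priority` node carries the `Protocol` node's description verbatim ("0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All."), so an administrator reading this reference cannot tell what Priority actually controls; it should get its own description (I would hedge it as `Rule evaluation priority; lower values are evaluated first — confirm against the firewall DDF source`). In the same subtree the `Protocol` node's allowed-value range is `[0-65535]` while its description and the top-level FirewallRules `Protocol` node say `[0-255]`, which is the IP protocol-number range; one of the two is wrong and the wider range lets a policy author submit a value the firewall cannot map to a protocol. The `99.9.99999` OS-version marker on `RemoteAddressDynamicKeywords`, `PolicyAppId` and `DynamicKeywords` reads as a placeholder rather than a shipping build and should be replaced with the real minimum version or called out as "not yet released". The enclosing DDF document and its `<MgmtTree>` start before this hunk.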
@@ -1,29 +1,23 @@ --- -title: Device HealthAttestation CSP -description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. -ms.reviewer: +title: HealthAttestation CSP +description: Learn more about the HealthAttestation CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 4/5/2022 +ms.topic: reference --- -# Device HealthAttestation CSP + -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +# HealthAttestation CSP + + The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following list is a description of the functions performed by the Device HealthAttestation CSP: 
@@ -32,32 +26,782 @@ The following list is a description of the functions performed by the Device Hea - Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device - Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) + + +The following list shows the HealthAttestation configuration service provider nodes: + +- ./Vendor/MSFT/HealthAttestation + - [AttestStatus](#atteststatus) + - [Certificate](#certificate) + - [CorrelationID](#correlationid) + - [CurrentProtocolVersion](#currentprotocolversion) + - [ForceRetrieve](#forceretrieve) + - [GetAttestReport](#getattestreport) + - [GetServiceCorrelationIDs](#getservicecorrelationids) + - [HASEndpoint](#hasendpoint) + - [MaxSupportedProtocolVersion](#maxsupportedprotocolversion) + - [Nonce](#nonce) + - [PreferredMaxProtocolVersion](#preferredmaxprotocolversion) + - [Status](#status) + - [TpmReadyStatus](#tpmreadystatus) + - [TriggerAttestation](#triggerattestation) + - [VerifyHealth](#verifyhealth) + + + +## AttestStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/AttestStatus +``` + + + + +AttestStatus maintains the success or failure status code for the last attestation session. + + + + +The status is always cleared prior to making the attest service call. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: + +- Templated SyncML Call: + + ```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/AttestStatus + + + + + + + + ``` + +- Sample Response: + + ```console + If Successful: 0 + If Failed: A corresponding HRESULT error code. Example: 0x80072efd, WININET_E_CANNOT_CONNECT + ``` + + + + + +## Certificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/Certificate +``` + + + + +Instructs the DHA-CSP to forward DHA-Data to the MDM server. + + + + +Value type is a base64 string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## CorrelationID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/CorrelationID +``` + + + + +Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## CurrentProtocolVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/CurrentProtocolVersion +``` + + + + +Provides the current protocol version that the client is using to communicate with the Health Attestation Service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## ForceRetrieve + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/ForceRetrieve +``` + + + + +Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + + + + + + + + + +## GetAttestReport + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/GetAttestReport +``` + + + + +Retrieve attestation session report if exists. + + + + +The report is stored in a registry key in the respective MDM enrollment store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**Example**: + +- Templated SyncML Call: + + ```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport + + + + + + + + ``` + +- Sample data: + + ```console + If Success: JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc + If failed: Previously cached report if available (the token may have already expired per the attestation policy). + OR Sync ML 404 error if no cached report available. + ``` + + + + + +## GetServiceCorrelationIDs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs +``` + + + + +Retrieve service correlation IDs if exist. + + + + +If there's more than one correlation ID, they're separated by ";" in the string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**Example**: + +- Templated SyncML Call: + + ```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs + + + + + + + + ``` + +- Sample data: + + ```console + If success: GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM + If Trigger Attestation call failed and no previous data is present: The field remains empty. + Otherwise, the last service correlation id will be returned. + In a successful attestation there are two calls between client and MAA and for each call the GUID is separated by semicolon. + ``` + + + + + +## HASEndpoint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/HASEndpoint +``` + + + + +Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | has.spserv.microsoft.com. | + + + + + + + + + +## MaxSupportedProtocolVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/MaxSupportedProtocolVersion +``` + + + + +Returns the maximum protocol version that this client can support. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## Nonce + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/Nonce +``` + + + + +Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | \0 | + + + + + + + + + +## PreferredMaxProtocolVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/PreferredMaxProtocolVersion +``` + + + + +Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 3 | + + + + + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/Status +``` + + + + +Provides the current status of the device health request. For the complete list of status values, see [HealthAttestation CSP status and error codes](#healthattestation-csp-status-and-error-codes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## TpmReadyStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/TpmReadyStatus +``` + + + + +Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## TriggerAttestation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/TriggerAttestation +``` + + + + +Notifies the device to trigger an attestation session asynchronously. + + + + +If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + +**Example**: + +- Templated SyncML Call: + + ```xml + + + + VERIFYHEALTHV2 + + + + ./Vendor/MSFT/HealthAttestation/TriggerAttestation + + + + { + rpID : "rpID", serviceEndpoint : "MAA endpoint", + nonce : "nonce", aadToken : "aadToken", "cv" : "CorrelationVector" + } + + + + + + + ``` + +- Data fields: + + - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. + - serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. + - nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. + - aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service. + - cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes. 
+ +- Sample ``: + + ```json + { + "rpid" : "https://www.contoso.com/attestation", + "endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01", + "nonce" : "5468697320697320612054657374204e6f6e6365", + "aadToken" : "dummytokenstring", + "cv" : "testonboarded" + } + ``` + + + + + +## VerifyHealth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/VerifyHealth +``` + + + + +Notifies the device to prepare a device health verification request. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + + ## Windows 11 Device health attestation Windows 11 introduces an update to the device health attestation feature. This update helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces more child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. -### Terms +Terms used: - **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. - - **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. 
- - **MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**: The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. - -- **MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**: The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service. - - The following list of operations is performed by MAA-CSP: - +- **MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**: The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service. The following list of operations is performed by MAA-CSP: - Receives attestation trigger requests from a HealthAttestation enabled MDM provider. - The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device. - Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider. - Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device. - - **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. - - **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it's digitally signed. JWTs can be signed using a secret or a public/private key pair. ### Attestation Flow with Microsoft Azure Attestation Service 
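Review bot: The `Nonce` node description says the value protects the attestation exchange "from man-in-the-middle type (MITM) attacks", but a server-generated nonce binds the report to one request and defeats replay of an earlier response; it does not by itself stop an on-path attacker, and the page's own `TriggerAttestation` data-field text correctly describes the nonce as replay protection. Suggested wording: `Enables the MDM server to bind the device health attestation response to a specific request and detect replay of a previously captured response, using a random value generated by the MDM server.` The `GetAttestReport` sample response notes that on failure a previously cached report is returned and "the token may have already expired"; a one-line caveat that the MDM must validate the JWT signature, expiry and embedded nonce (and check `AttestStatus`) before acting on the report would stop a consumer from treating a stale cached token as a fresh health verdict. Since `HASEndpoint` and `PreferredMaxProtocolVersion` are Replace-able, it is also worth stating that whoever can write these nodes chooses the attestation service and protocol version the device trusts, so they should be set only by the managing MDM.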
@@ -72,197 +816,6 @@ Attestation flow can be broadly in three main steps: For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol). -### Configuration Service Provider Nodes - -Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service. - -```console -./Vendor/MSFT -HealthAttestation -----... -----TriggerAttestation | -----AttestStatus | Added in Windows 11 -----GetAttestReport | -----GetServiceCorrelationIDs | -----VerifyHealth -----Status -----ForceRetrieve -----Certificate -----Nonce -----CorrelationID -----HASEndpoint -----TpmReadyStatus -----CurrentProtocolVersion -----PreferredMaxProtocolVersion -----MaxSupportedProtocolVersion -``` - -**./Vendor/MSFT/HealthAttestation** - -The root node for the device HealthAttestation configuration service provider. - -**TriggerAttestation** (Required) - -Node type: EXECUTE - -This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. - -Templated SyncML Call: - -```xml - - - - VERIFYHEALTHV2 - - - - ./Vendor/MSFT/HealthAttestation/TriggerAttestation - - - - { - rpID : "rpID", serviceEndpoint : "MAA endpoint", - nonce : "nonce", aadToken : "aadToken", "cv" : "CorrelationVector" - } - - - - - - -``` - -Data fields: - -- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. -- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. -- nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. 
-- aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service. -- cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes. - -Sample Data: - -```json - -{ -"rpid" : "https://www.contoso.com/attestation", -"endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01", -"nonce" : "5468697320697320612054657374204e6f6e6365", -"aadToken" : "dummytokenstring", -"cv" : "testonboarded" -} - -``` - -**AttestStatus** - -Node type: GET - -This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step. -The status is always cleared prior to making the attest service call. - -Templated SyncML Call: - -```xml - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/AttestStatus - - - - - - - -``` - -Sample Data: - -```console -If Successful: 0 -If Failed: A corresponding HRESULT error code -Example: 0x80072efd, WININET_E_CANNOT_CONNECT -``` - -**GetAttestReport** - -Node type: GET - -This node will retrieve the attestation report per the call made by the TriggerAttestation, if there's any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. - -Templated SyncML Call: - -```xml - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport - - - - - - - -``` - -Sample data: - -```console -If Success: -JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc -If failed: -Previously cached report if available (the token may have already expired per the attestation policy). -OR Sync ML 404 error if not cached report available. -``` - -**GetServiceCorrelationIDs** - -Node type: GET - -This node will retrieve the service-generated correlation IDs for the given MDM provider. If there's more than one correlation ID, they're separated by “;” in the string. 
- -Templated SyncML Call: - -```xml - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs - - - - - - - -``` - -Sample data: - -```console -If success: -GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM -If Trigger Attestation call failed and no previous data is present. The field remains empty. -Otherwise, the last service correlation id will be returned. In a successful attestation there are two -calls between client and MAA and for each call the GUID is separated by semicolon. -``` - -> [!NOTE] -> MAA CSP nodes are available on arm64 but isn't currently supported. - - ### MAA CSP Integration Steps 1. Set up an MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal). 
@@ -278,136 +831,136 @@ calls between client and MAA and for each call the GUID is separated by semicolo
 };
 authorizationrules {
- => permit();
+ => permit();
 };
- issuancerules{
+ issuancerules {
- // SecureBoot enabled
- c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
- c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
- ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
+ // SecureBoot enabled
+ c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
+ ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
- // Retrieve bool properties
- c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? 
EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
- c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
- ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
+ // Retrieve bool properties
+ c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
+ c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
- // Bitlocker Boot Status, The first non zero measurement or zero.
- c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
- c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? 
Value != `0`].Value | @[0]")));
- [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
- ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
+ // Bitlocker Boot Status, The first non zero measurement or zero.
+ c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));
+ [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
+ ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
- // Elam Driver (windows defender) Loaded
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
- [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
- ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
+ // Elam Driver (windows defender) Loaded
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? 
EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
+ [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
+ ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
- // Boot debugging
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
- c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
- ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
+ // Boot debugging
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
+ c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
- // Kernel Debugging
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
- c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
- ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
+ // Kernel Debugging
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", 
value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
+ c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
- // DEP Policy
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
- ![type=="depPolicy"] => issue(type="depPolicy", value=0);
+ // DEP Policy
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
+ ![type=="depPolicy"] => issue(type="depPolicy", value=0);
- // Test Signing
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
- c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
- ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
+ // Test Signing
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
+ c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
- // Flight Signing
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
- c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => 
issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
- ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
+ // Flight Signing
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
+ c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
- // VSM enabled
- c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
- c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
- c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
- c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
- ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
- c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
+ // VSM enabled
+ c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? 
EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
+ c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
+ c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
- // HVCI
- c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
- c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
- ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
+ // HVCI
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
+ c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
+ ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
- // IOMMU
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
- c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
- 
![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
+ // IOMMU
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
+ c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
- // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
- // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
- c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
- c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
- [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");
+ // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
+ // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
+ c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
+ c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
+ [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");
- // Find the first EVENT_APPLICATION_SVN. 
- c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
- c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
- c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
+ // Find the first EVENT_APPLICATION_SVN.
+ c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
+ c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
+ c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
- // The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN
- c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
+ // The first EVENT_APPLICATION_SVN. 
That value is the Boot Manager SVN
+ c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
- // OS Rev List Info
- c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
+ // OS Rev List Info
+ c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
- // Safe mode
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
- c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
- ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
+ // Safe mode
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
+ c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
+ ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
- // Win PE
- c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
- c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
- ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
+ // 
Win PE
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
+ c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
+ ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
- // CI Policy
- c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
+ // CI Policy
+ c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
- // Secure Boot Custom Policy
- c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
+ // Secure Boot Custom Policy
+ c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
- // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
- c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? 
EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
- c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
- [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it's not present
+ // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
+ c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
+ c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
+ [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? 
`true` "); // No restriction of EV_SEPARATOR in case it's not present
- //Finding the Boot App SVN
- // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
- c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
- c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
- c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));
+ //Finding the Boot App SVN
+ // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
+ c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
+ c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, 
c1.value));
- // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
- c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
- c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
- c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
+ // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
+ c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
+ c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
- // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. 
- c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
- c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
- c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
+ // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12.
+ c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
+ c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
- // Finding the Boot Rev List Info
- c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? 
EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
+ // Finding the Boot Rev List Info
+ c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
 };
 ```
-3. Call TriggerAttestation with your rpid, Azure Active Directory token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm).
+3. Call TriggerAttestation with your `rpid`, `Azure Active Directory token` and the `attestURI`: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm).
 4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties: GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy. 
@@ -468,74 +1021,46 @@ calls between client and MAA and for each call the GUID is separated by semicolo More information about TPM attestation can be found here: [Microsoft Azure Attestation](/azure/attestation/). - ## Windows 10 Device HealthAttestation -### Terms +Terms used: - **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. - - **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. - - **DHA-Enabled device (Device HealthAttestation enabled device)**: A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0. +- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. The following list of transactions is performed in one DHA-Session: -- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. 
- - The following list of transactions is performed in one DHA-Session: + ![DHA session healthattestation session diagram](./images/HealthAttestation_1.png) - DHA-CSP and DHA-Service communication: - DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service - DHA-Service replies with an encrypted data blob (DHA-EncBlob) - - DHA-CSP and MDM-Server communication: - MDM-Server sends a device health verification request to DHA-CSP - DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob - - MDM-Server and DHA-Service communication: - MDM-Server posts data it receives from devices to DHA-Service - DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report) - - ![DHA session healthattestation session diagram](./images/HealthAttestation_1.png) - - **DHA session data (Device HealthAttestation session data)**: The following list of data is produced or consumed in one DHA-Transaction: - - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. - - DHA-SignedBlob: it's a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-SignedBlob: it's a signed snapshot of the current state of a device's runtime that is captured by DHA-CSP at device health attestation time. - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. 
DHA-Data has two parts: - - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service - DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP - - DHA-Report: the report that is issued by DHA-Service to MDM-Server - Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks - -- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature. - - DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system. - - The following list of operations is performed by DHA-Enabled-MDM - +- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature. DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system. 
The following list of operations is performed by DHA-Enabled-MDM: - Enables the DHA feature on a DHA-Enabled device - Issues device health attestation requests to enrolled/managed devices - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action - -- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties can't be spoofed. - - The following list of operations is performed by DHA-CSP: - +- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device's TPM and firmware to measure critical security properties of the device's BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties can't be spoofed. The following list of operations is performed by DHA-CSP: - Collects device boot data (DHA-BootData) from a managed device - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device - Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) - -- **DHA-Service (Device HealthAttestation Service)**: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel. 
- - DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios. - - The following list of operations is performed by DHA-Service: - +- **DHA-Service (Device HealthAttestation Service)**: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel. DHA-Service is available in two flavors: "DHA-Cloud" and "DHA-Server2016". DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios. The following list of operations is performed by DHA-Service: - Receives device boot data (DHA-BootData) from a DHA-Enabled device - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device @@ -545,91 +1070,10 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes |DHA-Service type|Description|Operation cost| |--- |--- |--- | -|Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
  • Available in Windows for free
  • Running on a high-availability and geo-balanced cloud infrastructure
  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
  • Accessible to all enterprise-managed devices via following:
  • | -|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
  • Hosted on an enterprise owned and managed server device/hardware
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following settings:
  • | +|Device Health Attestation - Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
  • Available in Windows for free
  • Running on a high-availability and geo-balanced cloud infrastructure
  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
  • Accessible to all enterprise-managed devices via following:
  • | +|Device Health Attestation - On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
  • Hosted on an enterprise owned and managed server device/hardware
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following settings:
  • | |Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
  • Offered to Windows Server 2016 customers with no extra licensing cost (no added licensing cost for enabling/running DHA-Service)
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following settings:
  • | -### CSP diagram and node descriptions - -The following shows the Device HealthAttestation configuration service provider in tree format. - -```console -./Vendor/MSFT -HealthAttestation -----VerifyHealth -----Status -----ForceRetrieve -----Certificate -----Nonce -----CorrelationID -----HASEndpoint -----TpmReadyStatus -----CurrentProtocolVersion -----PreferredMaxProtocolVersion -----MaxSupportedProtocolVersion -``` - -**./Vendor/MSFT/HealthAttestation** - -The root node for the device HealthAttestation configuration service provider. - -**VerifyHealth** (Required) - -Notifies the device to prepare a device health verification request. - -The supported operation is Execute. - -**Status** (Required) - -Provides the current status of the device health request. - -The supported operation is Get. - -The following list shows some examples of supported values. For the complete list of status, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). - -- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service -- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device -- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes -- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup - -**ForceRetrieve** (Optional) - -Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. - -Boolean value. The supported operation is Replace. 
- -**Certificate** (Required) - -Instructs the DHA-CSP to forward DHA-Data to the MDM server. - -Value type is b64. The supported operation is Get. - -**Nonce** (Required) - -Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. - -The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. - -The supported operations are Get and Replace. - -**CorrelationId** (Required) - -Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. - -Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get. - -**HASEndpoint** (Optional) - -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN isn't assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. - -Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com. - -**TpmReadyStatus** (Required) - -Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. - -Value type is integer. The supported operation is Get. - ### DHA-CSP integration steps The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): 
@@ -645,7 +1089,7 @@ The following list of validation and development tasks are required for integrat Each step is described in detail in the following sections of this topic. -### Step 1: Verify HTTPS access +### Step 1: Verify HTTPS access Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). @@ -696,12 +1140,12 @@ SSL-Session: Verify return code: 20 (unable to get local issuer certificate) ``` -### Step 2: Assign an enterprise trusted DHA-Service +### Step 2: Assign an enterprise trusted DHA-Service There are three types of DHA-Service: -- Device Health Attestation – Cloud (owned and operated by Microsoft) -- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises) +- Device Health Attestation - Cloud (owned and operated by Microsoft) +- Device Health Attestation - On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises) - Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud) DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider. @@ -722,7 +1166,7 @@ The following example shows a sample call that instructs a managed device to com ``` -### Step 3: Instruct client to prepare health data for verification +### Step 3: Instruct client to prepare health data for verification Send a SyncML call to start collection of the DHA-Data. 
@@ -748,7 +1192,7 @@ The following example shows a sample call that triggers collection and verificat ``` -### Step 4: Take action based on the client's response +### Step 4: Take action based on the client's response After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. @@ -774,9 +1218,9 @@ Here's a sample alert that is issued by DHA_CSP: ``` -- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). +- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [HealthAttestation CSP status and error codes](#healthattestation-csp-status-and-error-codes). -### Step 5: Instruct the client to forward health attestation data for verification +### Step 5: Instruct the client to forward health attestation data for verification Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. 
@@ -812,9 +1256,9 @@ Here's an example: ``` -### Step 6: Forward device health attestation data to DHA-service +### Step 6: Forward device health attestation data to DHA-service -In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node). +In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node). When the MDM-Server receives the above data, it must: @@ -836,7 +1280,8 @@ When the MDM-Server receives the above data, it must: - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: `https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3` - DHA-OnPrem or DHA-EMC: `https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3` -### Step 7: Receive response from the DHA-service + +### Step 7: Receive response from the DHA-service When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps: @@ -844,7 +1289,7 @@ When the Microsoft Device Health Attestation Service receives a request for veri - Validates the data it has received. - Creates a report, and shares the evaluation results to the MDM server via SSL in XML format. -### Step 8: Take appropriate policy action based on evaluation results +### Step 8: Take appropriate policy action based on evaluation results After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be: 
@@ -852,506 +1297,6 @@ After the MDM server receives the verified data, the information can be used to
 - Allow the device to access the resources, but flag the device for further investigation.
 - Prevent a device from accessing resources.
-The following list of data points is verified by the DHA-Service in DHA-Report version 3:
-
-- [Issued](#issued )
-- [AIKPresent](#aikpresent)
-- [ResetCount](#resetcount) *
-- [RestartCount](#restartcount) *
-- [DEPPolicy](#deppolicy)
-- [BitlockerStatus](#bitlockerstatus) **
-- [BootManagerRevListVersion](#bootmanagerrevlistversion)
-- [CodeIntegrityRevListVersion](#codeintegrityrevlistversion)
-- [SecureBootEnabled](#securebootenabled)
-- [BootDebuggingEnabled](#bootdebuggingenabled)
-- [OSKernelDebuggingEnabled](#oskerneldebuggingenabled)
-- [CodeIntegrityEnabled](#codeintegrityenabled)
-- [TestSigningEnabled](#testsigningenabled)
-- [SafeMode](#safemode)
-- [WinPE](#winpe)
-- [ELAMDriverLoaded](#elamdriverloaded) ***
-- [VSMEnabled](#vsmenabled)
-- [PCRHashAlgorithmID](#pcrhashalgorithmid)
-- [BootAppSVN](#bootappsvn)
-- [BootManagerSVN](#bootmanagersvn)
-- [TpmVersion](#tpmversion)
-- [PCR0](#pcr0)
-- [SBCPHash](#sbcphash)
-- [CIPolicy](#cipolicy)
-- [BootRevListInfo](#bootrevlistinfo)
-- [OSRevListInfo](#osrevlistinfo)
-- [HealthStatusMismatchFlags](#healthstatusmismatchflags)
-
-\* TPM 2.0 only
-\*\* Reports if BitLocker was enabled during initial boot.
-\*\*\* The "Hybrid Resume" must be disabled on the device. Reports first-party ELAM "Defender" was loaded during boot.
-
-Each of these data points is described in further detail in the following sections, along with the recommended actions to take.
-
-**Issued**
-
-The date and time DHA-report was evaluated or issued to MDM.
-
-**AIKPresent**
-
-When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
-
-If AIKPresent = True (1), then allow access.
-
-If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-
-**ResetCount** (Reported only for devices that support TPM 2.0)
-
-This attribute reports the number of times a PC device has hibernated or resumed.
-
-**RestartCount** (Reported only for devices that support TPM 2.0)
-
-This attribute reports the number of times a PC device has rebooted.
-
-**DEPPolicy**
-
-A device can be trusted more if the DEP Policy is enabled on the device.
-
-Data Execution Prevention (DEP) Policy defines a set of hardware and software technologies that perform extra checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
-
-DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
-
-- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff**
-- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn**
-
-If DEPPolicy = 1 (On), then allow access.
-
-If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-
-DEP policy evaluation is a non binary status when queried. It is then mapped to an On/Off state.
-
-|DEP policy level |Description | Attestation reported level | Property value |
-|--------------|-----------|------------|-------------|
-|OptIn (default configuration) |Only Windows system components and services have DEP applied. | 0 | 2 |
-|OptOut |DEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied. | 1 | 3 |
-|AlwaysOn |DEP is enabled for all processess. | 3 | 1 |
-|AlwaysOff |DEP is not enabled for any process. | 2 | 0 |
-
-
-**BitLockerStatus** (at boot time)
-
-When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
-
-Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen.
-
-If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM has verified the state of the computer.
-
-If BitLockerStatus = 1 (On), then allow access.
-
-If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-
-**BootManagerRevListVersion**
-
-This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
-
-If BootManagerRevListVersion = [CurrentVersion], then allow access.
-
-If `BootManagerRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI and MBI assets.
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-
-**CodeIntegrityRevListVersion**
-
-This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it's exposed to security risks (revoked), and enforce an appropriate policy action.
-
-If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
-
-If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI and MBI assets.
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-
-**SecureBootEnabled**
-
-When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this requirement before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot.
-
-If SecureBootEnabled = 1 (True), then allow access.
-
-If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-
-**BootDebuggingEnabled**
-
-Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
-
-Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
-
-- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**.
-- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**.
-
-If BootdebuggingEnabled = 0 (False), then allow access.
-
-If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
-
-**OSKernelDebuggingEnabled**
-
-OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
-
-If OSKernelDebuggingEnabled = 0 (False), then allow access.
-
-If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-
-**CodeIntegrityEnabled**
-
-When code integrity is enabled, code execution is restricted to integrity verified code.
-
-Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
-
-On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-
-If CodeIntegrityEnabled = 1 (True), then allow access.
-
-If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-
-**TestSigningEnabled**
-
-When test signing is enabled, the device doesn't enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
-
-Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
-
-- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**.
-- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**.
-
-If TestSigningEnabled = 0 (False), then allow access.
-
-If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI and MBI assets.
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
-
-**SafeMode**
-
-Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
-
-If SafeMode = 0 (False), then allow access.
-
-If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-
-**WinPE**
-
-Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
-
-If WinPE = 0 (False), then allow access.
-
-If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
-
-**ELAMDriverLoaded** (Windows Defender)
-
-To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
-
-In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.
-
-If a device is expected to use a third-party antivirus program, ignore the reported state.
-
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
-
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-
-**Bcdedit.exe /set {current} vsmlaunchtype auto**
-
-If ELAMDriverLoaded = 1 (True), then allow access.
-
-If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-
-**VSMEnabled**
-
-Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.
-
-VSM can be enabled by using the following command in WMI or a PowerShell script:
-
-`bcdedit.exe /set {current} vsmlaunchtype auto`
-
-If VSMEnabled = 1 (True), then allow access.
-If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Disallow access to HBI assets.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue
-
-**PCRHashAlgorithmID**
-
-This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
-
-**BootAppSVN**
-
-This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
-
-If reported BootAppSVN equals an accepted value, then allow access.
-
-If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Direct the device to an enterprise honeypot, to further monitor the device's activities.
-
-**BootManagerSVN**
-
-This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
-
-If reported BootManagerSVN equals an accepted value, then allow access.
-
-If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Direct the device to an enterprise honeypot, to further monitor the device's activities.
-
-**TPMVersion**
-
-This attribute identifies the version of the TPM that is running on the attested device. TPMVersion node provides to replies "1" and "2":
-
-- 1 means TPM specification version 1.2
-- 2 means TPM specification version 2.0
-
-Based on the reply you receive from TPMVersion node:
-
-- If reported TPMVersion equals an accepted value, then allow access.
-- If reported TPMVersion doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-  - Disallow all access
-  - Direct the device to an enterprise honeypot, to further monitor the device's activities.
-
-**PCR0**
-
-The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
-
-Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison.
-
-If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action.
-If PCR[0] equals an accepted allowlist value, then allow access.
-
-If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Direct the device to an enterprise honeypot, to further monitor the device's activities.
-
-**SBCPHash**
-
-SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
-
-If SBCPHash isn't present, or is an accepted allow-listed value, then allow access.
-
-If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Place the device in a watch list to monitor the device more closely for potential risks.
-
-**CIPolicy**
-
-This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
-
-If CIPolicy isn't present, or is an accepted allow-listed value, then allow access.
-
-If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Place the device in a watch list to monitor the device more closely for potential risks.
-
-**BootRevListInfo**
-
-This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
-
-If reported BootRevListInfo version equals an accepted value, then allow access.
-
-If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Direct the device to an enterprise honeypot, to further monitor the device's activities.
-
-**OSRevListInfo**
-
-This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
-
-If reported OSRevListInfo version equals an accepted value, then allow access.
-
-If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-
-- Disallow all access.
-- Direct the device to an enterprise honeypot, to further monitor the device's activities.
-
-**HealthStatusMismatchFlags**
-
-HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
-
-If an issue is detected, a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
-
-### Device HealthAttestation CSP status and error codes
-
-Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED
-Error description: This state is the initial state for devices that have never participated in a DHA-Session.
-
-Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED
-Error description: This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
-
-Error code: 2 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED
-Error description: This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
-
-Error code: 3 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE
-Error description: This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.
-
-Error code: 4 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL
-Error description: Deprecated in Windows 10, version 1607.
-
-Error code: 5 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL
-Error description: DHA-CSP failed to get a claim quote.
-
-Error code: 6 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY
-Error description: DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
-
-Error code: 7 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL
-Error description: DHA-CSP failed in retrieving Windows AIK
-
-Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL
-Error description: Deprecated in Windows 10, version 1607.
-
-Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION
-Error description: Invalid TPM version (TPM version isn't 1.2 or 2.0)
-
-Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL
-Error description: Nonce wasn't found in the registry.
-
-Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL
-Error description: Correlation ID wasn't found in the registry.
-
-Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL
-Error description: Deprecated in Windows 10, version 1607.
-
-Error code: 13 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL
-Error description: Deprecated in Windows 10, version 1607.
-
-Error code: 14 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL
-Error description: Failure in Encoding functions. (Extremely unlikely scenario)
-
-Error code: 15 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL
-Error description: Deprecated in Windows 10, version 1607.
-
-Error code: 16 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML
-Error description: DHA-CSP failed to load the payload it received from DHA-Service
-
-Error code: 17 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML
-Error description: DHA-CSP received a corrupted response from DHA-Service.
-
-Error code: 18 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML
-Error description: DHA-CSP received an empty response from DHA-Service.
-
-Error code: 19 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK
-Error description: DHA-CSP failed in decrypting the AES key from the EK challenge.
-
-Error code: 20 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK
-Error description: DHA-CSP failed in decrypting the health cert with the AES key.
-
-Error code: 21 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB
-Error description: DHA-CSP failed in exporting the AIK Public Key.
-
-Error code: 22 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY
-Error description: DHA-CSP failed in trying to create a claim with AIK attestation data.
-
-Error code: 23 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB
-Error description: DHA-CSP failed in appending the AIK Pub to the request blob.
-
-Error code: 24 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT
-Error description: DHA-CSP failed in appending the AIK Cert to the request blob.
-
-Error code: 25 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE
-Error description: DHA-CSP failed to obtain a Session handle.
-
-Error code: 26 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE
-Error description: DHA-CSP failed to connect to the DHA-Service.
-
-Error code: 27 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHAND
-Error description: DHA-CSP failed to create an HTTP request handle.
-
-Error code: 28 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION
-Error description: DHA-CSP failed to set options.
-
-Error code: 29 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS
-Error description: DHA-CSP failed to add request headers.
-
-Error code: 30 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST
-Error description: DHA-CSP failed to send the HTTP request.
-
-Error code: 31 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE
-Error description: DHA-CSP failed to receive a response from the DHA-Service.
-
-Error code: 32 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS
-Error description: DHA-CSP failed to query headers when trying to get HTTP status code.
-
-Error code: 33 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE
-Error description: DHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
-
-Error code: 34 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE
-Error description: DHA-CSP received an empty response along with an HTTP error code from DHA-Service.
-
-Error code: 35 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER
-Error description: DHA-CSP failed to impersonate user.
-
-Error code: 36 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR
-Error description: DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
-
-Error code: 0xFFFF | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN
-Error description: DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
-
-Error code: 400 | Error name: Bad_Request_From_Client
-Error description: DHA-CSP has received a bad (malformed) attestation request.
-
-Error code: 404 | Error name: Endpoint_Not_Reachable
-Error description: DHA-Service isn't reachable by DHA-CSP
-
 ### DHA-Report V3 schema
 ```xml
@@ -1455,6 +1400,287 @@ Error description: DHA-Service isn't reachable by DHA-CSP ``` +The following list of data points is verified by the DHA-Service in DHA-Report version 3. + +- **Issued**: The date and time DHA-report was evaluated or issued to MDM. + +- **AIKPresent**: When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn't have an EK certificate. + + If AIKPresent = True (1), then allow access. + + If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. + - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +- **ResetCount** (Reported only for devices that support TPM 2.0): This attribute reports the number of times a PC device has hibernated or resumed. + +- **RestartCount** (Reported only for devices that support TPM 2.0): This attribute reports the number of times a PC device has rebooted. + +- **DEPPolicy**: A device can be trusted more if the DEP Policy is enabled on the device. + + Data Execution Prevention (DEP) Policy defines a set of hardware and software technologies that perform extra checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. + + DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: + + - To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** + - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** + + If DEPPolicy = 1 (On), then allow access. 
+ + If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. + - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + + DEP policy evaluation is a non binary status when queried. It is then mapped to an On/Off state. + + |DEP policy level |Description | Attestation reported level | Property value | + |--------------|-----------|------------|-------------| + |OptIn (default configuration) |Only Windows system components and services have DEP applied. | 0 | 2 | + |OptOut |DEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied. | 1 | 3 | + |AlwaysOn |DEP is enabled for all processess. | 3 | 1 | + |AlwaysOff |DEP is not enabled for any process. | 2 | 0 | + +- **BitLockerStatus** (Reports if BitLocker was enabled during initial boot.): + + When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. + + Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen. + + If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM has verified the state of the computer. + + If BitLockerStatus = 1 (On), then allow access. 
+ + If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. + - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +- **BootManagerRevListVersion**: This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment. + + If BootManagerRevListVersion = [CurrentVersion], then allow access. + + If `BootManagerRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI and MBI assets. + - Place the device in a watch list to monitor the device more closely for potential risks. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **CodeIntegrityRevListVersion**: This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it's exposed to security risks (revoked), and enforce an appropriate policy action. + + If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. + + If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI and MBI assets. + - Place the device in a watch list to monitor the device more closely for potential risks. 
+ - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **SecureBootEnabled**: When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this requirement before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot. + + If SecureBootEnabled = 1 (True), then allow access. + + If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. + - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +- **BootDebuggingEnabled**: Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development. + + Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script: + + - To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**. + - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**. + + If BootdebuggingEnabled = 0 (False), then allow access. + + If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. 
+ - Place the device in a watch list to monitor the device more closely for potential risks. + - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. + +- **OSKernelDebuggingEnabled**: OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development. + + If OSKernelDebuggingEnabled = 0 (False), then allow access. + + If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Place the device in a watch list to monitor the device more closely for potential risks. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **CodeIntegrityEnabled**: When code integrity is enabled, code execution is restricted to integrity verified code. + + Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. + + On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. + + If CodeIntegrityEnabled = 1 (True), then allow access. + + If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. 
+ - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +- **TestSigningEnabled**: When test signing is enabled, the device doesn't enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. + + Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: + + - To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**. + - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**. + + If TestSigningEnabled = 0 (False), then allow access. + + If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI and MBI assets. + - Place the device in a watch list to monitor the device more closely for potential risks. + - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. + +- **SafeMode**: Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. + + If SafeMode = 0 (False), then allow access. + + If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **WinPE**: Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup. + + If WinPE = 0 (False), then allow access. + + If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation. 
+ +- **ELAMDriverLoaded** (Windows Defender): To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. + + In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot. + + If a device is expected to use a third-party antivirus program, ignore the reported state. + + If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access. + + If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **VSMEnabled**: Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering. + + VSM can be enabled by using the following command in WMI or a PowerShell script: + + `bcdedit.exe /set {current} vsmlaunchtype auto` + + If VSMEnabled = 1 (True), then allow access. + If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue + +- **PCRHashAlgorithmID**: This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required. 
+ +- **BootAppSVN**: This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device + + If reported BootAppSVN equals an accepted value, then allow access. + + If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **BootManagerSVN**: This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device. + + If reported BootManagerSVN equals an accepted value, then allow access. + + If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **TPMVersion**: This attribute identifies the version of the TPM that is running on the attested device. TPMVersion node provides to replies "1" and "2": + + - 1 means TPM specification version 1.2 + - 2 means TPM specification version 2.0 + + Based on the reply you receive from TPMVersion node: + + - If reported TPMVersion equals an accepted value, then allow access. + - If reported TPMVersion doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + - Disallow all access + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **PCR0**: The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer. 
+ + Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison. + + If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action. + If PCR[0] equals an accepted allowlist value, then allow access. + + If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **SBCPHash**: SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. + + If SBCPHash isn't present, or is an accepted allow-listed value, then allow access. + + If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Place the device in a watch list to monitor the device more closely for potential risks. + +- **CIPolicy**: This attribute indicates the Code Integrity policy that is controlling the security of the boot environment. + + If CIPolicy isn't present, or is an accepted allow-listed value, then allow access. + + If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Place the device in a watch list to monitor the device more closely for potential risks. + +- **BootRevListInfo**: This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device. + + If reported BootRevListInfo version equals an accepted value, then allow access. 
+ + If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **OSRevListInfo**: This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device. + + If reported OSRevListInfo version equals an accepted value, then allow access. + + If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **HealthStatusMismatchFlags**: HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation. + + If an issue is detected, a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. + ### DHA-Report example ```xml 
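Review bot: The TestSigningEnabled bullet carries copy-paste errors that invert its guidance: the two bcdedit lines are labelled "boot debugging" although they set `testsigning`, and the corrective action reads "such as enabling test signing", which would re-enable the very state the policy is meant to remediate; change them to `- To disable test signing, type **bcdedit.exe /set {current} testsigning off**.`, `- To enable test signing, type **bcdedit.exe /set {current} testsigning on**.` and `- Trigger a corrective action, such as disabling test signing using WMI or a PowerShell script.`. The BootDebuggingEnabled bullet has the same shape of problem, its corrective action "such as enabling VSM" presumably should be "such as disabling boot debugging", since VSM is a separate data point (VSMEnabled) with its own bcdedit command later in the list. The attribute names are also spelled inconsistently within single bullets ("SecureBootEnabled" vs "SecurebootEnabled", "BootDebuggingEnabled" vs "BootdebuggingEnabled"), which matters because readers match these strings against the DHA-Report XML; use the schema spelling throughout. Finally, "Disallow access to HBI assets" and "Disallow access to HBI and MBI assets" alternate between bullets of equal severity with no stated reason, so either the distinction should be explained or the wording made uniform.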
@@ -1492,10 +1718,60 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio ``` +### HealthAttestation CSP status and error codes + +| Error Code | Error Name | Error Description | +|---|---|---| +| 0 | HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED | This state is the initial state for devices that have never participated in a DHA-Session. | +| 1 | HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED | This state signifies that MDM client's Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. | +| 2 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED | This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. | +| 3 | HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE | This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. | +| 4 | HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL | Deprecated in Windows 10, version 1607. | +| 5 | HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL | DHA-CSP failed to get a claim quote. | +| 6 | HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY | DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. | +| 7 | HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL | DHA-CSP failed in retrieving Windows AIK | +| 8 | HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL | Deprecated in Windows 10, version 1607. | +| 9 | HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION | Invalid TPM version (TPM version isn't 1.2 or 2.0) | +| 10 | HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL | Nonce wasn't found in the registry. | +| 11 | HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL | Correlation ID wasn't found in the registry. | +| 12 | HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL | Deprecated in Windows 10, version 1607. | +| 13 | HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL | Deprecated in Windows 10, version 1607. 
| +| 14 | HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL | Failure in Encoding functions. (Extremely unlikely scenario) | +| 15 | HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL | Deprecated in Windows 10, version 1607. | +| 16 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML | DHA-CSP failed to load the payload it received from DHA-Service. | +| 17 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML | DHA-CSP received a corrupted response from DHA-Service. | +| 18 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY | DHA-CSP received an empty response from DHA-Service. | +| 19 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK | DHA-CSP failed in decrypting the AES key from the EK challenge. | +| 20 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK | DHA-CSP failed in decrypting the health cert with the AES key. | +| 21 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB | DHA-CSP failed in exporting the AIK Public Key. | +| 22 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY | DHA-CSP failed in trying to create a claim with AIK attestation data. | +| 23 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB | DHA-CSP failed in appending the AIK Pub to the request blob. | +| 24 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT | DHA-CSP failed in appending the AIK Cert to the request blob. | +| 25 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE | DHA-CSP failed to obtain a Session handle. | +| 26 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE | DHA-CSP failed to connect to the DHA-Service. | +| 27 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHAND | DHA-CSP failed to create an HTTP request handle. | +| 28 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION | DHA-CSP failed to set options. | +| 29 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS | DHA-CSP failed to add request headers. 
| +| 30 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST | DHA-CSP failed to send the HTTP request. | +| 31 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE | DHA-CSP failed to receive a response from the DHA-Service. | +| 32 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS | DHA-CSP failed to query headers when trying to get HTTP status code. | +| 33 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE | DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. | +| 34 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE | DHA-CSP received an empty response along with an HTTP error code from DHA-Service. | +| 35 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER | DHA-CSP failed to impersonate user. | +| 36 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR | DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. | +| 0xFFFF | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN | DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. | +| 400 | Bad_Request_From_Client | DHA-CSP has received a bad (malformed) attestation request. | +| 404 | Endpoint_Not_Reachable | DHA-Service isn't reachable by DHA-CSP | + ## Security Considerations + DHA anchors its trust in the TPM and its measurements. If TPM measurements can be spoofed or tampered, DHA can't provide any guarantee of device health for that device. + For more information, see [PC Client TPM Certification](https://trustedcomputinggroup.org/resource/pc-client-tpm-certification/). + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 74a707236c..3870db4bb5 100644 
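Review bot: The new heading `### HealthAttestation CSP status and error codes` will render with the anchor `#healthattestation-csp-status-and-error-codes`, but the Status node description in the healthattestation-ddf.md hunk below still links to `healthattestation-csp#device-healthattestation-csp-status-and-error-codes`, so that link presumably dangles after this change; either keep "Device" in the heading or update the DDF description to the new anchor. That same DDF line also regresses the host from learn.microsoft.com (removed side) to docs.microsoft.com/en-us (added side), which is worth reverting while the link is being touched. The added Security Considerations paragraph correctly names TPM measurements as the trust anchor, but the nonce that this page's DDF documents as the MITM protection (MDM-generated, 8 to 32 bytes, hex) deserves a sentence too, e.g. `The MDM server must generate a fresh random Nonce for every DHA-Session and verify that the returned DHA-Report carries the same value; a reused or predictable nonce allows a stale report to be replayed.` The table also lists 400 and 404 alongside the CSP's internal state codes without saying they are HTTP responses from DHA-Service rather than Status node values, which the column header "Error Code" invites readers to conflate.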
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,458 +1,432 @@ --- -title: HealthAttestation DDF -description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider. -ms.reviewer: +title: HealthAttestation DDF file +description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- -# HealthAttestation DDF + +# HealthAttestation DDF file -This topic shows the OMA DM device description framework (DDF) for the **HealthAttestation** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the HealthAttestation configuration service provider. ```xml - - - - - 1.2 - $(runtime.windows)\system32\hascsp.dll - - {9DCCCE22-C057-424E-B8D1-67935988B174} - - HealthAttestation - ./Vendor/MSFT - - - - - The root node for the device HealthAttestation configuration service provider. - - - - - - - - - - - com.microsoft/1.4/MDM/HealthAttestation - - - 10.0.10586 - 1.0 - - - - - - - - VerifyHealth - - - - - Notifies the device to prepare a device health verification request. - - - - - - - - - - - text/plain - - - - - - Status - - - - - Provides the current status of the device health request. 
For the complete list of status see https://learn.microsoft.com/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes - - - - - - - - - - - text/plain - - - - - ForceRetrieve - - - - - - False - Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. - - - - - - - - - - - text/plain - - - - false - False - - - true - True - - - - - - Certificate - - - - - Instructs the DHA-CSP to forward DHA-Data to the MDM server. - - - - - - - - - - - text/plain - - - - - Nonce - - - - - - \0 - Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. - - - - - - - - - - - text/plain - - - - - - - CorrelationID - - - - - Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. - - - - - - - - - - - text/plain - - - - - - - HASEndpoint - - - - - - has.spserv.microsoft.com. - Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. - - - - - - - - - - - text/plain - - - - - - - TpmReadyStatus - - - - - Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. 
- - - - - - - - - - - text/plain - - - 10.0.14393 - 1.1 - - - - - CurrentProtocolVersion - - - - - Provides the current protocol version that the client is using to communicate with the Health Attestation Service. - - - - - - - - - - - text/plain - - - 10.0.16299 - 1.3 - - - - - PreferredMaxProtocolVersion - - - - - - 3 - Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. - - - - - - - - - - - text/plain - - - 10.0.16299 - 1.3 - - - - - - - MaxSupportedProtocolVersion - - - - - Returns the maximum protocol version that this client can support. - - - - - - - - - - - text/plain - - - 10.0.16299 - 1.3 - - - - - TriggerAttestation - - - - - Notifies the device to trigger an attestation session asynchronously. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.4 - - - - - - - GetAttestReport - - - - - Retrieve attestation session report if exists. - - - - - - - - - - - - - - 99.9.99999 - 1.4 - - - - - AttestStatus - - - - - AttestStatus maintains the success or failure status code for the last attestation session. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.4 - - - - - GetServiceCorrelationIDs - - - - - Retrieve service correlation IDs if exist. - - - - - - - - - - - - - - 99.9.99999 - 1.4 - - - - - - - - - + +]> + + 1.2 + + + + HealthAttestation + ./Vendor/MSFT + + + + + The root node for the device HealthAttestation configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + VerifyHealth + + + + + Notifies the device to prepare a device health verification request. + + + + + + + + + + + + + + + + Status + + + + + Provides the current status of the device health request. 
For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes + + + + + + + + + + + + + + + + ForceRetrieve + + + + + + False + Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Certificate + + + + + Instructs the DHA-CSP to forward DHA-Data to the MDM server. + + + + + + + + + + + + + + + + Nonce + + + + + + \0 + Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + + + + + + + + + + + + + + + + + + CorrelationID + + + + + Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + + + + + + + + + + + + + + + + + + HASEndpoint + + + + + + has.spserv.microsoft.com. + Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + + + + + + + + + + + + + + + + + + TpmReadyStatus + + + + + Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + + CurrentProtocolVersion + + + + + Provides the current protocol version that the client is using to communicate with the Health Attestation Service. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + PreferredMaxProtocolVersion + + + + + + 3 + Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + + + MaxSupportedProtocolVersion + + + + + Returns the maximum protocol version that this client can support. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + TriggerAttestation + + + + + Notifies the device to trigger an attestation session asynchronously. + + + + + + + + + + + + + + 10.0.22000 + 1.4 + + + + + GetAttestReport + + + + + Retrieve attestation session report if exists. + + + + + + + + + + + + + + 10.0.22000 + 1.4 + + + + + AttestStatus + + + + + AttestStatus maintains the success or failure status code for the last attestation session. + + + + + + + + + + + + + + 10.0.22000 + 1.4 + + + + + GetServiceCorrelationIDs + + + + + Retrieve service correlation IDs if exist. + + + + + + + + + + + + + + 10.0.22000 + 1.4 + + + + + ``` -## Related topics +## Related articles - -[HealthAttestation configuration service provider](healthattestation-csp.md) - -  - -  +[HealthAttestation configuration service provider reference](healthattestation-csp.md) diff --git a/windows/client-management/mdm/language-pack-management-ddf-file.md b/windows/client-management/mdm/language-pack-management-ddf-file.md new file mode 100644 index 0000000000..398f64ec81 --- /dev/null +++ b/windows/client-management/mdm/language-pack-management-ddf-file.md 
@@ -0,0 +1,378 @@ +--- +title: LanguagePackManagement DDF file +description: View the XML file containing the device description framework (DDF) for the LanguagePackManagement configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + +# LanguagePackManagement DDF file + +The following XML file contains the device description framework (DDF) for the LanguagePackManagement configuration service provider. + +```xml + +]> + + 1.2 + + + + LanguagePackManagement + ./Device/Vendor/MSFT + + + + + + + CSP for managing language packs and language settings. + + + + + + + + + + + + + + 99.9.9999 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + InstalledLanguages + + + + + Languages currently installed on the device. + + + + + + + + + + + + + + + + + + + + + + Language tag of an installed language on the device. Delete to uninstall. + + + + + + + + + + Language ID + + + + + + + + + Providers + + + + + Numeric representation of how a language is installed. 1 - The system language pack is installed; 2 - The Local Experience Pack is installed; 3 - Both are installed. + + + + + + + + + + + + + + + + LanguageFeatures + + + + + Numeric representation of the language features installed. Basic Typing - 1 (0x1), Fonts - 2 (0x2), Handwriting - 4 (0x4), Speech - 8 (0x8), TextToSpeech - 16 (0x10), OCR - 32 (0x20), LocaleData - 64 (0x40), SupplementFonts - 128 (0x80). + + + + + + + + + + + + + + + + + + Install + + + + + Language to be installed or being installed. + + + + + + + + + + + + + + + + + + + + + + + Language tag of the language to be installed or being installed. 
+ + + + + + + + + + Language ID + + + + + Language tag of the language to be installed or being installed. + + + + Status + + + + + Status of the language queued for install. 0 – not started; 1 – in progress; 2 – succeeded; 3 – failed; 4 – partially succeeded. + + + + + + + + + + + + + + + + ErrorCode + + + + + Error code of queued language installation. 0 if there is no error. + + + + + + + + + + + + + + + + CopyToDeviceInternationalSettings + + + + + + + + false + Copies the language to the international settings (i.e., locale, input layout, speech recognizer, preferred UI language) of the device immediately after installation if the value is true. Default value is false. + + + + + + + + + + + + + + + false + Don't copy the language to the international settings immediately after installation. + + + true + Copy the language to the international settings immediately after installation. + + + + + + EnableLanguageFeatureInstallations + + + + + + + + true + Enables installations of all available language features when the value is true. Default value is true. + + + + + + + + + + + + + + + true + Install all available language features. + + + false + Install only the required language features. + + + + + + StartInstallation + + + + + Execution node to queue a language for installation on the device. + + + + + + + + + + + + + + + + + + LanguageSettings + + + + + Language settings of the device. + + + + + + + + + + + + + + + SystemPreferredUILanguages + + + + + + System Preferred UI Language of the device. + + + + + + + + + + + + + + + + + + + +``` + +## Related articles + +[LanguagePackManagement configuration service provider reference](language-pack-management-csp.md) diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index f5c69b2fcd..9c4f8440b5 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md 
@@ -1,512 +1,837 @@ --- -title: Local Administrator Password Solution CSP -description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords. -ms.author: jsimmons -author: jay98014 -ms.reviewer: vinpa +title: LAPS CSP +description: Learn more about the LAPS CSP. +author: vinaypamnani-msft manager: aaroncz -ms.topic: reference +ms.author: vinpa +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -ms.localizationpriority: medium -ms.date: 09/20/2022 +ms.topic: reference --- -# Local Administrator Password Solution CSP + -The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145. + +# LAPS CSP > [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + + + +The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). 
+ +> [!NOTE] > Windows LAPS currently is available only in [Windows 11 Insider Preview Build 25145 and later](/windows-insider/flight-hub/#active-development-builds-of-windows-11). Support for the Windows LAPS Azure Active Directory scenario is currently in private preview, and limited to a small number of customers who have a direct engagement with engineering. Once public preview is declared in 2023, all customers will be able to evaluate this AAD scenario. > [!TIP] > This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps). + -The following example shows the LAPS CSP in tree format. + +The following list shows the LAPS configuration service provider nodes: -```xml -./Device/Vendor/MSFT -LAPS -----Policies ---------BackupDirectory ---------PasswordAgeDays ---------PasswordLength ---------PasswordComplexity ---------PasswordExpirationProtectionEnabled ---------AdministratorAccountName ---------ADPasswordEncryptionEnabled ---------ADPasswordEncryptionPrincipal ---------ADEncryptedPasswordHistorySize ---------PostAuthenticationResetDelay ---------PostAuthenticationActions -----Actions ---------ResetPassword ---------ResetPasswordStatus +- ./Device/Vendor/MSFT/LAPS + - [Actions](#actions) + - [ResetPassword](#actionsresetpassword) + - [ResetPasswordStatus](#actionsresetpasswordstatus) + - [Policies](#policies) + - [ADEncryptedPasswordHistorySize](#policiesadencryptedpasswordhistorysize) + - [AdministratorAccountName](#policiesadministratoraccountname) + - [ADPasswordEncryptionEnabled](#policiesadpasswordencryptionenabled) + - [ADPasswordEncryptionPrincipal](#policiesadpasswordencryptionprincipal) + - [BackupDirectory](#policiesbackupdirectory) + - [PasswordAgeDays](#policiespasswordagedays) + - [PasswordComplexity](#policiespasswordcomplexity) + - 
[PasswordExpirationProtectionEnabled](#policiespasswordexpirationprotectionenabled) + - [PasswordLength](#policiespasswordlength) + - [PostAuthenticationActions](#policiespostauthenticationactions) + - [PostAuthenticationResetDelay](#policiespostauthenticationresetdelay) + + + +## Actions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions ``` - -The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2. - -|Setting name|Azure-joined|Hybrid-joined| -|---|---|---| -|BackupDirectory|Yes|Yes -|PasswordAgeDays|Yes|Yes -|PasswordLength|Yes|Yes| -|PasswordComplexity|Yes|Yes| -|PasswordExpirationProtectionEnabled|No|Yes| -|AdministratorAccountName|Yes|Yes| -|ADPasswordEncryptionEnabled|No|Yes| -|ADPasswordEncryptionPrincipal|No|Yes| -|ADEncryptedPasswordHistorySize|No|Yes| -|PostAuthenticationResetDelay|Yes|Yes| -|PostAuthenticationActions|Yes|Yes| -|ResetPassword|Yes|Yes| -|ResetPasswordStatus|Yes|Yes| - -> [!IMPORTANT] -> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). - -## ./Device/Vendor/MSFT/LAPS - -Defines the root node for the LAPS CSP. - - -### Policies - -Defines the interior parent node for all configuration-related settings in the LAPS CSP. - - - -### BackupDirectory - -Allows the administrator to configure which directory the local administrator account password is backed up to. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - -Data type is integer. Supported operations are Add, Get, Replace, and Delete. 
- - -The allowable settings are: - -|Value|Description of setting| -|--- |--- | -|0|Disabled (password won't be backed up)| -|1|Back up the password to Azure AD only| -|2|Back up the password to Active Directory only| - -If not specified, this setting will default to 0 (disabled). - - - - -### PasswordAgeDays - -Use this policy to configure the maximum password age of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, this setting will default to 30 days - -This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD. - -This setting has a maximum allowed value of 365 days. - - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordComplexity - -Use this setting to configure password complexity of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -The allowable settings are: - -|Value|Description of setting| -|--- |--- | -|1|Large letters| -|2|Large letters + small letters| -|3|Large letters + small letters + numbers| -|4|Large letters + small letters + numbers + special characters| - - -If not specified, this setting will default to 4. - -> [!IMPORTANT] -> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4. - - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordLength - -Use this setting to configure the length of the password of the managed local administrator account. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, this setting will default to 14 characters. - -This setting has a minimum allowed value of 8 characters. - -This setting has a maximum allowed value of 64 characters. - - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### AdministratorAccountName - -Use this setting to configure the name of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). - -If specified, the specified account's password will be managed. - -> [!IMPORTANT] -> If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created. - - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordExpirationProtectionEnabled - -Use this setting to configure enforcement of maximum password age for the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -When this setting is set to True, planned password expiration that would result in a password age greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy. - -If not specified, this setting defaults to True. - -> [!IMPORTANT] -> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory. 
- - -Data type is boolean. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADPasswordEncryptionEnabled - -Use this setting to configure whether the password is encrypted before being stored in Active Directory. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -This setting is ignored if the password is currently being stored in Azure. - -If this setting is set to True, and the Active Directory domain meets the 2016 DFL prerequisite, the password is encrypted before being stored in Active Directory. - -If this setting is missing or set to False, or the Active Directory domain doesn't meet the DFL prerequisite, the password is stored as clear-text in Active Directory. - -If not specified, this setting defaults to False. -> [!IMPORTANT] -> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. - - -Data type is boolean. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADPasswordEncryptionPrincipal - -Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -This setting is ignored if the password is currently being stored in Azure. - -If not specified, the password can only be decrypted by the Domain Admins group in the device's domain. - -If specified, the specified user or group will be able to decrypt the password stored in Active Directory. - -If the specified user or group account is invalid the device will fall back to using the Domain Admins group in the device's domain. 
-> [!IMPORTANT] -> The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include: -> -> "S-1-5-21-2127521184-1604012920-1887927527-35197" -> -> "contoso\LAPSAdmins" -> -> "lapsadmins@contoso.com" -> -> The principal identified (either by SID or user\group name) must exist and be resolvable by the device. - -> [!IMPORTANT] -> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. - - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADEncryptedPasswordHistorySize - + + + + + + + + +Defines the parent interior node for all action-related settings in the LAPS CSP. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Actions/ResetPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions/ResetPassword +``` + + + + +Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. + + + + +This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### Actions/ResetPasswordStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions/ResetPasswordStatus +``` + + + + +Use this setting to query the status of the last submitted ResetPassword execute action. + + + + +The value returned is an HRESULT code: + +- S_OK (0x0): The last submitted ResetPassword action succeeded. +- E_PENDING (0x8000000): The last submitted ResetPassword action is still executing. +- Other: The last submitted ResetPassword action encountered the returned error. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +## Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies +``` + + + + +Root node for LAPS policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Atomic Required | True | + + + + + + + + + +### Policies/ADEncryptedPasswordHistorySize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize +``` + + + + Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - If not specified, this setting will default to 0 passwords (disabled). This setting has a minimum allowed value of 0 passwords. This setting has a maximum allowed value of 12 passwords. + + + > [!IMPORTANT] > This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. - + -Data type is integer. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-12]` | +| Default Value | 0 | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: `2`
    Dependency Allowed Value Type: `ENUM`
    | + - -### PostAuthenticationResetDelay - -Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below). - + + + - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - + - -If not specified, this setting will default to 24 hours. + +### Policies/AdministratorAccountName -This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -This setting has a maximum allowed value of 24 hours. - + +```Device +./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName +``` + -Data type is integer. + + +Use this setting to configure the name of the managed local administrator account. -Supported operations are Add, Get, Replace, and Delete. - +If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). - -### PostAuthenticationActions - -Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above). - +If specified, the specified account's password will be managed. - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - +**Note** if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created. + - -This setting can have ONE of the following values: + + + -|Value|Name|Action(s) taken upon expiry of the grace period| -|--- |--- |--- | -|1|Reset password|The managed account password will be reset| -|3|Reset password and log off|The managed account password will be reset and any interactive logon sessions using the managed account will be terminated| -|5|Reset password and reboot|The managed account password will be reset and the managed device will be immediately rebooted.| + +**Description framework properties**: -If not specified, this setting will default to 3. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + +### Policies/ADPasswordEncryptionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled +``` + + + + +Use this setting to configure whether the password is encrypted before being stored in Active Directory. + +This setting is ignored if the password is currently being stored in Azure. + +This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. + +- If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory. + +- If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory. + +If not specified, this setting defaults to True. + + + + +> [!IMPORTANT] +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: `2`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Store the password in clear-text form in Active Directory. | +| true (Default) | Store the password in encrypted form in Active Directory. | + + + + + + + + + +### Policies/ADPasswordEncryptionPrincipal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal +``` + + + + +Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. + +This setting is ignored if the password is currently being stored in Azure. + +If not specified, the password will be decryptable by the Domain Admins group in the device's domain. + +If specified, the specified user or group will be able to decrypt the password stored in Active Directory. + +If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain. + + + + +> [!IMPORTANT] +> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include: +> +> - `S-1-5-21-2127521184-1604012920-1887927527-35197` +> - `contoso\LAPSAdmins` +> - `lapsadmins@contoso.com` +> +> The principal identified (either by SID or user\group name) must exist and be resolvable by the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: `2`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +### Policies/BackupDirectory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory +``` + + + + +Use this setting to configure which directory the local admin account password is backed up to. + +The allowable settings are: + +0=Disabled (password will not be backed up) +1=Backup the password to Azure AD only +2=Backup the password to Active Directory only + +If not specified, this setting will default to 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (password will not be backed up). | +| 1 | Backup the password to Azure AD only. | +| 2 | Backup the password to Active Directory only. | + + + + + + + + + +### Policies/PasswordAgeDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays +``` + + + + +Use this policy to configure the maximum password age of the managed local administrator account. + +If not specified, this setting will default to 30 days + +This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD. + +This setting has a maximum allowed value of 365 days. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-365]` | +| Default Value | 30 | +| Dependency [BackupDirectoryAADMode BackupDirectoryADMode] | Dependency Type: `DependsOn DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: ` `
    Dependency Allowed Value Type: `ENUM ENUM`
    | + + + + + + + + + +### Policies/PasswordComplexity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity +``` + + + + +Use this setting to configure password complexity of the managed local administrator account. + +The allowable settings are: + +1=Large letters +2=Large letters + small letters +3=Large letters + small letters + numbers +4=Large letters + small letters + numbers + special characters + +If not specified, this setting will default to 4. + + + + +> [!IMPORTANT] +> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 4 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Large letters. | +| 2 | Large letters + small letters. | +| 3 | Large letters + small letters + numbers. | +| 4 (Default) | Large letters + small letters + numbers + special characters. | + + + + + + + + + +### Policies/PasswordExpirationProtectionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled +``` + + + + +Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. + +When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy. + +If not specified, this setting defaults to True. + + + + +> [!IMPORTANT] +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: `2`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Allow configured password expiriration timestamp to exceed maximum password age. | +| true (Default) | Do not allow configured password expiriration timestamp to exceed maximum password age. | + + + + + + + + + +### Policies/PasswordLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordLength +``` + + + + +Use this setting to configure the length of the password of the managed local administrator account. + +If not specified, this setting will default to 14 characters. + +This setting has a minimum allowed value of 8 characters. + +This setting has a maximum allowed value of 64 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[8-64]` | +| Default Value | 14 | + + + + + + + + + +### Policies/PostAuthenticationActions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions +``` + + + + +Use this setting to specify the actions to take upon expiration of the configured grace period. + +If not specified, this setting will default to 3 (Reset the password and logoff the managed account). + + + + > [!IMPORTANT] > The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss. > [!IMPORTANT] > From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms. - + -Data type is integer. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + - -## Actions + +**Allowed values**: -Defines the parent interior node for all action-related settings in the LAPS CSP. - +| Value | Description | +|:--|:--| +| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. | +| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. | +| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. 
| + - -### ResetPassword - -Use this Execute action to request an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc. - + + + - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - + - + +### Policies/PostAuthenticationResetDelay - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -Data type is integer. + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay +``` + -Supported operations are Execute. - + + +Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. - -### ResetPasswordStatus - -Use this setting to query the status of the last submitted ResetPassword action. - +If not specified, this setting will default to 24 hours. - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - +This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). - -The value returned is an HRESULT code. +This setting has a maximum allowed value of 24 hours. + -S_OK (0x0) - the last submitted ResetPassword action succeeded. + + + -E_PENDING (0x8000000) - the last submitted ResetPassword action is still executing. + +**Description framework properties**: -other - the last submitted ResetPassword action encountered the returned error. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-24]` | +| Default Value | 24 | + -Data type is integer. + + + -Supported operations are Get. - + -### SyncML examples + + +## Settings Applicability -The following examples are provided to show proper format and shouldn't be taken as a recommendation. +The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2. 
-#### Azure-joined device backing password up to Azure AD +| Setting name | Azure-joined | Hybrid-joined | +|-------------------------------------|--------------|---------------| +| BackupDirectory | Yes | Yes | +| PasswordAgeDays | Yes | Yes | +| PasswordLength | Yes | Yes | +| PasswordComplexity | Yes | Yes | +| PasswordExpirationProtectionEnabled | No | Yes | +| AdministratorAccountName | Yes | Yes | +| ADPasswordEncryptionEnabled | No | Yes | +| ADPasswordEncryptionPrincipal | No | Yes | +| ADEncryptedPasswordHistorySize | No | Yes | +| PostAuthenticationResetDelay | Yes | Yes | +| PostAuthenticationActions | Yes | Yes | +| ResetPassword | Yes | Yes | +| ResetPasswordStatus | Yes | Yes | -This example is configuring an Azure-joined device to back up its password to Azure Active Directory: +## SyncML examples + +The following examples are provided to show the correct format and shouldn't be considered as a recommendation. + +### Azure-joined device backing password up to Azure AD + +This example shows how to configure an Azure-joined device to back up its password to Azure Active Directory: ```xml @@ -605,9 +930,9 @@ This example is configuring an Azure-joined device to back up its password to Az ``` -#### Hybrid-joined device backing password up to Active Directory +### Hybrid-joined device backing password up to Active Directory -This example is configuring a hybrid device to back up its password to Active Directory with password encryption enabled: +This example shows how to configure a hybrid device to back up its password to Active Directory with password encryption enabled: ```xml @@ -757,9 +1082,10 @@ This example is configuring a hybrid device to back up its password to Active Di <Final/> ``` + + + ## Related articles -[Configuration service provider reference](index.yml) - -[Windows LAPS](/windows-server/identity/laps/laps) +[Configuration service provider reference](configuration-service-provider-reference.md) 
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md
index b5ba239a7a..35784361d4 100644
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@@ -1,101 +1,88 @@ --- title: LAPS DDF file -description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider. -ms.author: jsimmons -ms.topic: article +description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: jsimmons -ms.localizationpriority: medium -ms.date: 07/04/2022 -ms.reviewer: jsimmons -manager: jsimmons +ms.topic: reference --- -# Local Administrator Password Solution DDF file + -This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider. +# LAPS DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the LAPS configuration service provider. ```xml - - - - - 1.2 - "%windir%\system32\LapsCSP.dll - - {298a6f17-03e7-4bd4-971c-544f359527b7} + +]> + + 1.2 + + + + LAPS + ./Device/Vendor/MSFT + + + + + The root node for the LAPS configuration service provider. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Policies + + + + + Root node for LAPS policies. + + + + + + + + + + Policies + + + + + - LAPS - ./Device/Vendor/MSFT + BackupDirectory + + + - The root node for the LAPS configuration service provider. - - - - - - - - - - - - - - 99.9.99999 - 1.0 - - - - - - - Policies - - - - - Root node for LAPS policies. 
- - - - - - - - - - Policies - - - - - - - BackupDirectory - - - - - - - - 0 - Use this setting to configure which directory the local admin account password is backed up to. + 0 + Use this setting to configure which directory the local admin account password is backed up to. The allowable settings are: 
@@ -104,95 +91,109 @@ The allowable settings are: 2=Backup the password to Active Directory only If not specified, this setting will default to 0. - - - - - - - - - - - text/plain - - - - 0 - Disabled (password will not be backed up) - - - 1 - Backup the password to Azure AD only - - - 2 - Backup the password to Active Directory only - - - - - - PasswordAgeDays - - - - - - - - 30 - Use this policy to configure the maximum password age of the managed local administrator account. + + + + + + + + + + + + + + + 0 + Disabled (password will not be backed up) + + + 1 + Backup the password to Azure AD only + + + 2 + Backup the password to Active Directory only + + + + + + PasswordAgeDays + + + + + + + + 30 + Use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD. This setting has a maximum allowed value of 365 days. - - - - - - - - - - - text/plain - - - [1-365] - - - - - [7-365] - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 1 - BackupDirectory configured to Azure AD - - - - - - - - - PasswordComplexity - - - - - - - - 4 - Use this setting to configure password complexity of the managed local administrator account. + + + + + + + + + + + + + + [1-365] + + + + + [7-365] + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 1 + BackupDirectory configured to Azure AD + + + + + + + [1-365] + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + PasswordComplexity + + + + + + + + 4 + Use this setting to configure password complexity of the managed local administrator account. The allowable settings are: 
@@ -202,165 +203,165 @@ The allowable settings are: 4=Large letters + small letters + numbers + special characters If not specified, this setting will default to 4. - - - - - - - - - - - text/plain - - - - 1 - Large letters - - - 2 - Large letters + small letters - - - 3 - Large letters + small letters + numbers - - - 4 - Large letters + small letters + numbers + special characters - - - - - - PasswordLength - - - - - - - - 14 - Use this setting to configure the length of the password of the managed local administrator account. + + + + + + + + + + + + + + + 1 + Large letters + + + 2 + Large letters + small letters + + + 3 + Large letters + small letters + numbers + + + 4 + Large letters + small letters + numbers + special characters + + + + + + PasswordLength + + + + + + + + 14 + Use this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters. This setting has a maximum allowed value of 64 characters. - - - - - - - - - - - text/plain - - - [8-64] - - - - - AdministratorAccountName - - - - - - - - Use this setting to configure the name of the managed local administrator account. + + + + + + + + + + + + + + [8-64] + + + + + AdministratorAccountName + + + + + + + + Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). If specified, the specified account's password will be managed. Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created. 
- - - - - - - - - - - text/plain - - - - - PasswordExpirationProtectionEnabled - - - - - - - - True - Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. + + + + + + + + + + + + + + + + PasswordExpirationProtectionEnabled + + + + + + + + True + Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy. If not specified, this setting defaults to True. - - - - - - - - - - - text/plain - - - - false - Allow configured password expiriration timestamp to exceed maximum password age - - - true - Do not allow configured password expiriration timestamp to exceed maximum password age - - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADPasswordEncryptionEnabled - - - - - - - - False - Use this setting to configure whether the password is encrypted before being stored in Active Directory. + + + + + + + + + + + + + + + false + Allow configured password expiriration timestamp to exceed maximum password age + + + true + Do not allow configured password expiriration timestamp to exceed maximum password age + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADPasswordEncryptionEnabled + + + + + + + + True + Use this setting to configure whether the password is encrypted before being stored in Active Directory. This setting is ignored if the password is currently being stored in Azure. 
@@ -370,54 +371,54 @@ If this setting is enabled, and the Active Directory domain meets the DFL prereq If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory. -If not specified, this setting defaults to False. - - - - - - - - - - - text/plain - - - - false - Store the password in clear-text form in Active Directory - - - true - Store the password in encrypted form in Active Directory - - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADPasswordEncryptionPrincipal - - - - - - - - Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. +If not specified, this setting defaults to True. + + + + + + + + + + + + + + + false + Store the password in clear-text form in Active Directory + + + true + Store the password in encrypted form in Active Directory + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADPasswordEncryptionPrincipal + + + + + + + + Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. This setting is ignored if the password is currently being stored in Azure. 
@@ -426,229 +427,226 @@ If not specified, the password will be decryptable by the Domain Admins group in If specified, the specified user or group will be able to decrypt the password stored in Active Directory. If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain. - - - - - - - - - - - text/plain - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADEncryptedPasswordHistorySize - - - - - - - - 0 - Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. + + + + + + + + + + + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADEncryptedPasswordHistorySize + + + + + + + + 0 + Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. If not specified, this setting will default to 0 passwords (disabled). This setting has a minimum allowed value of 0 passwords. This setting has a maximum allowed value of 12 passwords. - - - - - - - - - - - text/plain - - - [0-12] - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - PostAuthenticationResetDelay - - - - - - - - 24 - Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. + + + + + + + + + + + + + + [0-12] + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + PostAuthenticationResetDelay + + + + + + + + 24 + Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. If not specified, this setting will default to 24 hours. 
This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). This setting has a maximum allowed value of 24 hours. - - - - - - - - - - - text/plain - - - [0-24] - - - - - PostAuthenticationActions - - - - - - - - 3 - Use this setting to specify the actions to take upon expiration of the configured grace period. + + + + + + + + + + + + + + [0-24] + + + + + PostAuthenticationActions + + + + + + + + 3 + Use this setting to specify the actions to take upon expiration of the configured grace period. If not specified, this setting will default to 3 (Reset the password and logoff the managed account). - - - - - - - - - - - text/plain - - - - 1 - Reset password: upon expiry of the grace period, the managed account password will be reset. - - - 3 - Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. - - - 5 - Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. - - - - - - - Actions - - - - - - - - - - - - - - Actions - - - - - - ResetPassword - - - - - Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. - - - - - - - - - - - text/plain - - - - - - ResetPasswordStatus - - - - - 0 - Use this setting to query the status of the last submitted ResetPassword execute action. - - - - - - - - - - ResetPasswordStatus - - text/plain - - - - + + + + + + + + + + + + + + + 1 + Reset password: upon expiry of the grace period, the managed account password will be reset. + + + 3 + Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. 
+ + + 5 + Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. + + + - - - + + + Actions + + + + + + + + + + + + + + Actions + + + + + + ResetPassword + + + + + Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. + + + + + + + + + + + + + + + + ResetPasswordStatus + + + + + 0 + Use this setting to query the status of the last submitted ResetPassword execute action. + + + + + + + + + + ResetPasswordStatus + + + + + + + + ``` ## Related articles -[LAPS configuration service provider](laps-csp.md) +[LAPS configuration service provider reference](laps-csp.md) diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 4be3316fbb..44b8f2d7ae 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md 
@@ -1,29 +1,23 @@ --- title: NetworkProxy CSP -description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. +description: Learn more about the NetworkProxy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/29/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # NetworkProxy CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703. How the settings work: 
@@ -32,73 +26,330 @@ How the settings work: - If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script. - If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server. - Otherwise, the system tries to reach the site directly. + -The following shows the NetworkProxy configuration service provider in tree format. + +The following list shows the NetworkProxy configuration service provider nodes: -```console -./Vendor/MSFT -NetworkProxy -----ProxySettingsPerUser -----AutoDetect -----SetupScriptUrl -----ProxyServer ---------ProxyAddress ---------Exceptions ---------UseProxyForLocalAddresses +- ./Vendor/MSFT/NetworkProxy + - [AutoDetect](#autodetect) + - [ProxyServer](#proxyserver) + - [Exceptions](#proxyserverexceptions) + - [ProxyAddress](#proxyserverproxyaddress) + - [UseProxyForLocalAddresses](#proxyserveruseproxyforlocaladdresses) + - [ProxySettingsPerUser](#proxysettingsperuser) + - [SetupScriptUrl](#setupscripturl) + + + +## AutoDetect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/AutoDetect ``` + -**./Vendor/MSFT/NetworkProxy** -The root node for the NetworkProxy configuration service provider. - -**ProxySettingsPerUser** -Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide. - -Supported operations are Add, Get, Replace, and Delete. - -> [!Note] -> Per user proxy configuration setting is not supported using a configuration file, only modifying registry settings on a local machine. - -**AutoDetect** + + Automatically detect settings. If enabled, the system tries to find the path to a PAC script. + -Valid values: + + + -- 0 - Disabled -- 1 (default) - Enabled + +**Description framework properties**: -The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Delete, Get, Replace | +| Default Value | 1 | + -**SetupScriptUrl** -Address to the PAC script you want to use. + +**Allowed values**: -The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + -**ProxyServer** + + + + + + + +## ProxyServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/ProxyServer +``` + + + + Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. + -Supported operation is Get. + + + -**ProxyAddress** -Address to the proxy server. Specify an address in the format <server>[“:”<port>].  + +**Description framework properties**: -The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Exceptions** -Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries.  + + + -The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. + -**UseProxyForLocalAddresses** -Specifies whether the proxy server should be used for local (intranet) addresses.  + +### ProxyServer/Exceptions -Valid values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -- 0 (default) - Use proxy server for local addresses -- 1 - Do not use proxy server for local addresses + +```Device +./Vendor/MSFT/NetworkProxy/ProxyServer/Exceptions +``` + -The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. + + +Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. + -## Configuration Example + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + + + + + + +### ProxyServer/ProxyAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/ProxyServer/ProxyAddress +``` + + + + +Address to the proxy server. Specify an address in the format ``[":"``]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | + + + + + + + + + +### ProxyServer/UseProxyForLocalAddresses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/ProxyServer/UseProxyForLocalAddresses +``` + + + + +Specifies whether the proxy server should be used for local (intranet) addresses. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Use proxy server for local addresses. | +| 1 | Do not use proxy server for local addresses. | + + + + + + + + + +## ProxySettingsPerUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/ProxySettingsPerUser +``` + + + + +When set to 0, it enables proxy configuration as global, machine wide. + + + + +> [!NOTE] +> Per user proxy configuration setting is not supported using a configuration file, only modifying registry settings on a local machine. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Proxy configuration is global, machine wide. | +| 1 (Default) | Proxy configuration is per user. | + + + + + + + + + +## SetupScriptUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/SetupScriptUrl +``` + + + + +Address to the PAC script you want to use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | + + + + + + + + + + +## Examples These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace. Only enter the portion of code needed in the **Replace** section. @@ -149,3 +400,10 @@ These generic code portions for the options **ProxySettingsPerUser**, **Autodete ``` + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index b83fb6eab6..06042fcea6 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md 
@@ -1,178 +1,262 @@ --- title: NetworkProxy DDF file -description: AppNetworkProxyLocker DDF file +description: View the XML file containing the device description framework (DDF) for the NetworkProxy configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # NetworkProxy DDF file -This topic shows the OMA DM device description framework (DDF) for the **NetworkProxy** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the NetworkProxy configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + NetworkProxy + ./Vendor/MSFT + + + + + The root node for the NetworkProxy configuration service provider. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - NetworkProxy - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.0/MDM/NetworkProxy - - - - AutoDetect - - - - - - 1 - - - - - - - - - - - text/plain - - - - - SetupScriptUrl - - - - - - - - - - - - - - - - text/plain - - - - - ProxyServer - - - - - - - - - - - - - - - - - - - ProxyAddress - - - - - - - - - - - - - - - - text/plain - - - - - Exceptions - - - - - - - - - - - - - - - - text/plain - - - - - UseProxyForLocalAddresses - - - - - - 0 - - - - - - - - - - - text/plain - - - - + ProxySettingsPerUser + + + + + + + 1 + When set to 0, it enables proxy configuration as global, machine wide. 
+ + + + + + + + + + + + + + 10.0.17134 + 1.0 + + + + 0 + Proxy configuration is global, machine wide. + + + 1 + Proxy configuration is per user. + + + + + AutoDetect + + + + + + + 1 + Automatically detect settings. If enabled, the system tries to find the path to a PAC script. + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + + + + SetupScriptUrl + + + + + + + Address to the PAC script you want to use. + + + + + + + + + + + + + + + + + + ProxyServer + + + + + Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. + + + + + + + + + + + + + + + ProxyAddress + + + + + + + [“:”]. ]]> + + + + + + + + + + + + + + + + + + Exceptions + + + + + + + Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. + + + + + + + + + + + + + + + + + + + UseProxyForLocalAddresses + + + + + + + 0 + Specifies whether the proxy server should be used for local (intranet) addresses. Valid values: + + + + + + + + + + + + + + + 0 + Use proxy server for local addresses + + + 1 + Do not use proxy server for local addresses + + + + + + ``` + +## Related articles + +[NetworkProxy configuration service provider reference](networkproxy-csp.md) diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 70a952ccd4..6d224dd68d 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md 
@@ -1,139 +1,381 @@ --- title: NetworkQoSPolicy CSP -description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. +description: Learn more about the NetworkQoSPolicy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/22/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # NetworkQoSPolicy CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. The following conditions are supported: + - Network traffic from a specific application name - Network traffic from specific source or destination ports - Network traffic from a specific IP protocol (TCP, UDP, or both) The following actions are supported: + - Layer 2 tagging using a IEEE 802.1p priority value - Layer 3 tagging using a differentiated services code point (DSCP) value > [!NOTE] > The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices: +> > - Azure AD Hybrid joined devices. > - Devices that use both GPO and CSP at the same time. > > The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703. 
+ -The following example shows the NetworkQoSPolicy configuration service provider in tree format. + +The following list shows the NetworkQoSPolicy configuration service provider nodes: + +- ./Device/Vendor/MSFT/NetworkQoSPolicy + - [{Name}](#name) + - [AppPathNameMatchCondition](#nameapppathnamematchcondition) + - [DestinationPortMatchCondition](#namedestinationportmatchcondition) + - [DSCPAction](#namedscpaction) + - [IPProtocolMatchCondition](#nameipprotocolmatchcondition) + - [PriorityValue8021Action](#namepriorityvalue8021action) + - [SourcePortMatchCondition](#namesourceportmatchcondition) + - [Version](#version) + + + +## {Name} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name} ``` -./Device/Vendor/MSFT -NetworkQoSPolicy -----Version -----Name ---------IPProtocolMatchCondition ---------AppPathNameMatchCondition ---------SourcePortMatchCondition ---------DestinationPortMatchCondition ---------PriorityValue8021Action ---------DSCPAction + + + + +The value of this node should be a policy name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: The value of this node should be a policy name. | + + + + + + + + + +### {Name}/AppPathNameMatchCondition + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/AppPathNameMatchCondition ``` -**NetworkQoSPolicy** -

    The root node for the NetworkQoSPolicy configuration service provider.

    + -**Version** -

    Specifies the version information. + + +Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. + -

    The data type is int. + + + -

    The only supported operation is Get. + +**Description framework properties**: -***Name*** -

    Node for the QoS policy name. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -***Name*/IPProtocolMatchCondition** -

    Specifies the IP protocol used to match the network traffic. + + + -

    Valid values are: + -- 0 (default) - Both TCP and UDP -- 1 - TCP -- 2 - UDP + +### {Name}/DestinationPortMatchCondition -

    The data type is int. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + -

    The supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/DestinationPortMatchCondition +``` + -***Name*/AppPathNameMatchCondition** -

    Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`. + + +Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + -

    The data type is char. + + + -

    The supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -***Name*/SourcePortMatchCondition** -

    Specifies a single port or a range of ports to be used to match the network traffic source. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -

    Valid values are: + + + -- A range of source ports: _[first port number]_-_[last port number]_ -- A single source port: _[port number]_ + -

    The data type is char. + +### {Name}/DSCPAction -

    The supported operations are Add, Get, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + -***Name*/DestinationPortMatchCondition** -

    Specifies a single source port or a range of ports to be used to match the network traffic destination. + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/DSCPAction +``` + -

    Valid values are: + + +The differentiated services code point (DSCP) value to apply to matching network traffic. Valid values are 0-63. + -- A range of destination ports: _[first port number]_-_[last port number]_ -- A single destination port: _[port number]_ + + + -

    The data type is char. + +**Description framework properties**: -

    The supported operations are Add, Get, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-63]` | + -***Name*/PriorityValue8021Action** -

    Specifies the IEEE 802.1p priority value to apply to matching network traffic. + + + -

    Valid values are 0-7. + -

    The data type is int. + +### {Name}/IPProtocolMatchCondition -

    The supported operations are Add, Get, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + -***Name*/DSCPAction** -

    The Differentiated Services Code Point (DSCP) value to apply to matching network traffic. + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/IPProtocolMatchCondition +``` + -

    Valid values are 0-63. + + +Specifies the IP protocol used to match the network traffic. Valid values are 0: Both TCP and UDP (default), 1: TCP, 2: UDP. + -

    The data type is int. + + + -

    The supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -## Related topics + + + -Read more about the XML DDF structure to create this policy by following the links below: + -- [More Information about DDF and structure](networkqospolicy-ddf.md) -- [CSP DDF files download](configuration-service-provider-ddf.md) + +### {Name}/PriorityValue8021Action + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/PriorityValue8021Action +``` + + + + +The IEEE 802.1p value to apply to matching network traffice. Valid values are 0-7. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-7]` | + + + + + + + + + +### {Name}/SourcePortMatchCondition + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/SourcePortMatchCondition +``` + + + + +Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/Version +``` + + + + +Version information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index f90310942f..c2846f500d 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md 
@@ -1,285 +1,273 @@ --- -title: NetworkQoSPolicy DDF -description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +title: NetworkQoSPolicy DDF file +description: View the XML file containing the device description framework (DDF) for the NetworkQoSPolicy configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- -# NetworkQoSPolicy DDF + -This topic shows the OMA DM device description framework (DDF) for the **NetworkQoSPolicy** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# NetworkQoSPolicy DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the NetworkQoSPolicy configuration service provider. ```xml -]> +]> 1.2 + + + + NetworkQoSPolicy + ./Device/Vendor/MSFT + + + + + The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004. + + + + + + + + + + + + + + 10.0.19042 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Version + + + + + Version information. + + + + + + + + + + Version + + + + + + + + + + + + + + + + The value of this node should be a policy name. 
+ + + + + + + + + + Name + + + + + The value of this node should be a policy name. + + - NetworkQoSPolicy - ./Device/Vendor/MSFT + IPProtocolMatchCondition + + + + 0 + Specifies the IP protocol used to match the network traffic. Valid values are 0: Both TCP and UDP (default), 1: TCP, 2: UDP. - + - + - + + IPProtocolMatchCondition - com.microsoft/1.0/MDM/NetworkQoSPolicy - + - - Version - - - - - Version information. - - - - - - - - - - Version - - text/plain - - - - - - - - - - - - - The value of this node should be a policy name. - - - - - - - - - - Name - - - - - - PolicyStore - - - - - - - - The location where the QoS policy is stored. - - - - - - - - - - PolicyStore - - text/plain - - - - - IPProtocolMatchCondition - - - - - - - - 0 - Specifies the IP protocol used to match the network traffic. Valid values are 0: Both TCP and UDP (default), 1: TCP, 2: UDP. - - - - - - - - - - IPProtocolMatchCondition - - text/plain - - - - - AppPathNameMatchCondition - - - - - - - - Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. - - - - - - - - - - AppPathNameMatchCondition - - text/plain - - - - - SourcePortMatchCondition - - - - - - - - Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. - - - - - - - - - - SourcePortMatchCondition - - text/plain - - - - - DestinationPortMatchCondition - - - - - - - - Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. - - - - - - - - - - DestinationPortMatchCondition - - text/plain - - - - - PriorityValue8021Action - - - - - - - - The IEEE 802.1p value to apply to matching network traffice. Valid values are 0-7. 
- - - - - - - - - - PriorityValue8021Action - - text/plain - - - - - DSCPAction - - - - - - - - The differentiated services code point (DSCP) value to apply to matching network traffic. Valid values are 0-63. - - - - - - - - - - DSCPAction - - text/plain - - - - + + AppPathNameMatchCondition + + + + + + + + Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. + + + + + + + + + + AppPathNameMatchCondition + + + + + + + + + SourcePortMatchCondition + + + + + + + + Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + + + + + + + + + + SourcePortMatchCondition + + + + + + + + + DestinationPortMatchCondition + + + + + + + + Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + + + + + + + + + + DestinationPortMatchCondition + + + + + + + + + PriorityValue8021Action + + + + + + + + The IEEE 802.1p value to apply to matching network traffice. Valid values are 0-7. + + + + + + + + + + PriorityValue8021Action + + + + + [0-7] + + + + + DSCPAction + + + + + + + + The differentiated services code point (DSCP) value to apply to matching network traffic. Valid values are 0-63. + + + + + + + + + + DSCPAction + + + + + [0-63] + + + + + ``` -  - -  - - - - - +## Related articles +[NetworkQoSPolicy configuration service provider reference](networkqospolicy-csp.md) diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index b7fa0fbc34..e3a206ff86 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md 
@@ -1,29 +1,23 @@ --- title: NodeCache CSP -description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache. -ms.reviewer: +description: Learn more about the NodeCache CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # NodeCache CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes. NodeCache supports the comparison of hash values instead of actual node values: 
@@ -35,90 +29,345 @@ application/x-nodemon-sha256 ``` NodeCache will hash the values and compare with a hash value that was sent down by the server. This process supports checking a parent node and its children recursively. + -The following example shows the NodeCache configuration service provider in tree format. + +The following list shows the NodeCache configuration service provider nodes: + +- ./Device/Vendor/MSFT/NodeCache + - [{ProviderID}](#deviceproviderid) + - [CacheVersion](#deviceprovideridcacheversion) + - [ChangedNodes](#deviceprovideridchangednodes) + - [ChangedNodesData](#deviceprovideridchangednodesdata) + - [Nodes](#deviceprovideridnodes) + - [{NodeID}](#deviceprovideridnodesnodeid) + - [AutoSetExpectedValue](#deviceprovideridnodesnodeidautosetexpectedvalue) + - [ExpectedValue](#deviceprovideridnodesnodeidexpectedvalue) + - [NodeURI](#deviceprovideridnodesnodeidnodeuri) +- ./User/Vendor/MSFT/NodeCache + - [{ProviderID}](#userproviderid) + - [CacheVersion](#userprovideridcacheversion) + - [ChangedNodes](#userprovideridchangednodes) + - [ChangedNodesData](#userprovideridchangednodesdata) + - [Nodes](#userprovideridnodes) + - [{NodeID}](#userprovideridnodesnodeid) + - [AutoSetExpectedValue](#userprovideridnodesnodeidautosetexpectedvalue) + - [ExpectedValue](#userprovideridnodesnodeidexpectedvalue) + - [NodeURI](#userprovideridnodesnodeidnodeuri) + + + +## Device/{ProviderID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID} ``` -./User/Vendor/MSFT -NodeCache -----ProviderID ---------CacheVersion ---------ChangedNodes ---------ChangedNodesData ---------Nodes -------------NodeID -----------------NodeURI -----------------ExpectedValue -----------------AutoSetExpectedValue + + + +Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the [w7 APPLICATION](w7-application-csp.md) configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. + -./Device/Vendor/MSFT -NodeCache -----ProviderID ---------CacheVersion ---------ChangedNodes ---------ChangedNodesData ---------Nodes -------------NodeID -----------------NodeURI -----------------ExpectedValue -----------------AutoSetExpectedValue + + + + +**Description framework properties**: -./User/Vendor/MSFT -./Device/Vendor/MSFT -NodeCache -----ProviderID ---------CacheVersion ---------ChangedNodes ---------ChangedNodesData ---------Nodes -------------NodeID -----------------NodeURI -----------------ExpectedValue -----------------AutoSetExpectedValue +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. | + + + + + + + + + +### Device/{ProviderID}/CacheVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/CacheVersion ``` -**./Device/Vendor/MSFT and ./User/Vendor/MSFT** -Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax. + -***ProviderID*** -Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic. + + +Character string representing the cache version set by the server. + -Supported operations are Get, Add, and Delete. + + + -***ProviderID*/CacheVersion** -Optional. Character string representing the cache version set by the server. Scope is dynamic. + +**Description framework properties**: -Data type is string. Supported operations are Get, Add, and Replace. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -***ProviderID*/ChangedNodes** -Optional. List of nodes whose values don't match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic. + + + -Data type is string. Supported operation is Get. + -***ProviderID*/ChangedNodesData** -Added in Windows 10, version 1703. Optional. XML containing nodes whose values don't match their expected values as specified in /NodeID/ExpectedValue. + +### Device/{ProviderID}/ChangedNodes -Supported operation is Get. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -***ProviderID*/Nodes** -Required. Root node for cached nodes. Scope is dynamic. + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/ChangedNodes +``` + -Supported operation is Get. + + +List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + -**/Nodes/***NodeID* -Optional. Information about each cached node is stored under *NodeID* as specified by the server. This value must not contain a comma. Scope is dynamic. + + + -Supported operations are Get, Add, and Delete. + +**Description framework properties**: -**/*NodeID*/NodeURI** -Required. This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. Scope is dynamic. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Data type is string. Supported operations are Get, Add, and Delete. + + + -**/*NodeID*/ExpectedValue** -Required. The server expects this value to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent. + -Supported operations are Get, Add, and Delete. + +### Device/{ProviderID}/ChangedNodesData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/ChangedNodesData +``` + + + + +XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + + + + + + + + + +### Device/{ProviderID}/Nodes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes +``` + + + + +Root node for cached nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProviderID}/Nodes/{NodeID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID} +``` + + + + +Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +##### Device/{ProviderID}/Nodes/{NodeID}/AutoSetExpectedValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/AutoSetExpectedValue +``` + + + + +This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/{ProviderID}/Nodes/{NodeID}/ExpectedValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/ExpectedValue +``` + + + + +This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. + + + + +Supported values are string and x-nodemon-nonexistent. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + +**Example**: Here's an example for setting the ExpectedValue to nonexistent. @@ -127,7 +376,7 @@ Here's an example for setting the ExpectedValue to nonexistent. 10 - ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue + ./Device/Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue chr @@ -136,60 +385,449 @@ Here's an example for setting the ExpectedValue to nonexistent. ``` + -**/*NodeID*/AutoSetExpectedValue** -Added in Windows 10, version 1703. Required. This parameter's value automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI. + -Supported operations are Add, Get, and Delete. + +##### Device/{ProviderID}/Nodes/{NodeID}/NodeURI + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/NodeURI +``` + + + + +This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + + + + + + +## User/{ProviderID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID} +``` + + + + +Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the [w7 APPLICATION](w7-application-csp.md) configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. | + + + + + + + + + +### User/{ProviderID}/CacheVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/CacheVersion +``` + + + + +Character string representing the cache version set by the server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +### User/{ProviderID}/ChangedNodes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/ChangedNodes +``` + + + + +List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### User/{ProviderID}/ChangedNodesData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/ChangedNodesData +``` + + + + +XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + + + + + + + + + +### User/{ProviderID}/Nodes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes +``` + + + + +Root node for cached nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProviderID}/Nodes/{NodeID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID} +``` + + + + +Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +##### User/{ProviderID}/Nodes/{NodeID}/AutoSetExpectedValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/AutoSetExpectedValue +``` + + + + +This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### User/{ProviderID}/Nodes/{NodeID}/ExpectedValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/ExpectedValue +``` + + + + +This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. + + + + +Supported values are string and x-nodemon-nonexistent. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + +**Example**: + +Here's an example for setting the ExpectedValue to nonexistent. + +```xml + + 10 + + + ./User/Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue + + + chr + application/x-nodemon-nonexistent + + + +``` + + + + + +##### User/{ProviderID}/Nodes/{NodeID}/NodeURI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/NodeURI +``` + + + + +This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + + + + + + + ## A typical DM session with the NodeCache configuration service provider - -1. The device connects to a DM server. - -2. The server queries the **NodeCache** version by issuing a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/CacheVersion LocURI - -3. If the device **CacheVersion** and the server-side cache differ (due to a device crash or server crash), the server can clear the server-side cache and go to Step 5. - -4. The server updates the server-side cache: - - 1. Sends a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/ChangedNodes LocURI - - 2. Response is a list of changed node IDs. Each ID in the list corresponds to a node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes root - - 3. For each node in the invalid nodes list, the server sends a `GET` command to retrieve the actual value of the node. For example, `GET `, where `NodeURI` is a full device LocURI that corresponds to the invalid cache node. - - 4. Nodes in the server-side cache are updated with the actual values received from the device. - - 5. For each updated node, a `REPLACE` command is sent to the device to update the device-side cache: - - `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/Nodes/NodeID/ExpectedValue => ActualValue` - - 6. A new cache version is created and sent to the device: - - `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/CacheVersion => new_version` - - The `new_version` value is stored by the server. - -5. 
The management server retrieves the corresponding value from the server-side cache: - - 1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device. - - 2. If a value doesn't exist in the server-side cache, do the following tasks: - - 1. Create a new entry with a unique *NodeID* in the server-side cache. - - 2. Query the device to retrieve the actual value of the URI. - - 3. Create a new node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes with *NodeID* value. - - 4. Set up **NodeURI** and **ExpectedValue** for the ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes/*NodeID* node. - - 5. Update the **CachedNodes** version. +1. The device connects to a DM server. +2. The server queries the **NodeCache** version by issuing a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/CacheVersion LocURI +3. If the device **CacheVersion** and the server-side cache differ (due to a device crash or server crash), the server can clear the server-side cache and go to Step 5. +4. The server updates the server-side cache: + 1. Sends a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/ChangedNodes LocURI + 2. Response is a list of changed node IDs. Each ID in the list corresponds to a node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes root + 3. For each node in the invalid nodes list, the server sends a `GET` command to retrieve the actual value of the node. For example, `GET `, where `NodeURI` is a full device LocURI that corresponds to the invalid cache node. + 4. Nodes in the server-side cache are updated with the actual values received from the device. + 5. For each updated node, a `REPLACE` command is sent to the device to update the device-side cache: + `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/Nodes/NodeID/ExpectedValue => ActualValue` + 6. 
A new cache version is created and sent to the device: + `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/CacheVersion => new_version` + The `new_version` value is stored by the server. +5. The management server retrieves the corresponding value from the server-side cache: + 1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device. + 2. If a value doesn't exist in the server-side cache, do the following tasks: + 1. Create a new entry with a unique *NodeID* in the server-side cache. + 2. Query the device to retrieve the actual value of the URI. + 3. Create a new node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes with *NodeID* value. + 4. Set up **NodeURI** and **ExpectedValue** for the ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes/*NodeID* node. + 5. Update the **CachedNodes** version. ## OMA DM examples - Creating settings for node caching: ```xml 
@@ -346,44 +984,45 @@ Replacing the cache version, node URI, and expected value: For AutoSetExpectedValue, a Replace operation with empty data will query the ./DevDetail/Ext/Microsoft/DeviceName. ```xml - - 2001 - - - ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20 - - - node - - - - - 2002 - - - ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/NodeURI - - ./DevDetail/Ext/Microsoft/DeviceName - - - - 2003 - - - ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/AutoSetExpectedValue - - - - + + 2001 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20 + + + node + + + + + 2002 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/NodeURI + + ./DevDetail/Ext/Microsoft/DeviceName + + + + 2003 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/AutoSetExpectedValue + + + + ``` -A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue returns what the Device Name was when the AutoSet was called. +A Get operation on `./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue` returns what the Device Name was when the AutoSet was called. A Get operation on the ChangedNodesData returns an encoded XML. Here's an example: ```xml U09NRU5FV1ZBTFVF ``` + It represents this example: ```xml @@ -397,19 +1036,10 @@ Id is the node ID that was added by the MDM server, and Uri is the path that the If a Uri is not set, the node will always be reported as changed, as in Node ID 10. The value inside of the node tag is the actual value returned by the Uri, which means that for Node ID 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. + + -## Related topics - - -[Configuration service provider reference](index.yml) - - - - - - - - - +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) 
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index f5f3d05408..9b143a00d7 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -1,40 +1,160 @@ --- title: NodeCache DDF file -description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the NodeCache configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # NodeCache DDF file - -This topic shows the OMA DM device description framework (DDF) for the **NodeCache** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the NodeCache configuration service provider. ```xml -]> +]> 1.2 + + + + NodeCache + ./User/Vendor/MSFT + + + + + The root node for the NodeCache object. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. 
+ + + + + + + + + + ProviderID + + + + + It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. + + - NodeCache - ./User/Vendor/MSFT + CacheVersion + + + + + + + Character string representing the cache version set by the server. + + + + + + + + + + + + + + + + + + ChangedNodes - The root node for the NodeCache object. + List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + + + + + + ChangedNodesData + + + + + XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + Nodes + + + + + Root node for cached nodes 
@@ -42,110 +162,53 @@ The XML below is the current version for this CSP. - + - com.microsoft/1.2/MDM/NodeCache + - + + - + - Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. + Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. - + - ProviderID + NodeID - + + + + + + - CacheVersion + NodeURI - - + + - Character string representing the cache version set by the server. + This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. - - - - - - - - text/plain - - - - - ChangedNodes - - - - - List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue - - - - - - - - - - - text/plain - - - - - ChangedNodesData - - - - - XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue - - - - - - - - - - - text/plain - - - - - Nodes - - - - - Root node for cached nodes - - - 
@@ -153,224 +216,24 @@ The XML below is the current version for this CSP. - + + + - - - - - - - - - Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. - - - - - - - - - - NodeID - - - - - - NodeURI - - - - - - - This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. - - - - - - - - - - - text/plain - - - - - ExpectedValue - - - - - - - This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. - - - - - - - - - - - text/plain - - - - - AutoSetExpectedValue - - - - - - - This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. - - - - - - - - - - - text/plain - - - - - - - - NodeCache - ./Device/Vendor/MSFT - - - - - The root node for the NodeCache object. - - - - - - - - - - - com.microsoft/1.2/MDM/NodeCache - - - - - - - - - - - Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. - - - - - - - - - - ProviderID - - - - - CacheVersion + ExpectedValue - - + + - Character string representing the cache version set by the server. + This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. 
- - - - - - - - text/plain - - - - - ChangedNodes - - - - - List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue - - - - - - - - - - - text/plain - - - - - ChangedNodesData - - - - - XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue - - - - - - - - - - - text/plain - - - - - Nodes - - - - - Root node for cached nodes - - - 
@@ -378,119 +241,300 @@ The XML below is the current version for this CSP. - + + + + + + + AutoSetExpectedValue + + + + + + + This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + - - - - - - - - - Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. - - - - - - - - - - NodeID - - - - - - NodeURI - - - - - - - This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. - - - - - - - - - - - text/plain - - - - - ExpectedValue - - - - - - - This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. - - - - - - - - - - - text/plain - - - - - AutoSetExpectedValue - - - - - - - This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. - - - - - - - - - - - text/plain - - - - + + + + NodeCache + ./Device/Vendor/MSFT + + + + + The root node for the NodeCache object. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. 
+ + + + + + + + + + ProviderID + + + + + It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. + + + + CacheVersion + + + + + + + Character string representing the cache version set by the server. + + + + + + + + + + + + + + + + + + ChangedNodes + + + + + List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + + + + + + ChangedNodesData + + + + + XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + Nodes + + + + + Root node for cached nodes + + + + + + + + + + + + + + + + + + + + + + + Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. + + + + + + + + + + NodeID + + + + + + + + + + + NodeURI + + + + + + + This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. + + + + + + + + + + + + + + + + + + ExpectedValue + + + + + + + This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. + + + + + + + + + + + + + + + + + + AutoSetExpectedValue + + + + + + + This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + + + ``` -## Related topics - - -[NodeCache configuration service provider](nodecache-csp.md) - -  - -  - - - - - +## Related articles +[NodeCache configuration service provider reference](nodecache-csp.md) diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index ce956ea412..525461336f 100644 --- a/windows/client-management/mdm/office-csp.md 
+++ b/windows/client-management/mdm/office-csp.md 
@@ -1,102 +1,521 @@ --- title: Office CSP -description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703. +description: Learn more about the Office CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/15/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Office CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365). + -This CSP was added in Windows 10, version 1703. + +The following list shows the Office configuration service provider nodes: -For more information, see [Office DDF](office-ddf.md). 
+- ./Device/Vendor/MSFT/Office + - [Installation](#deviceinstallation) + - [{id}](#deviceinstallationid) + - [FinalStatus](#deviceinstallationidfinalstatus) + - [Install](#deviceinstallationidinstall) + - [Status](#deviceinstallationidstatus) + - [CurrentStatus](#deviceinstallationcurrentstatus) +- ./User/Vendor/MSFT/Office + - [Installation](#userinstallation) + - [{id}](#userinstallationid) + - [FinalStatus](#userinstallationidfinalstatus) + - [Install](#userinstallationidinstall) + - [Status](#userinstallationidstatus) + - [CurrentStatus](#userinstallationcurrentstatus) + -The following shows the Office configuration service provider in tree format. + +## Device/Installation -```console -./Vendor/MSFT -Office -----Installation ---------id -------------Install -------------Status + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -./Device/Vendor/MSFT -Office -----Installation ---------id -------------Install -------------Status - - -./Vendor/MSFT -./Device/Vendor/MSFT -Office -----Installation ---------id -------------Install -------------Status + +```Device +./Device/Vendor/MSFT/Office/Installation ``` + -**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office** -The root node for the Office configuration service provider.

    + + +Installation options for the office CSP. + -**Installation** -Specifies the options for the Microsoft Office installation. + + + -The supported operations are Add, Delete, and Get. + +**Description framework properties**: -**Installation/_id_** -Specifies a unique identifier that represents the ID of the Microsoft Office product to install. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The supported operations are Add, Delete, and Get. + + + -**Installation/_id_/Install** -Installs Office by using the XML data specified in the configuration.xml file. + -The supported operations are Get and Execute. + +### Device/Installation/{id} -**Installation/_id_/Status** -The Microsoft Office installation status. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -The only supported operation is Get. + +```Device +./Device/Vendor/MSFT/Office/Installation/{id} +``` + -**Installation/_id_/FinalStatus** -Added in Windows 10, version 1809. Indicates the status of the Final Office 365 installation. + + +A unique identifier which represents the installation instance id. + -The only supported operation is Get. + + + -Behavior: -- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. -- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: - - When status = 0: 70 (succeeded) - - When status!= 0: 60 (failed) + +**Description framework properties**: -**Installation/CurrentStatus** -Returns an XML of current Office 365 installation status on the device. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A unique identifier which represents the installation instance id. | + -The only supported operation is Get. + + + + + + +#### Device/Installation/{id}/FinalStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Office/Installation/{id}/FinalStatus +``` + + + + +Final Office 365 installation status. + + + + +- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. +- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: + - When status = 0: 70 (succeeded) + - When status != 0: 60 (failed) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/Installation/{id}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Office/Installation/{id}/Install +``` + + + + +The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + + + + + + + +#### Device/Installation/{id}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Office/Installation/{id}/Status +``` + + + + +The installation status of the CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Device/Installation/CurrentStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Office/Installation/CurrentStatus +``` + + + + +The current Office 365 installation status on the machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/Installation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation +``` + + + + +Installation options for the office CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/Installation/{id} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/{id} +``` + + + + +A unique identifier which represents the installation instance id. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A unique identifier which represents the installation instance id. | + + + + + + + + + +#### User/Installation/{id}/FinalStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/{id}/FinalStatus +``` + + + + +Final Office 365 installation status. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/Installation/{id}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/{id}/Install +``` + + + + +The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + + + + + + + +#### User/Installation/{id}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/{id}/Status +``` + + + + +The installation status of the CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### User/Installation/CurrentStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/CurrentStatus +``` + + + + +The current Office 365 installation status on the machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + ## Examples Sample SyncML to install Microsoft 365 Apps for business Retail from current channel. @@ -147,38 +566,45 @@ To get the current status of Office 365 on the device. ```xml -    -      7 -        -          -            ./Vendor/MSFT/Office/Installation/CurrentStatus -          -        -    -    + + + 7 + + + ./Vendor/MSFT/Office/Installation/CurrentStatus + + + + + ``` ## Status code -|Status|Description|Comment| -|--- |--- |--- | -|0|Installation succeeded|OK| -|997|Installation in progress|| -|13|ERROR_INVALID_DATA
    Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure| -|1460|ERROR_TIMEOUT
    Failed to download ODT|Failure| -|1602|ERROR_INSTALL_USEREXIT
    User canceled the installation|Failure| -|1603|ERROR_INSTALL_FAILURE
    Failed any pre-req check.
  • SxS (Tried to install when 2016 MSI is installed)
  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure| -|17000|ERROR_PROCESSPOOL_INITIALIZATION
    Failed to start C2RClient|Failure| -|17001|ERROR_QUEUE_SCENARIO
    Failed to queue installation scenario in C2RClient|Failure| -|17002|ERROR_COMPLETING_SCENARIO
    Failed to complete the process. Possible reasons:
  • Installation canceled by user
  • Installation canceled by another installation
  • Out of disk space during installation
  • Unknown language ID|Failure| -|17003|ERROR_ANOTHER_RUNNING_SCENARIO
    Another scenario is running|Failure| -|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
    Possible reasons:
  • Unknown SKUs
  • Content does't exist on CDN
    • Such as trying to install an unsupported LAP, like zh-sg
    • CDN issue that content is not available
  • Signature check issue, such as failed the signature check for Office content
  • User canceled|Failure| -|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure| -|17006|ERROR_SCENARIO_CANCELLED
    Blocked update by running apps|Failure| -|17007|ERROR_REMOVE_INSTALLATION_NEEDED
    The client is requesting client clean-up in a "Remove Installation" scenario|Failure| -|17100|ERROR_HANDLING_COMMAND_LINE
    C2RClient command-line error|Failure| -|0x80004005|E_FAIL
    ODT cannot be used to install Volume license|Failure| -|0x8000ffff|E_UNEXPECTED
    Tried to uninstall when there is no C2R Office on the machine.|Failure| +| Status | Description | Comment | +|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| +| 0 | Installation succeeded | OK | +| 997 | Installation in progress | | +| 13 | ERROR_INVALID_DATA
    Cannot verify signature of the downloaded Office Deployment Tool (ODT) | Failure | +| 1460 | ERROR_TIMEOUT
    Failed to download ODT | Failure | +| 1602 | ERROR_INSTALL_USEREXIT
    User canceled the installation | Failure | +| 1603 | ERROR_INSTALL_FAILURE
    Failed any pre-req check.
  • SxS (Tried to install when 2016 MSI is installed)
  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.) | Failure | +| 17000 | ERROR_PROCESSPOOL_INITIALIZATION
    Failed to start C2RClient | Failure | +| 17001 | ERROR_QUEUE_SCENARIO
    Failed to queue installation scenario in C2RClient | Failure | +| 17002 | ERROR_COMPLETING_SCENARIO
    Failed to complete the process. Possible reasons:
  • Installation canceled by user
  • Installation canceled by another installation
  • Out of disk space during installation
  • Unknown language ID | Failure | +| 17003 | ERROR_ANOTHER_RUNNING_SCENARIO
    Another scenario is running | Failure | +| 17004 | ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
    Possible reasons:
  • Unknown SKUs
  • Content does't exist on CDN
    • Such as trying to install an unsupported LAP, like zh-sg
    • CDN issue that content is not available
  • Signature check issue, such as failed the signature check for Office content
  • User canceled | Failure | +| 17005 | ERROR_SCENARIO_CANCELLED_AS_PLANNED | Failure | +| 17006 | ERROR_SCENARIO_CANCELLED
    Blocked update by running apps | Failure | +| 17007 | ERROR_REMOVE_INSTALLATION_NEEDED
    The client is requesting client clean-up in a "Remove Installation" scenario | Failure | +| 17100 | ERROR_HANDLING_COMMAND_LINE
    C2RClient command-line error | Failure | +| 0x80004005 | E_FAIL
    ODT cannot be used to install Volume license | Failure | +| 0x8000ffff | E_UNEXPECTED
    Tried to uninstall when there is no C2R Office on the machine. | Failure |
+
+
+
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
index 9dec2a31e2..85276e8c25 100644
--- a/windows/client-management/mdm/office-ddf.md
+++ b/windows/client-management/mdm/office-ddf.md
@@ -1,61 +1,112 @@ --- -title: Office DDF -description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +title: Office DDF file +description: View the XML file containing the device description framework (DDF) for the Office configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/15/2018 +ms.topic: reference --- -# Office DDF + -This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# Office DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1809. +The following XML file contains the device description framework (DDF) for the Office configuration service provider. ```xml -]> +]> 1.2 + + + + Office + ./User/Vendor/MSFT + + + + + Root of the office CSP. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Installation + + + + + Installation options for the office CSP. + + + + + + + + + + + + + - Office - ./User/Vendor/MSFT + + + + - Root of the office CSP. + A unique identifier which represents the installation instance id. - + - + + id - com.microsoft/1.5/MDM/Office + + + A unique identifier which represents the installation instance id. + - Installation + Install + - Installation options for the office CSP. + The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. - + 
@@ -64,149 +115,21 @@ The XML below is for Windows 10, version 1809. - + + + - - - - - - - - - - A unique identifier which represents the instalation instance id. - - - - - - - - - - id - - - - - - Install - - - - - - The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. - - - - - - - - - - - text/plain - - - - - Status - - - - - The installation status of the CSP. - - - - - - - - - - - text/plain - - - - - FinalStatus - - - - - Final Office 365 installation status. - - - - - - - - - - - text/plain - - - - - - CurrentStatus - - - - - The current Office 365 installation status on the machine - - - - - - - - - - - text/plain - - - - - - Office - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.5/MDM/Office - - - Installation + Status + The installation status of the CSP. - + 
@@ -215,117 +138,237 @@ The XML below is for Windows 10, version 1809. - + - - id - - - - - - - A unique identifier which represents the instalation instance id. - - - - - - - - - - id - - - - - - Install - - - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - FinalStatus - - - - - Final Office 365 installation status. - - - - - - - - - - - text/plain - - - - - - CurrentStatus - - - - - The current Office 365 installation status on the machine - - - - - - - - - - - text/plain - - - + + + FinalStatus + + + + + Final Office 365 installation status. + + + + + + + + + + + + + + 10.0.17763 + 1.5 + + + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + + + Office + ./Device/Vendor/MSFT + + + + + Root of the office CSP. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Installation + + + + + Installation options for the office CSP. + + + + + + + + + + + + + + + + + + + + + + + A unique identifier which represents the installation instance id. + + + + + + + + + + id + + + + + A unique identifier which represents the installation instance id. + + + + Install + + + + + + The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + + + + + + + + + + + + + + + + + + Status + + + + + The installation status of the CSP. + + + + + + + + + + + + + + + + FinalStatus + + + + + Final Office 365 installation status. + + + + + + + + + + + + + + 10.0.17763 + 1.5 + + + + + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + ``` + +## Related articles + +[Office configuration service provider reference](office-csp.md) 
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 79b9684766..34cd8ae204 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -1,378 +1,2443 @@ --- title: PassportForWork CSP -description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). -ms.reviewer: +description: Learn more about the PassportForWork CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/19/2019 +ms.topic: reference --- + + + # PassportForWork CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. - > [!IMPORTANT] -> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. -  -### User configuration diagram +> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. + -The following example shows the PassportForWork configuration service provider in tree format. 
+ +The following list shows the PassportForWork configuration service provider nodes: -```console -./User/Vendor/MSFT -PassportForWork --------TenantId -----------Policies --------------UsePassportForWork --------------RequireSecurityDevice --------------EnablePinRecovery --------------PINComplexity -----------------MinimumPINLength -----------------MaximumPINLength -----------------UppercaseLetters -----------------LowercaseLetters -----------------SpecialCharecters -----------------Digits -----------------History -----------------Expiration +- ./Device/Vendor/MSFT/PassportForWork + - [{TenantId}](#devicetenantid) + - [Policies](#devicetenantidpolicies) + - [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery) + - [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices) + - [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12) + - [PINComplexity](#devicetenantidpoliciespincomplexity) + - [Digits](#devicetenantidpoliciespincomplexitydigits) + - [Expiration](#devicetenantidpoliciespincomplexityexpiration) + - [History](#devicetenantidpoliciespincomplexityhistory) + - [LowercaseLetters](#devicetenantidpoliciespincomplexitylowercaseletters) + - [MaximumPINLength](#devicetenantidpoliciespincomplexitymaximumpinlength) + - [MinimumPINLength](#devicetenantidpoliciespincomplexityminimumpinlength) + - [SpecialCharacters](#devicetenantidpoliciespincomplexityspecialcharacters) + - [UppercaseLetters](#devicetenantidpoliciespincomplexityuppercaseletters) + - [Remote](#devicetenantidpoliciesremote) + - [UseRemotePassport](#devicetenantidpoliciesremoteuseremotepassport) + - [RequireSecurityDevice](#devicetenantidpoliciesrequiresecuritydevice) + - [UseCertificateForOnPremAuth](#devicetenantidpoliciesusecertificateforonpremauth) + - [UseCloudTrustForOnPremAuth](#devicetenantidpoliciesusecloudtrustforonpremauth) + - [UseHelloCertificatesAsSmartCardCertificates](#devicetenantidpoliciesusehellocertificatesassmartcardcertificates) + - 
[UsePassportForWork](#devicetenantidpoliciesusepassportforwork) + - [Biometrics](#devicebiometrics) + - [EnableESSwithSupportedPeripherals](#devicebiometricsenableesswithsupportedperipherals) + - [FacialFeaturesUseEnhancedAntiSpoofing](#devicebiometricsfacialfeaturesuseenhancedantispoofing) + - [UseBiometrics](#devicebiometricsusebiometrics) + - [DeviceUnlock](#devicedeviceunlock) + - [GroupA](#devicedeviceunlockgroupa) + - [GroupB](#devicedeviceunlockgroupb) + - [Plugins](#devicedeviceunlockplugins) + - [DynamicLock](#devicedynamiclock) + - [DynamicLock](#devicedynamiclockdynamiclock) + - [Plugins](#devicedynamiclockplugins) + - [SecurityKey](#devicesecuritykey) + - [UseSecurityKeyForSignin](#devicesecuritykeyusesecuritykeyforsignin) + - [UseBiometrics](#deviceusebiometrics) +- ./User/Vendor/MSFT/PassportForWork + - [{TenantId}](#usertenantid) + - [Policies](#usertenantidpolicies) + - [EnablePinRecovery](#usertenantidpoliciesenablepinrecovery) + - [PINComplexity](#usertenantidpoliciespincomplexity) + - [Digits](#usertenantidpoliciespincomplexitydigits) + - [Expiration](#usertenantidpoliciespincomplexityexpiration) + - [History](#usertenantidpoliciespincomplexityhistory) + - [LowercaseLetters](#usertenantidpoliciespincomplexitylowercaseletters) + - [MaximumPINLength](#usertenantidpoliciespincomplexitymaximumpinlength) + - [MinimumPINLength](#usertenantidpoliciespincomplexityminimumpinlength) + - [SpecialCharacters](#usertenantidpoliciespincomplexityspecialcharacters) + - [UppercaseLetters](#usertenantidpoliciespincomplexityuppercaseletters) + - [RequireSecurityDevice](#usertenantidpoliciesrequiresecuritydevice) + - [UsePassportForWork](#usertenantidpoliciesusepassportforwork) + + + +## Device/{TenantId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId} ``` + -### Device configuration diagram + + +This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + -The following example shows the PassportForWork configuration service provider in tree format. + + +To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). + -```console -./Device/Vendor/MSFT -PassportForWork --------TenantId -----------Policies --------------UsePassportForWork --------------RequireSecurityDevice --------------ExcludeSecurityDevices -----------------TPM12 --------------EnablePinRecovery --------------UserCertificateForOnPremAuth --------------PINComplexity -----------------MinimumPINLength -----------------MaximumPINLength -----------------UppercaseLetters -----------------LowercaseLetters -----------------SpecialCharacters -----------------Digits -----------------History -----------------Expiration --------------Remote -----------------UseRemotePassport --------------UseHelloCertificatesAsSmartCardCertificates --------UseBiometrics --------Biometrics -----------UseBiometrics -----------FacialFeaturesUseEnhancedAntiSpoofing -----------EnableESSwithSupportedPeripherals --------DeviceUnlock -----------GroupA -----------GroupB -----------Plugins --------DynamicLock -----------DynamicLock -----------Plugins --------SecurityKey -----------UseSecurityKeyForSignin + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format 
| node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. | + + + + + + + + + +### Device/{TenantId}/Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies ``` + -**PassportForWork** -Root node for PassportForWork configuration service provider. + + +Root node for policies. + -***TenantId*** -A globally unique identifier (GUID), without curly braces (`{`, `}`), that's used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). + + + -***TenantId*/Policies** -Node for defining the Windows Hello for Business policy settings. + +**Description framework properties**: -***TenantId*/Policies/UsePassportForWork** -Boolean value that sets Windows Hello for Business as a method for signing into Windows. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + -Default value is true. If you set this policy to false, the user can't provision Windows Hello for Business. + + + -Supported operations are Add, Get, Delete, and Replace. + -***TenantId*/Policies/RequireSecurityDevice** -Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an extra security benefit over software so that data stored in it can't be used on other devices. + +#### Device/{TenantId}/Policies/EnablePinRecovery -Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there isn't a usable TPM. 
If you don't configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery +``` + -***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1703. Root node for excluded security devices. -*Not supported on Windows Holographic and Windows Holographic for Business.* + + +If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. -***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). +- If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. -Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. +- If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + -If you disable or don't configure this policy setting, TPM revision 1.2 modules will be used with Windows Hello for Business. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -***TenantId*/Policies/EnablePinRecovery** -Added in Windows 10, version 1703. 
Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. -This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + -Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. + +**Allowed values**: -If you disable or don't configure this policy setting, the PIN recovery secret won't be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + -Supported operations are Add, Get, Delete, and Replace. + + + -***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT) -Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources. + -If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. + +#### Device/{TenantId}/Policies/ExcludeSecurityDevices -If you disable or don't configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices +``` + -***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT) + + +Root node for excluded security devices. + + + + +> [!NOTE] +> Not supported on Windows Holographic and Windows Holographic for Business. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/{TenantId}/Policies/ExcludeSecurityDevices/TPM12 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices/TPM12 +``` + + + + +Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + +- If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. + +- If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{TenantId}/Policies/PINComplexity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity +``` + + + + +Root node for PIN policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/Digits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Digits +``` + + + + +Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of digits in PIN. | +| 1 | Requires the use of at least one digits in PIN. | +| 2 | Does not allow the use of digits in PIN. | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/Expiration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Expiration +``` + + + + +This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-730]` | +| Default Value | 0 | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/History + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/History +``` + + + + +This policy specifies the number of past PINs that can be stored in the history that can't be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-50]` | +| Default Value | 0 | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/LowercaseLetters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/LowercaseLetters +``` + + + + +Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of lowercase letters in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | +| 2 | Does not allow the use of lowercase letters in PIN. | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/MaximumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MaximumPINLength +``` + + + + +Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +- If you configure this policy setting, the PIN length must be less than or equal to this number. + +- If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +> [!NOTE] +> If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[4-127]` | +| Default Value | 127 | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/MinimumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MinimumPINLength +``` + + + + +Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +- If you configure this policy setting, the PIN length must be greater than or equal to this number. + +- If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +> [!NOTE] +> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[4-127]` | +| Default Value | 4 | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/SpecialCharacters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/SpecialCharacters +``` + + + + +Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of special characters in PIN. | +| 1 | Requires the use of at least one special characters in PIN. | +| 2 | Does not allow the use of special characters in PIN. | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/UppercaseLetters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/UppercaseLetters +``` + + + + +Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of uppercase letters in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | +| 2 | Does not allow the use of uppercase letters in PIN. | + + + + + + + + + +#### Device/{TenantId}/Policies/Remote + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/Remote +``` + + + + +Root node for phone sign-in policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/{TenantId}/Policies/Remote/UseRemotePassport + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/Remote/UseRemotePassport +``` + + + + +Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. + +Default value is false. + +- If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. +- If you disable this setting, a companion device cannot be used in desktop authentication scenarios. + + + + +> [!NOTE] +> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{TenantId}/Policies/RequireSecurityDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice +``` + + + + +A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +- If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. + +- If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{TenantId}/Policies/UseCertificateForOnPremAuth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth +``` + + + + +Windows Hello for Business can use certificates to authenticate to on-premise resources. + +- If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. + +- If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{TenantId}/Policies/UseCloudTrustForOnPremAuth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1566] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth +``` + + + + Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources. -If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain. +- If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain. -If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources. +- If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources. + -Supported operations are Add, Get, Delete, and Replace. + + + -***TenantId*/Policies/PINComplexity** -Node for defining PIN settings. + +**Description framework properties**: -***TenantId*/Policies/PINComplexity/MinimumPINLength** -Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. 
+| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + -If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 4. + +**Allowed values**: -> [!NOTE] -> If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + -  -Value type is int. Supported operations are Add, Get, Delete, and Replace. + + + -***TenantId*/Policies/PINComplexity/MaximumPINLength** -Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + -If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127. + +#### Device/{TenantId}/Policies/UseHelloCertificatesAsSmartCardCertificates -> [!NOTE] -> If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -  -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseHelloCertificatesAsSmartCardCertificates +``` + -***TenantId*/Policies/PINComplexity/UppercaseLetters** -Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. + + -Valid values: +- If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. -- 0 - Allows the use of uppercase letters in PIN. -- 1 - Requires the use of at least one uppercase letter in PIN. -- 2 - Doesn't allow the use of uppercase letters in PIN. - -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/PINComplexity/LowercaseLetters** -Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. - -Valid values: - -- 0 - Allows the use of lowercase letters in PIN. -- 1 - Requires the use of at least one lowercase letter in PIN. -- 2 - Doesn't allow the use of lowercase letters in PIN. - -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. - -Supported operations are Add, Get, Delete, and Replace. 
- -***TenantId*/Policies/PINComplexity/SpecialCharacters** -Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . - -Valid values: - -- 0 - Allows the use of special characters in PIN. -- 1 - Requires the use of at least one special character in PIN. -- 2 - Doesn't allow the use of special characters in PIN. - -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/PINComplexity/Digits** -Integer value that configures the use of digits in the Windows Hello for Business PIN. - -Valid values: - -- 0 - Allows the use of digits in PIN. -- 1 - Requires the use of at least one digit in PIN. -- 2 - Doesn't allow the use of digits in PIN. - -Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/PINComplexity/History** -Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required. This node was added in Windows 10, version 1511. - -The current PIN of the user is included in the set of PINs associated with the user account. PIN history isn't preserved through a PIN reset. 
- -Default value is 0. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/PINComplexity/Expiration** -Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. - -Default is 0. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT) -Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. -*Not supported on Windows Holographic and Windows Holographic for Business.* - -***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT) -Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. - -Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. - -Supported operations are Add, Get, Delete, and Replace. - -*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* - -***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1809. 
If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. - -If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. +- If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + -Value type is bool. Supported operations are Add, Get, Replace, and Delete. + + + -**UseBiometrics** -This node is deprecated. Use **Biometrics/UseBiometrics** node instead. + +**Description framework properties**: -**Biometrics** (only for ./Device/Vendor/MSFT) -Node for defining biometric settings. This node was added in Windows 10, version 1511. -*Not supported on Windows Holographic and Windows Holographic for Business.* +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + -**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) -Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use if there are failures. This node was added in Windows 10, version 1511. 
+ +**Allowed values**: -Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + -Supported operations are Add, Get, Delete, and Replace. + + + -*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* + -**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) -Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. + +#### Device/{TenantId}/Policies/UsePassportForWork -Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that don't support enhanced anti-spoofing. + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork +``` + -Enhanced anti-spoofing for Windows Hello face authentication isn't required on unmanaged devices. + + +Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. -Supported operations are Add, Get, Delete, and Replace. +- If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. -*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* +- If you disable this policy setting, the device does not provision Windows Hello for Business for any user. + -**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT) + + + -If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected. + +**Description framework properties**: -If you enable this policy it can have the following possible values: +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | + -**0 - Enhanced Sign-in Security Disabled** (not recommended) + +**Allowed values**: -Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. 
If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again. +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + -**1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security) + + + -Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that Enhanced Sign-in Security does not support, including that of peripheral devices, will be blocked and not available for Windows Hello. + -If you disable or do not configure this policy, Enhanced Sign-in Security is preferred on the device. The behavior will be the same as enabling the policy and setting the value to 1. + +## Device/Biometrics -Supported operations are Add, Get, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -*Supported from Windows 11 version 22H2* + +```Device +./Device/Vendor/MSFT/PassportForWork/Biometrics +``` + -**DeviceUnlock** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Interior node. + + +Root node for biometrics policies. + -**DeviceUnlock/GroupA** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the first step of authentication. + + + -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -**DeviceUnlock/GroupB** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the second step of authentication. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + -**DeviceUnlock/Plugins** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user presence. + -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +### Device/Biometrics/EnableESSwithSupportedPeripherals -**DynamicLock** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Interior node. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + +```Device +./Device/Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals +``` + -**DynamicLock/DynamicLock** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Enables the dynamic lock. + + +Enhanced Sign-in Security (ESS) isolates both biometric template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine. + -Value type is bool. Supported operations are Add, Get, Replace, and Delete. + + + -**DynamicLock/Plugins** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user absence. + +**Description framework properties**: -Value type is string. Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -**SecurityKey** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1903. Interior node. + +**Allowed values**: -Scope is permanent. Supported operation is Get. +| Value | Description | +|:--|:--| +| 0 | Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended). 
| +| 1 (Default) | Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security). | + + +**Group policy mapping**: -**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1903. Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. +| Name | Value | +|:--|:--| +| Name | Enable ESS with Supported Peripherals | +| Path | Passport > AT > WindowsComponents > MSPassportForWorkCategory | + -Scope is dynamic. Supported operations are Add, Get, Replace, and Delete. + + + -Value type is integer. + -Valid values: -- 0 (default) - disabled. -- 1 - enabled. + +### Device/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing +``` + + + + +This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. + +- If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. + +- If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. + +**Note** that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. + + + + +> [!NOTE] +> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +### Device/Biometrics/UseBiometrics + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/Biometrics/UseBiometrics +``` + + + + +Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + +- If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. + +- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. + +> [!NOTE] +> Disabling this policy prevents the use of biometric gestures on the device for all account types. + + + + +> [!NOTE] +> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +## Device/DeviceUnlock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DeviceUnlock +``` + + + + +Device Unlock. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/DeviceUnlock/GroupA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA +``` + + + + +Contains a list of providers by GUID that are to be considered for the first step of authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +### Device/DeviceUnlock/GroupB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB +``` + + + + +Contains a list of providers by GUID that are to be considered for the second step of authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +### Device/DeviceUnlock/Plugins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins +``` + + + + +List of plugins that the passive provider monitors to detect user presence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## Device/DynamicLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DynamicLock +``` + + + + +Dynamic Lock. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/DynamicLock/DynamicLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock +``` + + + + +Enables/Disables Dyanamic Lock. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +### Device/DynamicLock/Plugins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins +``` + + + + +List of plugins that the passive provider monitors to detect user absence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## Device/SecurityKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/SecurityKey +``` + + + + +Security Key. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/SecurityKey/UseSecurityKeyForSignin + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin +``` + + + + +Use security key for signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled. + + + + +Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft's implementation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + + +## Device/UseBiometrics + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/UseBiometrics +``` + + + + +THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD. + +Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + +- If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. + +- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. + +> [!NOTE] +> Disabling this policy prevents the use of biometric gestures on the device for all account types. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +## User/{TenantId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId} +``` + + + + +This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + + + + +To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. | + + + + + + + + + +### User/{TenantId}/Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies +``` + + + + +Root node for policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### User/{TenantId}/Policies/EnablePinRecovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery +``` + + + + +If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. + +- If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. + +- If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### User/{TenantId}/Policies/PINComplexity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity +``` + + + + +Root node for PIN policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### User/{TenantId}/Policies/PINComplexity/Digits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Digits +``` + + + + +Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of digits in PIN. | +| 1 | Requires the use of at least one digits in PIN. | +| 2 | Does not allow the use of digits in PIN. | + + + + + + + + + +##### User/{TenantId}/Policies/PINComplexity/Expiration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Expiration +``` + + + + +This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-730]` | +| Default Value | 0 | + + + + + + + + + +##### User/{TenantId}/Policies/PINComplexity/History + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/History +``` + + + + +This policy specifies the number of past PINs that can be stored in the history that can't be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-50]` | +| Default Value | 0 | + + + + + + + + + +##### User/{TenantId}/Policies/PINComplexity/LowercaseLetters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/LowercaseLetters +``` + + + + +Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of lowercase letters in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | +| 2 | Does not allow the use of lowercase letters in PIN. | + + + + + + + + + +##### User/{TenantId}/Policies/PINComplexity/MaximumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MaximumPINLength +``` + + + + +Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +- If you configure this policy setting, the PIN length must be less than or equal to this number. + +- If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +> [!NOTE] +> If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[4-127]` | +| Default Value | 127 | + + + + + + + + + +##### User/{TenantId}/Policies/PINComplexity/MinimumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MinimumPINLength +``` + + + + +Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +- If you configure this policy setting, the PIN length must be greater than or equal to this number. + +- If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +> [!NOTE] +> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[4-127]` | +| Default Value | 4 | + + + + + + + + + +##### User/{TenantId}/Policies/PINComplexity/SpecialCharacters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/SpecialCharacters +``` + + + + +Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of special characters in PIN. | +| 1 | Requires the use of at least one special characters in PIN. | +| 2 | Does not allow the use of special characters in PIN. | + + + + + + + + + +##### User/{TenantId}/Policies/PINComplexity/UppercaseLetters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/UppercaseLetters +``` + + + + +Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of uppercase letters in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | +| 2 | Does not allow the use of uppercase letters in PIN. | + + + + + + + + + +#### User/{TenantId}/Policies/RequireSecurityDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice +``` + + + + +A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +- If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. + +- If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### User/{TenantId}/Policies/UsePassportForWork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork +``` + + + + +Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. + +- If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. + +- If you disable this policy setting, the device does not provision Windows Hello for Business for any user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + + ## Examples Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. @@ -604,3 +2669,10 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol ``` + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 9e511239d2..89dbc41c22 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md 
@@ -1,38 +1,90 @@ --- -title: PassportForWork DDF -description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +title: PassportForWork DDF file +description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/29/2019 +ms.topic: reference --- -# PassportForWork DDF + -This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# PassportForWork DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1903. +The following XML file contains the device description framework (DDF) for the PassportForWork configuration service provider. ```xml -]> +]> 1.2 + + + + PassportForWork + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.2 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + + + + + + + + + + TenantId + + + + + A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. 
For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. + + - PassportForWork - ./User/Vendor/MSFT + Policies + + + Root node for policies. 
@@ -40,985 +92,15 @@ The XML below is for Windows 10, version 1903. - + + Policies - com.microsoft/1.6/MDM/PassportForWork + - - - - - - - - This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. - - - - - - - - - - TenantId - - - - - - Policies - - - - - - - Root node for policies. - - - - - - - - - - Policies - - - - - - UsePassportForWork - - - - - - - - True - Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. - -If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. - -If you disable this policy setting, the device does not provision Windows Hello for Business for any user. - - - - - - - - - - - text/plain - - - - - RequireSecurityDevice - - - - - - - - False - A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. - -If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. - -If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. - - - - - - - - - - - text/plain - - - - - EnablePinRecovery - - - - - - - - False - If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. 
- -If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. - -If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. - - - - - - - - - - - text/plain - - - - - PINComplexity - - - - - - - Root node for PIN policies - - - - - - - - - - - - - - - MinimumPINLength - - - - - - - - 4 - Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. - -If you configure this policy setting, the PIN length must be greater than or equal to this number. - -If you do not configure this policy setting, the PIN length must be greater than or equal to 4. - -NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. - - - - - - - - - - - text/plain - - - - - MaximumPINLength - - - - - - - - 127 - Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. - -If you configure this policy setting, the PIN length must be less than or equal to this number. - -If you do not configure this policy setting, the PIN length must be less than or equal to 127. 
- -NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. - - - - - - - - - - - text/plain - - - - - UppercaseLetters - - - - - - - - 0 - Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. - - - - - - - - - - - text/plain - - - - - LowercaseLetters - - - - - - - - 0 - Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. - - - - - - - - - - - text/plain - - - - - SpecialCharacters - - - - - - - - 0 - ? @ [ \ ] ^ _ ` { | } ~ . - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. 
- -If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> - - - - - - - - - - - text/plain - - - - - Digits - - - - - - - - 0 - Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. - -If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. - - - - - - - - - - - text/plain - - - - - History - - - - - - - - 0 - This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. - - - - - - - - - - - text/plain - - - - - Expiration - - - - - - - - 0 - This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. - - - - - - - - - - - text/plain - - - - - - - - - PassportForWork - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - - - - - - - - - - - - This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. - - - - - - - - - - TenantId - - - - - - Policies - - - - - - - Root node for policies. 
- - - - - - - - - - Policies - - - - - - UsePassportForWork - - - - - - - - True - Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. - -If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. - -If you disable this policy setting, the device does not provision Windows Hello for Business for any user. - - - - - - - - - - - text/plain - - - - - RequireSecurityDevice - - - - - - - - False - A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. - -If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. - -If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. - - - - - - - - - - - text/plain - - - - - ExcludeSecurityDevices - - - - - - - Root node for excluded security devices. - - - - - - - - - - ExcludeSecurityDevices - - - - - - TPM12 - - - - - - - - False - Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). - -If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. - -If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. - - - - - - - - - - - text/plain - - - - - - EnablePinRecovery - - - - - - - - False - If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. 
This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. - -If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. - -If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. - - - - - - - - - - - - text/plain - - - - - UseCertificateForOnPremAuth - - - - - - - - False - Windows Hello for Business can use certificates to authenticate to on-premise resources. - -If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. - -If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. - - - - - - - - - - - text/plain - - - - - PINComplexity - - - - - - - Root node for PIN policies - - - - - - - - - - - - - - - MinimumPINLength - - - - - - - - 4 - Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. - -If you configure this policy setting, the PIN length must be greater than or equal to this number. - -If you do not configure this policy setting, the PIN length must be greater than or equal to 4. 
- -NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. - - - - - - - - - - - text/plain - - - - - MaximumPINLength - - - - - - - - 127 - Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. - -If you configure this policy setting, the PIN length must be less than or equal to this number. - -If you do not configure this policy setting, the PIN length must be less than or equal to 127. - -NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. - - - - - - - - - - - text/plain - - - - - UppercaseLetters - - - - - - - - 0 - Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. - - - - - - - - - - - text/plain - - - - - LowercaseLetters - - - - - - - - 0 - Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. 
- -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. - - - - - - - - - - - text/plain - - - - - SpecialCharacters - - - - - - - - 0 - ? @ [ \ ] ^ _ ` { | } ~ . - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> - - - - - - - - - - - text/plain - - - - - Digits - - - - - - - - 0 - Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. - -If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. - - - - - - - - - - - text/plain - - - - - History - - - - - - - - 0 - This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. - - - - - - - - - - - text/plain - - - - - Expiration - - - - - - - - 0 - This policy specifies when the PIN expires (in days). 
Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. - - - - - - - - - - - text/plain - - - - - - Remote - - - - - - - Root node for phone sign-in policies - - - - - - - - - - - - - - - UseRemotePassport - - - - - - - - False - Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. - -Default value is false. If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. If you disable this setting, a companion device cannot be used in desktop authentication scenarios. - - - - - - - - - - - text/plain - - - - - - UseHelloCertificatesAsSmartCardCertificates - - - - - - - - False - If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. - -If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. - -Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. - - - - - - - - - - - text/plain - - - - - - - UseBiometrics + UsePassportForWork 
@@ -1026,16 +108,12 @@ Windows requires a user to lock and unlock their session after changing this set - False - THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD. + True + Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. -Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. +If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. -If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. - -If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. - -NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types. +If you disable this policy setting, the device does not provision Windows Hello for Business for any user. 
@@ -1046,17 +124,111 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device - text/plain + + + + false + Disabled + + + true + Enabled + + - Biometrics + RequireSecurityDevice + + + + + + False + A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. + +If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + EnablePinRecovery + + + + + + + + False + If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. + +If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. + +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + + + + + + + + + + + + + + 10.0.15063 + 1.3 + + + + false + Disabled + + + true + Enabled + + + + + + PINComplexity + + + + - Root node for biometrics policies + Root node for PIN policies 
@@ -1064,14 +236,502 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device - + - + - UseBiometrics + MinimumPINLength + + + + + + + + 4 + Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +If you configure this policy setting, the PIN length must be greater than or equal to this number. + +If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + + + + [4-127] + + + + + MaximumPINLength + + + + + + + + 127 + Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +If you configure this policy setting, the PIN length must be less than or equal to this number. + +If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + + + + [4-127] + + + + + UppercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. 
+ +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of uppercase letters in PIN. + + + 1 + Requires the use of at least one uppercase letters in PIN. + + + 2 + Does not allow the use of uppercase letters in PIN. + + + + + + LowercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of lowercase letters in PIN. + + + 1 + Requires the use of at least one lowercase letters in PIN. + + + 2 + Does not allow the use of lowercase letters in PIN. + + + + + + SpecialCharacters + + + + + + + + 0 + ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. 
+ +If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> + + + + + + + + + + + + + + + 0 + Allows the use of special characters in PIN. + + + 1 + Requires the use of at least one special characters in PIN. + + + 2 + Does not allow the use of special characters in PIN. + + + + + + Digits + + + + + + + + 0 + Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of digits in PIN. + + + 1 + Requires the use of at least one digits in PIN. + + + 2 + Does not allow the use of digits in PIN. + + + + + + History + + + + + + + + 0 + This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. + + + + + + + + + + + + + + [0-50] + + + + + Expiration + + + + + + + + 0 + This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. 
+ + + + + + + + + + + + + + [0-730] + + + + + + + + + PassportForWork + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.2 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + + + + + + + + + + TenantId + + + + + A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. + + + + Policies + + + + + + + Root node for policies. + + + + + + + + + + Policies + + + + + + UsePassportForWork + + + + + + + + True + Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. + +If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. + +If you disable this policy setting, the device does not provision Windows Hello for Business for any user. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + RequireSecurityDevice + + + + + + + + False + A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. 
+ +If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + ExcludeSecurityDevices + + + + + + + Root node for excluded security devices. + + + + + + + + + + ExcludeSecurityDevices + + + + + 10.0.15063 + 1.3 + + + + TPM12 
@@ -1080,272 +740,1036 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device False - Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + +If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. + +If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + + EnablePinRecovery + + + + + + + + False + If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. + +If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. + +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + + + + + + + + + + + + + + + 10.0.15063 + 1.3 + + + + false + Disabled + + + true + Enabled + + + + + + UseCertificateForOnPremAuth + + + + + + + + False + Windows Hello for Business can use certificates to authenticate to on-premise resources. 
+ +If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. + +If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + UseCloudTrustForOnPremAuth + + + + + + + + False + Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources. + +If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain. + +If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources. + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.527, 10.0.19044.1566 + 1.6 + + + + false + Disabled + + + true + Enabled + + + + + + PINComplexity + + + + + + + Root node for PIN policies + + + + + + + + + + + + + + + MinimumPINLength + + + + + + + + 4 + Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +If you configure this policy setting, the PIN length must be greater than or equal to this number. + +If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. 
+ + + + + + + + + + + + + + [4-127] + + + + + MaximumPINLength + + + + + + + + 127 + Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +If you configure this policy setting, the PIN length must be less than or equal to this number. + +If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + + + + [4-127] + + + + + UppercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of uppercase letters in PIN. + + + 1 + Requires the use of at least one uppercase letters in PIN. + + + 2 + Does not allow the use of uppercase letters in PIN. + + + + + + LowercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. 
+ +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of lowercase letters in PIN. + + + 1 + Requires the use of at least one lowercase letters in PIN. + + + 2 + Does not allow the use of lowercase letters in PIN. + + + + + + SpecialCharacters + + + + + + + + 0 + ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> + + + + + + + + + + + + + + + 0 + Allows the use of special characters in PIN. + + + 1 + Requires the use of at least one special characters in PIN. + + + 2 + Does not allow the use of special characters in PIN. + + + + + + Digits + + + + + + + + 0 + Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of digits in PIN. 
+ + + 1 + Requires the use of at least one digits in PIN. + + + 2 + Does not allow the use of digits in PIN. + + + + + + History + + + + + + + + 0 + This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. + + + + + + + + + + + + + + [0-50] + + + + + Expiration + + + + + + + + 0 + This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. + + + + + + + + + + + + + + [0-730] + + + + + + Remote + + + + + + + Root node for phone sign-in policies + + + + + + + + + + + + + + + UseRemotePassport + + + + + + + + False + Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. + +Default value is false. If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. If you disable this setting, a companion device cannot be used in desktop authentication scenarios. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + + UseHelloCertificatesAsSmartCardCertificates + + + + + + + + False + If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. 
+ +If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. + +Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + + + + + + + + + + + + + + 10.0.17763 + 1.6 + + + + false + Disabled + + + true + Enabled + + + + + + + + UseBiometrics + + + + + + + + False + THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD. + +Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types. - - - - - - - - - - - text/plain - - - - - FacialFeaturesUseEnhancedAntiSpoofing - - - - - - - - False - This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + + Biometrics + + + + + Root node for biometrics policies + + + + + + + + + + + + + + + UseBiometrics + + + + + + + + False + Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + +If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. 
+ +If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. + +NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + FacialFeaturesUseEnhancedAntiSpoofing + + + + + + + + False + This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. - - - - - - - - - - - text/plain - - - - - - - - - - DeviceUnlock - - - - - Device Unlock - - - - - - - - - - - - - - - GroupA - - - - - - - - Contains a list of providers by GUID that are to be considered for the first step of authentication - - - - - - - - - - - text/plain - - - - - GroupB - - - - - - - - Contains a list of providers by GUID that are to be considered for the second step of authentication - - - - - - - - - - - text/plain - - - - - Plugins - - - - - - - - List of plugins that the passive provider monitors to detect user presence - - - - - - - - - - - text/plain - - - - - - DynamicLock - - - - - Dynamic Lock - - - - - - - - - - - - - - - DynamicLock - - - - - - - - False - Enables/Disables Dyanamic Lock - - - - - - - - - - - text/plain - - - - - Plugins - - - - - - - - List of plugins that the passive provider monitors to detect user absence - - - - - - - - - - - text/plain - - - - - - SecurityKey - - - - - Security Key - - - - - - - - - - - - - - - UseSecurityKeyForSignin - - - - - - - - 0 - Use security key for 
signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled. - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + EnableESSwithSupportedPeripherals + + + + + + + + 1 + Enhanced Sign-in Security (ESS) isolates both biometric template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine. + + + + + + + + + + + + + + + + + 10.0.22621 + 1.3 + + + + 0 + Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended) + + + 1 + Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. 
(default and recommended for highest security) + + + + LastWrite + + + + + DeviceUnlock + + + + + Device Unlock + + + + + + + + + + + + + + 10.0.17134 + 1.4 + + + + GroupA + + + + + + + + Contains a list of providers by GUID that are to be considered for the first step of authentication + + + + + + + + + + + + + + {[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + GroupB + + + + + + + + Contains a list of providers by GUID that are to be considered for the second step of authentication + + + + + + + + + + + + + + {[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user presence + + + + + + + + + + + + + + + + + DynamicLock + + + + + Dynamic Lock + + + + + + + + + + + + + + 10.0.17134 + 1.4 + + + + DynamicLock + + + + + + + + False + Enables/Disables Dyanamic Lock + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user absence + + + + + + + + + + + + + + + + + SecurityKey + + + + + Security Key + + + + + + + + + + + + + + 10.0.18362 + 1.6 + + + + UseSecurityKeyForSignin + + + + + + + + 0 + Use security key for signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled. + + + + + + + + + + + + + + + 0 + disabled + + + 1 + enabled + + + + + + ``` + +## Related articles + +[PassportForWork configuration service provider reference](passportforwork-csp.md) diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md index c64e9f1290..b7227416df 100644 --- a/windows/client-management/mdm/personaldataencryption-csp.md +++ b/windows/client-management/mdm/personaldataencryption-csp.md 
@@ -1,46 +1,171 @@ --- -title: PersonalDataEncryption CSP -description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. -ms.author: v-nsatapathy -ms.topic: article +title: PDE CSP +description: Learn more about the PDE CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: nimishasatapathy -ms.localizationpriority: medium -ms.date: 09/12/2022 -ms.reviewer: -manager: dansimp +ms.topic: reference --- -# PersonalDataEncryption CSP + -The PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2. + +# PDE CSP -The following shows the PersonalDataEncryption configuration service provider in tree format: + + +The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2. + + +The following list shows the PDE configuration service provider nodes: + +- ./User/Vendor/MSFT/PDE + - [EnablePersonalDataEncryption](#enablepersonaldataencryption) + - [Status](#status) + - [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus) + + + +## EnablePersonalDataEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption ``` -./User/Vendor/MSFT/PDE --- EnablePersonalDataEncryption --- Status --------- PersonalDataEncryptionStatus + + + +Allows the Admin to enable Personal Data Encryption. Set to '1' to set this policy. + + + + +The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable Personal Data Encryption. | +| 1 | Enable Personal Data Encryption. | + + + + + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/PDE/Status ``` + -**EnablePersonalDataEncryption**: -- 0 is default (disabled) -- 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + + + -The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled. + + +Reports the current status of Personal Data Encryption (PDE) for the user. -**Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE aren't met, then the status will be 0. If all prerequisites are met for PDE, then PDE will be enabled and status will be 1. +- If prerequisites of PDE aren't met, then the status will be 0. +- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1. + -> [!Note] -> The policy is only applicable on Enterprise and Education SKUs. + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Status/PersonalDataEncryptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/PDE/Status/PersonalDataEncryptionStatus +``` + + + + +This node reports the current state of Personal Data Encryption for a user. '0' means disabled. '1' means enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index 8584167779..9550cce774 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md 
@@ -1,32 +1,29 @@ --- -title: PersonalDataEncryption DDF file -description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider. -ms.author: v-nsatapathy -ms.topic: article +title: PDE DDF file +description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: nimishasatapathy -ms.localizationpriority: medium -ms.date: 09/10/2022 -ms.reviewer: -manager: dansimp +ms.topic: reference --- -# PersonalDataEncryption DDF file + -This topic shows the OMA DM device description framework (DDF) for the **PersonalDataEncryption** configuration service provider. +# PDE DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the PDE configuration service provider. ```xml -]> +]> 1.2 + + PDE ./User/Vendor/MSFT @@ -46,6 +43,11 @@ The XML below is the current version for this CSP. + + 10.0.22621 + 1.0 + 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0xAB;0xAC;0xB4;0xBC;0xBF;0xCD; + EnablePersonalDataEncryption @@ -124,4 +126,8 @@ The XML below is the current version for this CSP. -``` \ No newline at end of file +``` + +## Related articles + +[PDE configuration service provider reference](personaldataencryption-csp.md) diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index ac71d90716..822238c6fa 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md 
@@ -1,91 +1,195 @@ --- title: Personalization CSP -description: Use the Personalization CSP to lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package. +description: Learn more about the Personalization CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/28/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Personalization CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. + -This CSP was added in Windows 10, version 1703. + +The following list shows the Personalization configuration service provider nodes: -> [!Note] -> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional if SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set. +- ./Vendor/MSFT/Personalization + - [DesktopImageStatus](#desktopimagestatus) + - [DesktopImageUrl](#desktopimageurl) + - [LockScreenImageStatus](#lockscreenimagestatus) + - [LockScreenImageUrl](#lockscreenimageurl) + -The following example shows the Personalization configuration service provider in tree format. + +## DesktopImageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Personalization/DesktopImageStatus ``` -./Vendor/MSFT -Personalization -----DesktopImageUrl -----DesktopImageStatus -----LockScreenImageUrl -----LockScreenImageStatus + + + + +This represents the status of the DesktopImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## DesktopImageUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Personalization/DesktopImageUrl ``` -**./Vendor/MSFT/Personalization** -

    Defines the root node for the Personalization configuration service provider.

    + -**DesktopImageUrl** -

    Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.

    -

    Value type is string. Supported operations are Add, Get, Delete, and Replace.

    + + +A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image. + -**DesktopImageStatus** -

    Represents the status of the desktop image. Valid values:

    -
      -
    • 1 - Successfully downloaded or copied.
    • -
    • 2 - Download or copy in progress.
    • -
    • 3 - Download or copy failed.
    • -
    • 4 - Unknown file type.
    • -
    • 5 - Unsupported URL scheme.
    • -
    • 6 - Max retry failed.
    • -
    • 7 - Blocked, SKU not allowed
    • -
    -

    Supporter operation is Get.

    + + + -> [!Note] -> This setting is only used to query status. To set the image, use the DesktopImageUrl setting. + +**Description framework properties**: -**LockScreenImageUrl** -

    Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.

    -

    Value type is string. Supported operations are Add, Get, Delete, and Replace.

    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + -**LockScreenImageStatus** -

    Represents the status of the lock screen image. Valid values:

    -
      -
    • 1 - Successfully downloaded or copied.
    • -
    • 2 - Download or copy in progress.
    • -
    • 3 - Download or copy failed.
    • -
    • 4 - Unknown file type.
    • -
    • 5 - Unsupported URL scheme.
    • -
    • 6 - Max retry failed.
    • -
    • 7 - Blocked, SKU not allowed
    • -
    -

    Supporter operation is Get.

    + -> [!Note] -> This setting is only used to query status. To set the image, use the LockScreenImageUrl setting. + +## LockScreenImageStatus + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -## Example SyncML + +```Device +./Vendor/MSFT/Personalization/LockScreenImageStatus +``` + + + + +This represents the status of the LockScreenImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## LockScreenImageUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Personalization/LockScreenImageUrl +``` + + + + +A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + +## Example ```xml @@ -124,6 +228,10 @@ Personalization ``` + + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index c3ec340d14..b2d5a5ded4 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md 
@@ -1,142 +1,155 @@ --- title: Personalization DDF file -description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). +description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # Personalization DDF file -This topic shows the OMA DM device description framework (DDF) for the **Personalization** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the Personalization configuration service provider. ```xml -]> +]> 1.2 - - Personalization - ./Vendor/MSFT - - - - - Configure a PC's personalization settings such as Desktop Image and Lock Screen Image. - - - - - - - - - - - com.microsoft/1.0/MDM/Personalization - - - - DesktopImageUrl - - - - - - - - A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to used as the Desktop Image. - - - - - - - - - - - text/plain - - - - - DesktopImageStatus - - - - - This represents the status of the DesktopImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. 
- - - - - - - - - - - text/plain - - - - - LockScreenImageUrl - - - - - - - - A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. - - - - - - - - - - - text/plain - - - - - LockScreenImageStatus - - - - - This represents the status of the LockScreenImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. - - - - - - - - - - - text/plain - - - - + + + + Personalization + ./Vendor/MSFT + + + + + + + Configure a PC's personalization settings such as Desktop Image and Lock Screen Image. + + + + + + + + + + + + + + 10.0.16299 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + DesktopImageUrl + + + + + + + + A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image. + + + + + + + + + + + + + + + + + + DesktopImageStatus + + + + + This represents the status of the DesktopImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + + + + + + + + + + LockScreenImageUrl + + + + + + + + A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. + + + + + + + + + + + + + + + + + + LockScreenImageStatus + + + + + This represents the status of the LockScreenImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 
4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + + + + + + + + + ```
+
+## Related articles
+
+[Personalization configuration service provider reference](personalization-csp.md)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 6ab8b5a7a4..1eba8fd662 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/17/2023
+ms.date: 02/28/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -49,33 +49,31 @@ The Policy configuration service provider has the following sub-categories:
-The following example shows the Policy configuration service provider in tree format.
+The following list shows the Policy configuration service provider nodes:
-```text
-./Device/Vendor/MSFT/Policy
---- Config
------- {AreaName}
---------- {PolicyName}
---- ConfigOperations
------- ADMXInstall
---------- {AppName}
------------- {SettingsType}
---------------- {AdmxFileId}
------------- Properties
---------------- {SettingsType}
------------------- {AdmxFileId}
---------------------- Version
---- Result
------- {AreaName}
---------- {PolicyName}
-./User/Vendor/MSFT/Policy
---- Config
------- {AreaName}
---------- {PolicyName}
---- Result
------- {AreaName}
---------- {PolicyName}
-```
+- ./Device/Vendor/MSFT/Policy
+ - [Config](#deviceconfig)
+ - [{AreaName}](#deviceconfigareaname)
+ - [{PolicyName}](#deviceconfigareanamepolicyname)
+ - [ConfigOperations](#deviceconfigoperations)
+ - [ADMXInstall](#deviceconfigoperationsadmxinstall)
+ - [{AppName}](#deviceconfigoperationsadmxinstallappname)
+ - [{SettingsType}](#deviceconfigoperationsadmxinstallappnamesettingstype)
+ - [{AdmxFileId}](#deviceconfigoperationsadmxinstallappnamesettingstypeadmxfileid)
+ - [Properties](#deviceconfigoperationsadmxinstallappnameproperties)
+ - [{SettingsType}](#deviceconfigoperationsadmxinstallappnamepropertiessettingstype)
+ - [{AdmxFileId}](#deviceconfigoperationsadmxinstallappnamepropertiessettingstypeadmxfileid)
+ - [Version](#deviceconfigoperationsadmxinstallappnamepropertiessettingstypeadmxfileidversion)
+ - [Result](#deviceresult)
+ - [{AreaName}](#deviceresultareaname)
+ - [{PolicyName}](#deviceresultareanamepolicyname)
+- ./User/Vendor/MSFT/Policy
+ - [Config](#userconfig)
+ - [{AreaName}](#userconfigareaname)
+ - [{PolicyName}](#userconfigareanamepolicyname)
+ - [Result](#userresult)
+ - [{AreaName}](#userresultareaname)
+ - [{PolicyName}](#userresultareanamepolicyname)
@@ -344,7 +342,7 @@ Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX f
-Setting Type of Win32 App. Policy Or Preference
+Setting Type of Win32 App. Policy Or Preference.
@@ -384,7 +382,7 @@ Setting Type of Win32 App. Policy Or Preference
-Unique ID of ADMX file
+Unique ID of ADMX file.
@@ -424,7 +422,7 @@ Unique ID of ADMX file
-Properties of Win32 App ADMX Ingestion
+Properties of Win32 App ADMX Ingestion.
@@ -463,7 +461,7 @@ Properties of Win32 App ADMX Ingestion
-Setting Type of Win32 App. Policy Or Preference
+Setting Type of Win32 App. Policy Or Preference.
@@ -503,7 +501,7 @@ Setting Type of Win32 App. Policy Or Preference
-Unique ID of ADMX file
+Unique ID of ADMX file.
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 2636c0f68e..46796cc58d 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -2774,7 +2774,7 @@ This policy setting allows you to audit events generated by attempts to access t
 - If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
 > [!NOTE]
-> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
+> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about SACL, see [Access control lists](/windows/win32/secauthz/access-control-lists).
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 298d67d708..c5e12804f1 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/10/2023
+ms.date: 03/08/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -700,9 +700,9 @@ Allows or disallows Windows Defender Realtime Monitoring functionality.
 This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
-- If you enable this setting, network files will be scanned.
+- If you enable this setting or do not configure this setting, network files will be scanned.
-- If you disable or do not configure this setting, network files will not be scanned.
+- If you disable this setting, network files will not be scanned.
@@ -955,7 +955,7 @@ After enabling this setting, you can set each rule to the following in the Optio
 - Not Configured: the rule is enabled with default values
 - Warn: the rule will be applied and the end-user will have the option to bypass the block
-Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured.
+Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules with the value of not configured.
 Enabled: Specify the state for each ASR rule under the Options section for this setting.
@@ -2194,7 +2194,7 @@ This policy setting allows you to specify the scan type to use during a schedule
 - If you enable this setting, the scan type will be set to the specified value.
-- If you disable or do not configure this setting, the default scan type will used.
+- If you disable or do not configure this setting, the default scan type will be used.
@@ -2692,7 +2692,7 @@ This policy setting allows you to specify an interval at which to check for secu
-This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set.
+This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set.
 Possible options are:
 (0x0) Always prompt
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index cb8e92e349..03c560a1d3 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -4,7 +4,7 @@ description: Learn more about the DeviceGuard Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/09/2023
+ms.date: 03/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -36,7 +36,7 @@ ms.topic: reference
-
+
 Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch.
@@ -72,7 +72,7 @@ For more information about System Guard, see [Introducing Windows Defender Syste
 |:--|:--|
 | Name | VirtualizationBasedSecurity |
 | Friendly Name | Turn On Virtualization Based Security |
-| Element Name | Secure Launch Configuration |
+| Element Name | Secure Launch Configuration. |
 | Location | Computer Configuration |
 | Path | System > Device Guard |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
@@ -149,7 +149,7 @@ Kernel-mode Hardware-enforced Stack Protection
 This setting enables Hardware-enforced Stack Protection for kernel-mode code. When this security feature is enabled, kernel-mode data stacks are hardened with hardware-based shadow stacks, which store intended return address targets to ensure that program control flow is not tampered.
-This security feature has the following prerequisites
+This security feature has the following prerequisites:
 1) The CPU hardware supports hardware-based shadow stacks.
 2) Virtualization Based Protection of Code Integrity is enabled.
@@ -166,7 +166,7 @@ The "Enabled in enforcement mode" option enables kernel-mode Hardware-enforced S
 The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
 > [!WARNING]
-> All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, refer to .
+> All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, see [A driver can't load on this device](https://go.microsoft.com/fwlink/?LinkId=2162953).
@@ -228,7 +228,7 @@ The "Not Configured" option leaves the policy setting undefined. Group Policy do
-
+
 Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
@@ -263,7 +263,7 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config
 |:--|:--|
 | Name | VirtualizationBasedSecurity |
 | Friendly Name | Turn On Virtualization Based Security |
-| Element Name | Credential Guard Configuration |
+| Element Name | Credential Guard Configuration. |
 | Location | Computer Configuration |
 | Path | System > Device Guard |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
@@ -292,7 +292,7 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config
-
+
 Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
@@ -327,7 +327,7 @@ This setting lets users turn on Credential Guard with virtualization-based secur
 |:--|:--|
 | Name | VirtualizationBasedSecurity |
 | Friendly Name | Turn On Virtualization Based Security |
-| Element Name | Select Platform Security Level |
+| Element Name | Select Platform Security Level. |
 | Location | Computer Configuration |
 | Path | System > Device Guard |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index d4bee876d5..e46c94e961 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1767,7 +1767,7 @@ _**Turn syncing off by default but don’t disable**_
-Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager. By default, this policy is disabled.
+Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Intune. By default, this policy is disabled.
 - If you enable this policy, these experiences will show content booked by Administrators. Enabling this policy will have no impact on existing MDM policy settings governing delivery of content from Microsoft on Windows experiences.
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 690864628e..98481bddc4 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -1,299 +1,342 @@
 ---
-title: Policy CSP - MSSecurityGuide
-description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable.
+title: MSSecurityGuide Policy CSP
+description: Learn more about the MSSecurityGuide Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/17/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - MSSecurityGuide
-
-
    - - -## MSSecurityGuide policies - -
    -
    - MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon -
    -
    - MSSecurityGuide/ConfigureSMBV1ClientDriver -
    -
    - MSSecurityGuide/ConfigureSMBV1Server -
    -
    - MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection -
    -
    - MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications -
    -
    - MSSecurityGuide/WDigestAuthentication -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## ApplyUACRestrictionsToLocalAccountsOnNetworkLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0201_LATFP | +| ADMX File Name | SecGuide.admx | + + + + + + + + + +## ConfigureSMBV1ClientDriver + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0002_SMBv1_ClientDriver | +| ADMX File Name | SecGuide.admx | + + + + + + + + + +## ConfigureSMBV1Server + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1Server +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0001_SMBv1_Server | +| ADMX File Name | SecGuide.admx | + + + + + + + + + +## EnableStructuredExceptionHandlingOverwriteProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0102_SEHOP | +| ADMX File Name | SecGuide.admx | + + + + + + + + + +## TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0101_WDPUA | +| ADMX File Name | SecGuide.admx | + - -**MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon** + + + - + + + +## WDigestAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/WDigestAuthentication +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0202_WDigestAuthn | +| ADMX File Name | SecGuide.admx | + - -ADMX Info: -- GP name: *Pol_SecGuide_0201_LATFP* -- GP ADMX file name: *SecGuide.admx* + + + - - + -
    + + + - -**MSSecurityGuide/ConfigureSMBV1ClientDriver** + - +## Related articles -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0002_SMBv1_ClientDriver* -- GP ADMX file name: *SecGuide.admx* - - - - -
    - - -**MSSecurityGuide/ConfigureSMBV1Server** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0001_SMBv1_Server* -- GP ADMX file name: *SecGuide.admx* - - - - -
    - - -**MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0102_SEHOP* -- GP ADMX file name: *SecGuide.admx* - - - - -
    - - -**MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0101_WDPUA* -- GP ADMX file name: *SecGuide.admx* - - - - -
    - - -**MSSecurityGuide/WDigestAuthentication** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0202_WDigestAuthn* -- GP ADMX file name: *SecGuide.admx* - - - -
    - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 44eecc6ae9..4669b6c300 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -37,23 +37,24 @@ ms.topic: reference -List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. +List of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. - -When entering a list of TLS endpoints in Microsoft Intune, use the following format, even in the UI: - -`` - +- When entering a list of TLS endpoints in Microsoft Intune using a configuration profile with a custom template and the OMA URI, use the following format: `` - The HTTPS endpoint must not have any more authentication checks, such as sign-in or multi-factor authentication. - - The HTTPS endpoint must be an internal address not accessible from outside the organizational network. - - The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store. - - A certificate shouldn't be a public certificate. + +To test the URL, use a PowerShell command similar to below: + +```powershell +Invoke-WebRequest -Uri https://nls.corp.contoso.com -Method get -UseBasicParsing -MaximumRedirection 0 +``` + +`StatusCode` return by the command must be 200 (`HTTP_STATUS_OK`). 
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index e9921d6795..6aac2cbd12 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3252,6 +3252,17 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po
+Enabling this policy will restrict updates to download and install outside of Active Hours. Updates will be allowed to start even if there is a signed-in user or the device is on battery power, providing there is more than 70% battery capacity. Windows will schedule the device to wake from sleep 1 hour after the [ActiveHoursEnd](#activehoursend) time with a 60-minute random delay. Devices will reboot immediately after the updates are installed. If there are still pending updates, the device will continue to retry every hour for 4 hours.
+
+The following rules are followed regarding battery power:
+- Above 70% - allowed to start work;
+- Above 40% - allowed to reboot;
+- Above 20% - allowed to continue work.
+
+This setting overrides the install deferral behaviour of [AllowAutoUpdate](#allowautoupdate).
+
+These settings are designed for education devices that remain in carts overnight that are left in sleep mode. It is not designed for 1:1 devices.
+
diff --git a/windows/client-management/mdm/printerprovisioning-csp.md b/windows/client-management/mdm/printerprovisioning-csp.md
new file mode 100644
index 0000000000..ff490d38c4
--- /dev/null
+++ b/windows/client-management/mdm/printerprovisioning-csp.md
@@ -0,0 +1,318 @@ +--- +title: PrinterProvisioning CSP +description: Learn more about the PrinterProvisioning CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/28/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# PrinterProvisioning CSP + + + + + + +The following list shows the PrinterProvisioning configuration service provider nodes: + +- ./User/Vendor/MSFT/PrinterProvisioning + - [UPPrinterInstalls](#upprinterinstalls) + - [{PrinterSharedID}](#upprinterinstallsprintersharedid) + - [CloudDeviceID](#upprinterinstallsprintersharedidclouddeviceid) + - [ErrorCode](#upprinterinstallsprintersharediderrorcode) + - [Install](#upprinterinstallsprintersharedidinstall) + - [PrinterSharedName](#upprinterinstallsprintersharedidprintersharedname) + - [Status](#upprinterinstallsprintersharedidstatus) + + + +## UPPrinterInstalls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls +``` + + + + +This setting will take the action on the specified user account to install or uninstall the specified printer. Install action is selected by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### UPPrinterInstalls/{PrinterSharedID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID} +``` + + + + +Identifies the Universal Print printer, by its Share ID, you wish to install on the targeted user account. The printer's Share ID can be found in the printer's properties via the Universal Print portal. **Note** the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: PrinterSharedID from the Universal Print system, which is used to discover and install Univeral Print printer | + + + + + + + + + +#### UPPrinterInstalls/{PrinterSharedID}/CloudDeviceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/CloudDeviceID +``` + + + + +Identifies the Universal Print printer, by its Printer ID, you wish to install on the targeted user account. The printer's Printer ID can be found in the printer's properties via the Universal Print portal. **Note** the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### UPPrinterInstalls/{PrinterSharedID}/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/ErrorCode +``` + + + + +HRESULT of the last installation returned code. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### UPPrinterInstalls/{PrinterSharedID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/Install +``` + + + + +Support async execute. Install Universal Print printer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + + + + + + +#### UPPrinterInstalls/{PrinterSharedID}/PrinterSharedName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/PrinterSharedName +``` + + + + +Identifies the Universal Print printer, by its Share Name, you wish to install on the targeted user account. The printer's Share Name can be found in the printer's properties via the Universal Print portal. **Note** the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### UPPrinterInstalls/{PrinterSharedID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/Status +``` + + + + +1 finished installation successfully, 2 installation in progress after receiving execute cmd, 4 installation failed, 8 installation initial status, 32 unknown (not used). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md new file mode 100644 index 0000000000..811b19bdc0 --- /dev/null +++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md 
@@ -0,0 +1,224 @@ +--- +title: PrinterProvisioning DDF file +description: View the XML file containing the device description framework (DDF) for the PrinterProvisioning configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + +# PrinterProvisioning DDF file + +The following XML file contains the device description framework (DDF) for the PrinterProvisioning configuration service provider. + +```xml + +]> + + 1.2 + + + + PrinterProvisioning + ./User/Vendor/MSFT + + + + + Printer Provisioning + + + + + + + + + + + + + + 10.0.22000, 10.0.19044.1806, 10.0.19043.1806, 10.0.19042.1806 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + UPPrinterInstalls + + + + + This setting will take the action on the specified user account to install or uninstall the specified printer. Install action is selected by default. + + + + + + + + + + + + + + + + + + + + + + + Identifies the Universal Print printer, by its Share ID, you wish to install on the targeted user account. The printer's Share ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + PrinterSharedID + + + + + PrinterSharedID from the Universal Print system, which is used to discover and install Univeral Print printer + + + + CloudDeviceID + + + + + + + + Identifies the Universal Print printer, by its Printer ID, you wish to install on the targeted user account. The printer's Printer ID can be found in the printer's properties via the Universal Print portal. 
Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + + + + + + + + + Install + + + + + + Support async execute. Install Universal Print printer. + + + + + + + + + + + + + + + + Status + + + + + 1 finished installation successfully, 2 installation in progress after receiving execute cmd, 4 installation failed, 8 installation initial status, 32 unknown (not used). + + + + + + + + + + + + + + + + ErrorCode + + + + + HRESULT of the last installation returned code. + + + + + + + + + + + + + + + + PrinterSharedName + + + + + + + + Identifies the Universal Print printer, by its Share Name, you wish to install on the targeted user account. The printer's Share Name can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + + + + + + + + + + + +``` + +## Related articles + +[PrinterProvisioning configuration service provider reference](printerprovisioning-csp.md) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 1f1ced6498..c341176e4b 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md 
@@ -1,79 +1,198 @@ --- title: Reboot CSP -description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings. -ms.reviewer: +description: Learn more about the Reboot CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # Reboot CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The Reboot configuration service provider is used to configure reboot settings. + -The following shows the Reboot configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. + +The following list shows the Reboot configuration service provider nodes: +- ./Device/Vendor/MSFT/Reboot + - [RebootNow](#rebootnow) + - [Schedule](#schedule) + - [DailyRecurrent](#scheduledailyrecurrent) + - [Single](#schedulesingle) + + + +## RebootNow + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Reboot/RebootNow ``` -./Device/Vendor/MSFT -Reboot -----RebootNow -----Schedule ---------Single ---------DailyRecurrent + + + + +This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. If this node is set to execute during a sync session, the device will reboot at the end of the sync session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + + + + + + +## Schedule + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Reboot/Schedule ``` + -**./Vendor/MSFT/Reboot** - -The root node for the Reboot configuration service provider. - + + The supported operation is Get. + -**RebootNow** + + + -This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. + +**Description framework properties**: -> [!NOTE] -> If this node is set to execute during a sync session, the device will reboot at the end of the sync session. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The supported operations are Execute and Get. + + + -**Schedule** + -The supported operation is Get. + +### Schedule/DailyRecurrent -**Schedule/Single** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required. -Example to configure: 2018-10-25T18:00:00 + +```Device +./Device/Vendor/MSFT/Reboot/Schedule/DailyRecurrent +``` + -Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00. + + +Value in ISO8601, time is required. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule. + -- The supported operations are Get, Add, Replace, and Delete. -- The supported data type is "String". + + + -**Schedule/DailyRecurrent** + +**Description framework properties**: -This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. -Example to configure: 2018-10-25T18:00:00 +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- The supported operations are Get, Add, Replace, and Delete. -- The supported data type is "String". + + + -## Related topics + -[Configuration service provider reference](index.yml) + +### Schedule/Single + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Reboot/Schedule/Single +``` + + + + +Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 0b5f03a5ba..a1f1988804 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md 
@@ -1,158 +1,157 @@ --- title: Reboot DDF file -description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # Reboot DDF file -This topic shows the OMA DM device description framework (DDF) for the **Reboot** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the Reboot configuration service provider. ```xml -]> +]> 1.2 + + + + Reboot + ./Device/Vendor/MSFT + + + + + The root node for the Reboot configuration service provider. + + + + + + + + + + + + + + 10.0.14393 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + RebootNow + + + + + + This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. If this node is set to execute during a sync session, the device will reboot at the end of the sync session. + + + + + + + + + + RebootNow + + + + + + + Schedule + + + + + The supported operation is Get. + + + + + + + + + + + + + - Reboot - ./Device/Vendor/MSFT + Single + + + + Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. 
Setting a null (empty) date will delete the existing schedule. - + - + + Single - + + + - - RebootNow - - - - - - - - - - - - - - - RebootNow - - text/plain - - - - - Schedule - - - - - - - - - - - - - - - - - - - Single - - - - - - - - Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule. - - - - - - - - - - Single - - text/plain - - - - - DailyRecurrent - - - - - - - - Value in ISO8601, time is required. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule. - - - - - - - - - - DailyRecurrent - - text/plain - - - - + + DailyRecurrent + + + + + + + + Value in ISO8601, time is required. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule. + + + + + + + + + + DailyRecurrent + + + + + + + + + - ``` -## Related topics - -[Reboot CSP](reboot-csp.md) - -  - -  - - - - - +## Related articles +[Reboot configuration service provider reference](reboot-csp.md) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index f1ad46c81f..89cac77fc9 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -1,104 +1,485 @@ --- title: RemoteWipe CSP -description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device. -ms.reviewer: +description: Learn more about the RemoteWipe CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2018 +ms.topic: reference --- + + + # RemoteWipe CSP -The table below shows the applicability of Windows: + + +The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. Enterprise IT Professionals can update these settings by using the Exchange Server. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the RemoteWipe configuration service provider nodes: -The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. 
+- ./Device/Vendor/MSFT/RemoteWipe + - [AutomaticRedeployment](#automaticredeployment) + - [doAutomaticRedeployment](#automaticredeploymentdoautomaticredeployment) + - [LastError](#automaticredeploymentlasterror) + - [Status](#automaticredeploymentstatus) + - [doWipe](#dowipe) + - [doWipeCloud](#dowipecloud) + - [doWipeCloudPersistProvisionedData](#dowipecloudpersistprovisioneddata) + - [doWipeCloudPersistUserData](#dowipecloudpersistuserdata) + - [doWipePersistProvisionedData](#dowipepersistprovisioneddata) + - [doWipePersistUserData](#dowipepersistuserdata) + - [doWipeProtected](#dowipeprotected) + -The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. + +## AutomaticRedeployment + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/AutomaticRedeployment ``` -./Vendor/MSFT -RemoteWipe -----doWipe -----doWipePersistProvisionedData -----doWipeProtected -----doWipePersistUserData -----AutomaticRedeployment ---------doAutomaticRedeployment ---------LastError ---------Status + + + + +Node for the Autopilot Reset operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### AutomaticRedeployment/doAutomaticRedeployment + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/AutomaticRedeployment/doAutomaticRedeployment ``` + -**doWipe** -Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. + + +Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. + -When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. + + + -Supported operation is Exec. + +**Description framework properties**: -**doWipePersistProvisionedData** -Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + -When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. + + + -Supported operation is Exec. + -The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + +### AutomaticRedeployment/LastError -**doWipeProtected** -Added in Windows 10, version 1703. 
Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. + +```Device +./Device/Vendor/MSFT/RemoteWipe/AutomaticRedeployment/LastError +``` + -Supported operation is Exec. + + +Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). + -**doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. + + + -**AutomaticRedeployment** -Added in Windows 10, version 1809. Node for the Autopilot Reset operation. + +**Description framework properties**: -**AutomaticRedeployment/doAutomaticRedeployment** -Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This node works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + -**AutomaticRedeployment/LastError** -Added in Windows 10, version 1809. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). + + + -**AutomaticRedeployment/Status** -Added in Windows 10, version 1809. Status value indicating current state of an Autopilot Reset operation. 
+ -Supported values: + +### AutomaticRedeployment/Status -- 0: Never run (not started). The default state. -- 1: Complete. -- 10: Reset has been scheduled. -- 20: Reset is scheduled and waiting for a reboot. -- 30: Failed during CSP Execute ("Exec" in SyncML). -- 40: Failed: power requirements not met. -- 50: Failed: reset internals failed during reset attempt. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/RemoteWipe/AutomaticRedeployment/Status +``` + -[Configuration service provider reference](index.yml) + + +Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt. + -  + + + -  + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + +## doWipe + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipe +``` + + + + +Exec on this node will perform a remote wipe on the device. The return status code shows whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. + + + + +A remote reset is equivalent to running **Reset this PC** > **Remove everything** from the **Settings** app, with **Clean Data** set to No and **Delete Files** set to Yes. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipeCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipeCloud +``` + + + + +Exec on this node will perform a cloud-based remote wipe on the device. The return status code shows whether the device accepted the Exec command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipeCloudPersistProvisionedData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipeCloudPersistProvisionedData +``` + + + + +Exec on this node will back up provisioning data to a persistent location and perform a cloud-based remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipeCloudPersistUserData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipeCloudPersistUserData +``` + + + + +Exec on this node will perform a cloud-based remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipePersistProvisionedData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipePersistProvisionedData +``` + + + + +Exec on this node will back up provisioning data to a persistent location and perform a remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + +Provisioning packages are persisted in `%SystemDrive%\ProgramData\Microsoft\Provisioning` directory. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipePersistUserData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipePersistUserData +``` + + + + +Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + + + + This setting is equivalent to selecting **Reset this PC** > **Keep my files** when manually starting a reset from the Settings app. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipeProtected + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipeProtected +``` + + + + +Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it's done. + + + + +> [!NOTE] +> Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 26bd073966..1bc56998aa 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md 
@@ -1,225 +1,319 @@ --- title: RemoteWipe DDF file -description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the RemoteWipe configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2018 +ms.topic: reference --- + + # RemoteWipe DDF file -This topic shows the OMA DM device description framework (DDF) for the **RemoteWipe** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the DDF for Windows 10, version 1809. +The following XML file contains the device description framework (DDF) for the RemoteWipe configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + RemoteWipe + ./Device/Vendor/MSFT + + + + + The root node for remote wipe function. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF; + + - RemoteWipe - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.1/MDM/RemoteWipe - - The root node for remote wipe function. - - - doWipe - - - - - - - - - - - - - - - text/plain - - Exec on this node will perform a remote wipe on the device. The return status code shows whether the device accepted the Exec command. - - - - doWipePersistProvisionedData - - - - - - - - - - - - - - - text/plain - - Exec on this node will back up provisioning data to a persistent location and perform a remote wipe on the device. 
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. - - - - doWipeProtected - - - - - - - - - - - - - - - text/plain - - Exec on this node will perform a remote wipe on the device, and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. - - - - doWipePersistUserData - - - - - - - - - - - - - - - text/plain - - Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. - - - - AutomaticRedeployment - - - - - - - - - - - - - - - - - - - doAutomaticRedeployment - - - - - - - - - - - - - - - - text/plain - - - - - LastError - - - - - 0 - Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). - - - - - - - - - - - text/plain - - - - - Status - - - - - 0 - Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt. - - - - - - - - - - - text/plain - - - - + doWipe + + + + + Exec on this node will perform a remote wipe on the device. The return status code shows whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
+ + + + + + + + + + + + + + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF; + + + + doWipePersistProvisionedData + + + + + Exec on this node will back up provisioning data to a persistent location and perform a remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + + + doWipeProtected + + + + + Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + doWipePersistUserData + + + + + Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + 10.0.16299 + 1.1 + + + + + doWipeCloud + + + + + Exec on this node will perform a cloud-based remote wipe on the device. The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + + doWipeCloudPersistUserData + + + + + Exec on this node will perform a cloud-based remote reset on the device and persist user accounts and data. 
The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + + doWipeCloudPersistProvisionedData + + + + + Exec on this node will back up provisioning data to a persistent location and perform a cloud-based remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + + AutomaticRedeployment + + + + + Node for the Autopilot Reset operation. + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + doAutomaticRedeployment + + + + + Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. + + + + + + + + + + + + + + + + LastError + + + + + 0 + Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). + + + + + + + + + + + + + + + + Status + + + + + 0 + Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt. + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[RemoteWipe CSP](remotewipe-csp.md) \ No newline at end of file +[RemoteWipe configuration service provider reference](remotewipe-csp.md) diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 13ec3d35cc..4375aed8a9 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md 
+++ b/windows/client-management/mdm/rootcacertificates-csp.md 
@@ -1,120 +1,3573 @@ --- title: RootCATrustedCertificates CSP -description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates. -ms.reviewer: +description: Learn more about the RootCATrustedCertificates CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/06/2018 +ms.topic: reference --- + + + # RootCATrustedCertificates CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates. -> [!Note] -> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**. +> [!NOTE] +> `./User` configuration is not supported for `RootCATrustedCertificates/Root`. + -The following example shows the RootCATrustedCertificates configuration service provider in tree format. 
+ +The following list shows the RootCATrustedCertificates configuration service provider nodes: -Detailed specification of the principal root nodes: +- ./Device/Vendor/MSFT/RootCATrustedCertificates + - [CA](#deviceca) + - [{CertHash}](#devicecacerthash) + - [EncodedCertificate](#devicecacerthashencodedcertificate) + - [IssuedBy](#devicecacerthashissuedby) + - [IssuedTo](#devicecacerthashissuedto) + - [TemplateName](#devicecacerthashtemplatename) + - [ValidFrom](#devicecacerthashvalidfrom) + - [ValidTo](#devicecacerthashvalidto) + - [OemEsim](#deviceoemesim) + - [{CertHash}](#deviceoemesimcerthash) + - [EncodedCertificate](#deviceoemesimcerthashencodedcertificate) + - [IssuedBy](#deviceoemesimcerthashissuedby) + - [IssuedTo](#deviceoemesimcerthashissuedto) + - [TemplateName](#deviceoemesimcerthashtemplatename) + - [ValidFrom](#deviceoemesimcerthashvalidfrom) + - [ValidTo](#deviceoemesimcerthashvalidto) + - [Root](#deviceroot) + - [{CertHash}](#devicerootcerthash) + - [EncodedCertificate](#devicerootcerthashencodedcertificate) + - [IssuedBy](#devicerootcerthashissuedby) + - [IssuedTo](#devicerootcerthashissuedto) + - [TemplateName](#devicerootcerthashtemplatename) + - [ValidFrom](#devicerootcerthashvalidfrom) + - [ValidTo](#devicerootcerthashvalidto) + - [TrustedPeople](#devicetrustedpeople) + - [{CertHash}](#devicetrustedpeoplecerthash) + - [EncodedCertificate](#devicetrustedpeoplecerthashencodedcertificate) + - [IssuedBy](#devicetrustedpeoplecerthashissuedby) + - [IssuedTo](#devicetrustedpeoplecerthashissuedto) + - [TemplateName](#devicetrustedpeoplecerthashtemplatename) + - [ValidFrom](#devicetrustedpeoplecerthashvalidfrom) + - [ValidTo](#devicetrustedpeoplecerthashvalidto) + - [TrustedPublisher](#devicetrustedpublisher) + - [{CertHash}](#devicetrustedpublishercerthash) + - [EncodedCertificate](#devicetrustedpublishercerthashencodedcertificate) + - [IssuedBy](#devicetrustedpublishercerthashissuedby) + - [IssuedTo](#devicetrustedpublishercerthashissuedto) + - 
[TemplateName](#devicetrustedpublishercerthashtemplatename) + - [ValidFrom](#devicetrustedpublishercerthashvalidfrom) + - [ValidTo](#devicetrustedpublishercerthashvalidto) + - [UntrustedCertificates](#deviceuntrustedcertificates) + - [{CertHash}](#deviceuntrustedcertificatescerthash) + - [EncodedCertificate](#deviceuntrustedcertificatescerthashencodedcertificate) + - [IssuedBy](#deviceuntrustedcertificatescerthashissuedby) + - [IssuedTo](#deviceuntrustedcertificatescerthashissuedto) + - [TemplateName](#deviceuntrustedcertificatescerthashtemplatename) + - [ValidFrom](#deviceuntrustedcertificatescerthashvalidfrom) + - [ValidTo](#deviceuntrustedcertificatescerthashvalidto) +- ./User/Vendor/MSFT/RootCATrustedCertificates + - [CA](#userca) + - [{CertHash}](#usercacerthash) + - [EncodedCertificate](#usercacerthashencodedcertificate) + - [IssuedBy](#usercacerthashissuedby) + - [IssuedTo](#usercacerthashissuedto) + - [TemplateName](#usercacerthashtemplatename) + - [ValidFrom](#usercacerthashvalidfrom) + - [ValidTo](#usercacerthashvalidto) + - [OemEsim](#useroemesim) + - [{CertHash}](#useroemesimcerthash) + - [EncodedCertificate](#useroemesimcerthashencodedcertificate) + - [IssuedBy](#useroemesimcerthashissuedby) + - [IssuedTo](#useroemesimcerthashissuedto) + - [TemplateName](#useroemesimcerthashtemplatename) + - [ValidFrom](#useroemesimcerthashvalidfrom) + - [ValidTo](#useroemesimcerthashvalidto) + - [TrustedPeople](#usertrustedpeople) + - [{CertHash}](#usertrustedpeoplecerthash) + - [EncodedCertificate](#usertrustedpeoplecerthashencodedcertificate) + - [IssuedBy](#usertrustedpeoplecerthashissuedby) + - [IssuedTo](#usertrustedpeoplecerthashissuedto) + - [TemplateName](#usertrustedpeoplecerthashtemplatename) + - [ValidFrom](#usertrustedpeoplecerthashvalidfrom) + - [ValidTo](#usertrustedpeoplecerthashvalidto) + - [TrustedPublisher](#usertrustedpublisher) + - [{CertHash}](#usertrustedpublishercerthash) + - [EncodedCertificate](#usertrustedpublishercerthashencodedcertificate) 
+ - [IssuedBy](#usertrustedpublishercerthashissuedby) + - [IssuedTo](#usertrustedpublishercerthashissuedto) + - [TemplateName](#usertrustedpublishercerthashtemplatename) + - [ValidFrom](#usertrustedpublishercerthashvalidfrom) + - [ValidTo](#usertrustedpublishercerthashvalidto) + - [UntrustedCertificates](#useruntrustedcertificates) + - [{CertHash}](#useruntrustedcertificatescerthash) + - [EncodedCertificate](#useruntrustedcertificatescerthashencodedcertificate) + - [IssuedBy](#useruntrustedcertificatescerthashissuedby) + - [IssuedTo](#useruntrustedcertificatescerthashissuedto) + - [TemplateName](#useruntrustedcertificatescerthashtemplatename) + - [ValidFrom](#useruntrustedcertificatescerthashvalidfrom) + - [ValidTo](#useruntrustedcertificatescerthashvalidto) + + + +## Device/CA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA ``` -./Vendor/MSFT -RootCATrustedCertificates -----Root ---------CertHash -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName -----CA ---------CertHash -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName -----TrustedPublisher ---------CertHash -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName -----TrustedPeople ---------CertHash -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName -``` -**Device or User** -For device certificates, use **./Device/Vendor/MSFT** path, and for user certificates use **./User/Vendor/MSFT** path. + -**RootCATrustedCertificates** -The root node for the RootCATrustedCertificates configuration service provider. - -**RootCATrustedCertificates/Root/** -Defines the certificate store that contains root or self-signed certificates, in this case, the computer store. - -> [!Note] -> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**. - -**RootCATrustedCertificates/CA** + + Node for CA certificates. + -**RootCATrustedCertificates/TrustedPublisher** -Node for trusted publisher certificates. + + + -**RootCATrustedCertificates/TrustedPeople** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/CA/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/CA/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/CA/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/CA/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/CA/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/CA/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/CA/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/OemEsim + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim +``` + + + + +Node for OEM eSIM certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/OemEsim/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/OemEsim/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/OemEsim/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/OemEsim/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/OemEsim/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/OemEsim/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/OemEsim/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/Root + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root +``` + + + + +Defines the certificate store that contains root, or self-signed certificates, in this case, the computer store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/Root/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | + + + + + + + + + +#### Device/Root/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/Root/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Root/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Root/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Root/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Root/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/TrustedPeople + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople +``` + + + + Node for trusted people certificates. + -**RootCATrustedCertificates/UntrustedCertificates** -Added in Windows 10, version 1803. Node for certificates that aren't trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + -**_CertHash_** -Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. This node is common for all the principal root nodes. The supported operations are Get and Delete. + +**Description framework properties**: -The following nodes are all common to the **_CertHash_** node: +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -- **/EncodedCertificate** -Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace. + + + -- **/IssuedBy** -Returns the name of the certificate issuer. This name is equivalent to the **Issuer** member in the CERT\_INFO data structure. The only supported operation is Get. + -- **/IssuedTo** -Returns the name of the certificate subject. This name is equivalent to the **Subject** member in the CERT\_INFO data structure. The only supported operation is Get. + +### Device/TrustedPeople/{CertHash} -- **/ValidFrom** -Returns the starting date of the certificate's validity. This date is equivalent to the **NotBefore** member in the CERT\_INFO data structure. The only supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- **/ValidTo** -Returns the expiration date of the certificate. This date is equivalent to the **NotAfter** member in the CERT\_INFO data structure. The only supported operation is Get. + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash} +``` + -- **/TemplateName** -Returns the certificate template name. The only supported operation is Get. + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + -## Related topics + + + -[Configuration service provider reference](index.yml) + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/TrustedPublisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher +``` + + + + +Node for trusted publisher certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/TrustedPublisher/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/UntrustedCertificates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates +``` + + + + +Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/UntrustedCertificates/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/CA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA +``` + + + + +Node for CA certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/CA/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/CA/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/CA/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/CA/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/CA/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/CA/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/CA/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/OemEsim + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim +``` + + + + +Node for OEM eSIM certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/OemEsim/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/OemEsim/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/OemEsim/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/OemEsim/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/OemEsim/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/OemEsim/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/OemEsim/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/TrustedPeople + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople +``` + + + + +Node for trusted people certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/TrustedPeople/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/TrustedPublisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher +``` + + + + +Node for trusted publisher certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/TrustedPublisher/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/UntrustedCertificates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates +``` + + + + +Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/UntrustedCertificates/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index 9f73b6023a..d12b3ffc21 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md 
@@ -1,1990 +1,2284 @@ --- title: RootCATrustedCertificates DDF file -description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the RootCATrustedCertificates configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/07/2018 +ms.topic: reference --- + + # RootCATrustedCertificates DDF file -This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the RootCATrustedCertificates configuration service provider. ```xml -]> +]> 1.2 + + + + RootCATrustedCertificates + ./User/Vendor/MSFT + + + + + The root node for the RootCATrustedCertificates configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + CA + + + + + Node for CA certificates. + + + + + + + + + + + + + + + + - RootCATrustedCertificates - ./User/Vendor/MSFT + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value - + - + + CertHash - com.microsoft/1.1/MDM/RootCATrustedCertificates + + + + + + Defines the SHA1 hash for the certificate. 
The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + - Root + EncodedCertificate + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - + - + - - - - + + + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - CA + IssuedBy + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - + - + - - - - + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. 
- - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - text/plain - - - - - TrustedPublisher + IssuedTo + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - + - + - - - - + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. 
- - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - TrustedPeople + ValidFrom + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - + - + - - - - + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. 
- - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - UntrustedCertificates + ValidTo + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure - + - + - - - - + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. 
- - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - + + + OemEsim + + + + + Node for OEM eSIM certificates. + + + + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + - RootCATrustedCertificates - ./Device/Vendor/MSFT + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value - + - + + CertHash - com.microsoft/1.1/MDM/RootCATrustedCertificates + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + - Root + EncodedCertificate + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - + - + + + + - - - + + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. 
- - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - CA + IssuedBy + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - + - + + + + - - - - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - text/plain - - - - - TrustedPublisher + IssuedTo + Returns the name of the certificate subject. 
This is equivalent to the Subject member in the CERT_INFO data structure. - + - + + + + - - - - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - TrustedPeople + ValidFrom + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - + - + + + + - - - - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. 
The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - UntrustedCertificates + ValidTo + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure - + - + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + - - - - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. 
- - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - + + + TrustedPublisher + + + + + Node for trusted publisher certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. 
This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + TrustedPeople + + + + + Node for trusted people certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. 
+ + + + + + + + + + + + + + + + + + + + + UntrustedCertificates + + + + + Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + + RootCATrustedCertificates + ./Device/Vendor/MSFT + + + + + The root node for the RootCATrustedCertificates configuration service provider. 
+ + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Root + + + + + Defines the certificate store that contains root, or self-signed certificates, in this case, the computer store. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + CA + + + + + Node for CA certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. 
The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + OemEsim + + + + + Node for OEM eSIM certificates. + + + + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. 
The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + TrustedPublisher + + + + + Node for trusted publisher certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. 
This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + TrustedPeople + + + + + Node for trusted people certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. 
This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + UntrustedCertificates + + + + + Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. 
+ + + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[RootCATrustedCertificates CSP](rootcacertificates-csp.md) \ No newline at end of file +[RootCATrustedCertificates configuration service provider reference](rootcacertificates-csp.md) diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index 9ec9fb7703..b899a7c5ee 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md 
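Review bot: The rewritten intro at the top of this hunk drops both the statement of which Windows release the DDF reflects and the link to the DDF download page, so a reader now has only the per-node version values buried in the XML (10.0.10586 at the root, 10.0.17134 for UntrustedCertificates, 10.0.22000 for OemEsim) to judge applicability. Consider keeping a pointer after the new intro sentence, for example `Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).`, since the file is otherwise only usable by scrolling the full XML. On the new side the per-certificate descriptions are also inconsistent: every ValidTo text ends without a period (`...NotAfter member in the CERT_INFO structure`) while ValidFrom ends with one, and the first CertHash description under each store omits the period the second one has. The UntrustedCertificates description reads `...certificates that have been compromised and no longer usable.` and should read `...and are no longer usable.`; given that store's purpose, its text is the one admins are most likely to rely on. If this XML is produced from the CSP source rather than hand-edited, these wording fixes presumably belong upstream so they are not lost on the next regeneration.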
@@ -1,194 +1,875 @@ --- title: SharedPC CSP -description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. -ms.reviewer: +description: Learn more about the SharedPC CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2022 +ms.topic: reference --- + + + # SharedPC CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The SharedPC configuration service provider is used to configure settings for Shared PC usage. + -The following example shows the SharedPC configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. 
+ +The following list shows the SharedPC configuration service provider nodes: + +- ./Vendor/MSFT/SharedPC + - [AccountModel](#accountmodel) + - [DeletionPolicy](#deletionpolicy) + - [DiskLevelCaching](#disklevelcaching) + - [DiskLevelDeletion](#diskleveldeletion) + - [EnableAccountManager](#enableaccountmanager) + - [EnableSharedPCMode](#enablesharedpcmode) + - [EnableSharedPCModeWithOneDriveSync](#enablesharedpcmodewithonedrivesync) + - [EnableWindowsInsiderPreviewFlighting](#enablewindowsinsiderpreviewflighting) + - [InactiveThreshold](#inactivethreshold) + - [KioskModeAUMID](#kioskmodeaumid) + - [KioskModeUserTileDisplayText](#kioskmodeusertiledisplaytext) + - [MaintenanceStartTime](#maintenancestarttime) + - [MaxPageFileSizeMB](#maxpagefilesizemb) + - [RestrictLocalStorage](#restrictlocalstorage) + - [SetEduPolicies](#setedupolicies) + - [SetPowerPolicies](#setpowerpolicies) + - [SignInOnResume](#signinonresume) + - [SleepTimeout](#sleeptimeout) + + + +## AccountModel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/AccountModel ``` -./Vendor/MSFT -SharedPC -----EnableSharedPCMode -----EnableSharedPCModeWithOneDriveSync -----SetEduPolicies -----SetPowerPolicies -----MaintenanceStartTime -----SignInOnResume -----SleepTimeout -----EnableAccountManager -----AccountModel -----DeletionPolicy -----DiskLevelDeletion -----DiskLevelCaching -----RestrictLocalStorage -----KioskModeAUMID -----KioskModeUserTileDisplayText -----InactiveThreshold -----MaxPageFileSizeMB + + + + +Configures which type of accounts are allowed to use the PC. Allowed values: 0 (only guest), 1 (domain-joined only), 2 (domain-joined and guest). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Only guest accounts are allowed. | +| 1 | Only domain-joined accounts are allowed. | +| 2 | Domain-joined and guest accounts are allowed. | + + + + + + + + + +## DeletionPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/DeletionPolicy ``` -**./Vendor/MSFT/SharedPC** -The root node for the SharedPC configuration service provider. + -The supported operation is Get. + + +Configures when accounts will be deleted. Allowed values: 0 (delete immediately), 1 (delete at disk space threshold), 2 (Delete at disk space threshold and inactive threshold). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + -**EnableSharedPCMode** -A boolean value that specifies whether Shared PC mode is enabled. + + + -The supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -Setting this value to True triggers the action to configure a device to Shared PC mode. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -The default value is Not Configured and SharedPC mode is not enabled. + +**Allowed values**: -**EnableSharedPCModeWithOneDriveSync** -Setting this node to true triggers the action to configure a device to Shared PC mode with OneDrive sync turned on. +| Value | Description | +|:--|:--| +| 0 | Delete immediately. | +| 1 (Default) | Delete at disk space threshold. | +| 2 | Delete at disk space threshold and inactive threshold. | + -The supported operations are Add, Get, Replace, and Delete. + + + -The default value is false. + -**SetEduPolicies** + +## DiskLevelCaching + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/DiskLevelCaching +``` + + + + +Stop deleting accounts when available disk space reaches this threshold, given as percent of total disk capacity. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 50 | + + + + + + + + + +## DiskLevelDeletion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/DiskLevelDeletion +``` + + + + +Accounts will start being deleted when available disk space falls below this threshold, given as percent of total disk capacity. Accounts that have been inactive the longest will be deleted first. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + +For example, if the DiskLevelCaching is set to 50 and the DiskLevelDeletion is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under half of the deletion threshold and disk space is low, regardless of whether the PC is actively in use or not. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 25 | + + + + + + + + + +## EnableAccountManager + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/EnableAccountManager +``` + + + + +Enable the account manager for shared PC mode. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + + + + + + + + + +## EnableSharedPCMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/EnableSharedPCMode +``` + + + + +Setting this node to "true" triggers the action to configure a device to Shared PC mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | Enabled. | + + + + + + + + + +## EnableSharedPCModeWithOneDriveSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync +``` + + + + +Setting this node to "1" triggers the action to configure a device to Shared PC mode with OneDrive sync turned on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | Enabled. | + + + + + + + + + +## EnableWindowsInsiderPreviewFlighting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/SharedPC/EnableWindowsInsiderPreviewFlighting +``` + + + + +Setting this node to "1" enables Windows Insider Preview flighting and the ability to receive insider preview builds. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | WIP builds are Enabled. | + + + + + + + + + +## InactiveThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/InactiveThreshold +``` + + + + +Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 30 | + + + + + + + + + +## KioskModeAUMID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/KioskModeAUMID +``` + + + + +Specifies the AUMID of the app to use with assigned access. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## KioskModeUserTileDisplayText + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText +``` + + + + +Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## MaintenanceStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/MaintenanceStartTime +``` + + + + +Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1440]` | +| Default Value | 0 | + + + + + + + + + +## MaxPageFileSizeMB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/MaxPageFileSizeMB +``` + + + + +Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-32768]` | +| Default Value | 1024 | + + + + + + + + + +## RestrictLocalStorage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/RestrictLocalStorage +``` + + + + +Restricts the user from using local storage. This node is optional. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + + + + + + + + + +## SetEduPolicies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/SetEduPolicies +``` + + + + +Set a list of EDU policies. + + + + A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment. + -The supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -The default value is Not Configured. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + -**SetPowerPolicies** -A boolean value that specifies that the power policies should be set when configuring SharedPC mode. + +**Allowed values**: -The supported operations are Add, Get, Replace, and Delete. +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | Enabled. | + -The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True. + + + -**MaintenanceStartTime** -An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. + -The supported operations are Add, Get, Replace, and Delete. + +## SetPowerPolicies -The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -**SignInOnResume** -A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. + +```Device +./Vendor/MSFT/SharedPC/SetPowerPolicies +``` + -The supported operations are Add, Get, Replace, and Delete. + + +Set a list of power policies. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + -The default value is Not Configured and its value in the SharedPC provisioning package is True. + + +The default value is Not Configured and the effective power settings are determined by the OS's default power settings. + -**SleepTimeout** -The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. + +**Description framework properties**: -The supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + -The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in SharedPC provisioning package is 300. + +**Allowed values**: -**EnableAccountManager** -A boolean that enables the account manager for shared PC mode. +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | Enabled. | + -The supported operations are Add, Get, Replace, and Delete. + + + -The default value is Not Configured and its value in the SharedPC provisioning package is True. + -**AccountModel** -Configures which type of accounts are allowed to use the PC. + +## SignInOnResume -The supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -The following list shows the supported values: + +```Device +./Vendor/MSFT/SharedPC/SignInOnResume +``` + -- 0 (default) - Only guest accounts are allowed. -- 1 - Only domain-joined accounts are enabled. -- 2 - Domain-joined and guest accounts are allowed. + + +Require signing in on waking up from sleep. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + -Its value in the SharedPC provisioning package is 1 or 2. + + + -**DeletionPolicy** -Configures when accounts are deleted. + +**Description framework properties**: -The supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + -This is the list of supported values: + +**Allowed values**: -- 0 - Delete immediately. -- 1 - Delete at disk space threshold. -- 2 - Delete at disk space threshold and inactive threshold. +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + -The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2. + + + -**DiskLevelDeletion** -Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first. + -The default value is Not Configured. Its default value in the SharedPC provisioning package is 25. + +## SleepTimeout -For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. 
When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under half of the deletion threshold and disk space is low, regardless of whether the PC is actively in use or not. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -The supported operations are Add, Get, Replace, and Delete. + +```Device +./Vendor/MSFT/SharedPC/SleepTimeout +``` + -**DiskLevelCaching** -Sets the percentage of available disk space a PC should have before it stops deleting cached accounts. + + +The amount of time before the PC sleeps, giving in seconds. 0 means the PC never sleeps. Default is 5 minutes. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + -The default value is Not Configured. The default value in the SharedPC provisioning package is 25. + + + -For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under the deletion threshold and disk space is low, regardless whether the PC is actively in use or not. + +**Description framework properties**: -The supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 300 | + -**RestrictLocalStorage** -Restricts the user from using local storage. + + + -The default value is Not Configured. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False. + -**KioskModeAUMID** -Specifies the AUMID of the app to use with assigned access. + + + -- Value type is string. -- Supported operations are Add, Get, Replace, and Delete. 
+ -**KioskModeUserTileDisplayText** -Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. +## Related articles -Value type is string. Supported operations are Add, Get, Replace, and Delete. - -**InactiveThreshold** -Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days. - -- The default value is Not Configured. -- Value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - -The default in the SharedPC provisioning package is 30. - -**MaxPageFileSizeMB** -Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. - -- Default value is Not Configured. -- Value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - -The default in the SharedPC provisioning package is 1024. - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 764d14a202..0fc3249c8c 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md 
@@ -1,473 +1,683 @@ --- title: SharedPC DDF file -description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the SharedPC configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # SharedPC DDF file -This topic shows the OMA DM device description framework (DDF) for the **SharedPC** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the DDF for Windows 10, version 1703. +The following XML file contains the device description framework (DDF) for the SharedPC configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + SharedPC + ./Vendor/MSFT + + + + + The root node for the SharedPC configuration service provider. + + + + + + + + + + + + + + 10.0.14393 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - SharedPC - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.1/MDM/SharedPC - - - - EnableSharedPCMode - - - - - - false - Setting this node to "true" triggers the action to configure a device to Shared PC mode. - - - - - - - - - - Enable shared PC mode - - text/plain - - - - - EnableSharedPCModeWithOneDriveSync - - - - - - - - false - Setting this node to "1" triggers the action to configure a device to Shared PC mode with OneDrive sync turned on - - - - - - - - - - Enable Shared PC mode with OneDrive sync - - - - - - - SetEduPolicies - - - - - - false - Set a list of EDU policies. 
- - - - - - - - - - Set EDU policies - - text/plain - - - - - SetPowerPolicies - - - - - - true - Specify that the power policies should be set when configuring SharedPC mode. This node is optional. - - - - - - - - - - Set power policies - - text/plain - - - - - MaintenanceStartTime - - - - - - 0 - Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). This node is optional. - - - - - - - - - - Maintenance start time - - text/plain - - - - - SignInOnResume - - - - - - true - Require signing in on waking up from sleep. This node is optional. - - - - - - - - - - Sign-in on resume - - text/plain - - - - - SleepTimeout - - - - - - 300 - The amount of time before the PC sleeps, given in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. - - - - - - - - - - Sleep timeout - - text/plain - - - - - EnableAccountManager - - - - - - true - Enable the account manager for shared PC mode. - - - - - - - - - - Enable account manager - - text/plain - - - - - AccountModel - - - - - - 0 - Configures which type of accounts are allowed to use the PC. Allowed values: 0 (only guest), 1 (domain-joined only), 2 (domain-joined and guest). - - - - - - - - - - Account model - - text/plain - - - - - DeletionPolicy - - - - - - 1 - Configures when accounts will be deleted. Allowed values: 0 (delete immediately), 1 (delete at disk space threshold). - - - - - - - - - - Account deletion policy - - text/plain - - - - - DiskLevelDeletion - - - - - - 25 - Accounts will start being deleted when available disk space falls below this threshold, given as percent of total disk capacity. Accounts that have been inactive the longest will be deleted first. - - - - - - - - - - Disk space threshold for account deletion - - text/plain - - - - - DiskLevelCaching - - - - - - 50 - Stop deleting accounts when available disk space reaches this threshold, given as percent of total disk capacity. 
- - - - - - - - - - Disk space threshold for account caching - - text/plain - - - - - RestrictLocalStorage - - - - - - true - Restricts the user from using local storage. This node is optional. - - - - - - - - - - Restrict local storage - - text/plain - - - - - KioskModeAUMID - - - - - - Specifies the AUMID of the app to use with assigned access. This node is optional. - - - - - - - - - - Kiosk mode AUMID - - text/plain - - - - - KioskModeUserTileDisplayText - - - - - - Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional. - - - - - - - - - - Kiosk mode user tile display text - - text/plain - - - - - InactiveThreshold - - - - - - 30 - Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. - - - - - - - - - - Account inactive threshold - - text/plain - - - - - MaxPageFileSizeMB - - - - - - 1024 - Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. - - - - - - - - - - Maximum PageFile size - - text/plain - - - + EnableSharedPCMode + + + + + + + + false + Setting this node to "true" triggers the action to configure a device to Shared PC mode. + + + + + + + + + + Enable shared PC mode + + + + + + false + Not configured + + + true + Enabled + + + + + EnableSharedPCModeWithOneDriveSync + + + + + + + + false + Setting this node to “1” triggers the action to configure a device to Shared PC mode with OneDrive sync turned on + + + + + + + + + + Enable Shared PC mode with OneDrive sync + + + + + 10.0.22621 + 1.2 + + + + false + Not configured + + + true + Enabled + + + + + + EnableWindowsInsiderPreviewFlighting + + + + + + + + false + Setting this node to “1” enables Windows Insider Preview flighting and the ability to receive insider preview builds. 
+ + + + + + + + + + Enable WIP Flighting + + + + + 10.0.22621 + 1.2 + + + + false + Not configured + + + true + WIP builds are Enabled + + + + + + SetEduPolicies + + + + + + + + false + Set a list of EDU policies. + + + + + + + + + + Set EDU policies + + + + + + false + Not configured + + + true + Enabled + + + + + + SetPowerPolicies + + + + + + + + false + Set a list of power policies. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Set power policies + + + + + + false + Not configured + + + true + Enabled + + + + + + MaintenanceStartTime + + + + + + + + 0 + Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Maintenance start time + + + + + [0-1440] + + + + + SignInOnResume + + + + + + + + false + Require signing in on waking up from sleep. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Sign-in on resume + + + + + + false + False + + + true + True + + + + + + SleepTimeout + + + + + + + + 300 + The amount of time before the PC sleeps, giving in seconds. 0 means the PC never sleeps. Default is 5 minutes. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Sleep timeout + + + + + [0-4294967295] + + + + + EnableAccountManager + + + + + + + + false + Enable the account manager for shared PC mode. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Enable account manager + + + + + + false + False + + + true + True + + + + + + AccountModel + + + + + + + + 0 + Configures which type of accounts are allowed to use the PC. Allowed values: 0 (only guest), 1 (domain-joined only), 2 (domain-joined and guest). 
If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Account model + + + + + + 0 + Only guest accounts are allowed. + + + 1 + Only domain-joined accounts are allowed. + + + 2 + Domain-joined and guest accounts are allowed. + + + + + + DeletionPolicy + + + + + + + + 1 + Configures when accounts will be deleted. Allowed values: 0 (delete immediately), 1 (delete at disk space threshold), 2 (Delete at disk space threshold and inactive threshold). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Account deletion policy + + + + + + 0 + Delete immediately. + + + 1 + Delete at disk space threshold + + + 2 + Delete at disk space threshold and inactive threshold + + + + + + DiskLevelDeletion + + + + + + + + 25 + Accounts will start being deleted when available disk space falls below this threshold, given as percent of total disk capacity. Accounts that have been inactive the longest will be deleted first. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Disk space threshold for account deletion + + + + + [0-100] + + + + + DiskLevelCaching + + + + + + + + 50 + Stop deleting accounts when available disk space reaches this threshold, given as percent of total disk capacity. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Disk space threshold for account caching + + + + + [0-100] + + + + + RestrictLocalStorage + + + + + + + + false + Restricts the user from using local storage. This node is optional. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Restrict local storage + + + + + 10.0.15063 + 1.1 + + + + false + False + + + true + True + + + + + + KioskModeAUMID + + + + + + + + Specifies the AUMID of the app to use with assigned access. 
If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Kiosk mode AUMID + + + + + 10.0.15063 + 1.1 + + + + + + + KioskModeUserTileDisplayText + + + + + + + + Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Kiosk mode user tile display text + + + + + 10.0.15063 + 1.1 + + + + + + + InactiveThreshold + + + + + + + + 30 + Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. + + + + + + + + + + Account inactive threshold + + + + + 10.0.15063 + 1.1 + + + [0-4294967295] + + + + + MaxPageFileSizeMB + + + + + + + + 1024 + Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Maximum PageFile size + + + + + 10.0.15063 + 1.1 + + + [0-32768] + + + + ``` -## Related topics - -[SharedPC configuration service provider](sharedpc-csp.md) - -  - -  - - - - - +## Related articles +[SharedPC configuration service provider reference](sharedpc-csp.md) diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index a14b9afd32..e77c419631 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md 
@@ -1,29 +1,22 @@ --- title: SUPL CSP -description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client. -ms.reviewer: +description: Learn more about the SUPL CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/12/2019 +ms.topic: reference --- + + + # SUPL CSP -The SUPL configuration service provider is used to configure the location client, as shown in the following: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type 
@@ -43,264 +36,1625 @@ The SUPL configuration service provider is used to configure the location client - The positioning method used by the MPC for non-trusted mode. The SUPL or V2 UPL connection will be reconfigured every time the device is rebooted. A new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools. When the device is in roaming mode, it reverts to Mobile Station Standalone mode, in which only the built–in Microsoft location components are used. + -The following example shows the SUPL configuration service provider management object in tree format as used by OMA DM and OMA Client Provisioning. + +The following list shows the SUPL configuration service provider nodes: -> [!NOTE] -> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.  +- ./Vendor/MSFT//SUPL + - [SUPL1](#supl1) + - [Addr](#supl1addr) + - [AppID](#supl1appid) + - [Ext](#supl1ext) + - [Microsoft](#supl1extmicrosoft) + - [FullVersion](#supl1extmicrosoftfullversion) + - [HighAccPositioningMethod](#supl1extmicrosofthighaccpositioningmethod) + - [LocMasterSwitchDependencyNII](#supl1extmicrosoftlocmasterswitchdependencynii) + - [MCCMNCPairs](#supl1extmicrosoftmccmncpairs) + - [NIDefaultTimeout](#supl1extmicrosoftnidefaulttimeout) + - [RootCertificate](#supl1extmicrosoftrootcertificate) + - [Data](#supl1extmicrosoftrootcertificatedata) + - [Name](#supl1extmicrosoftrootcertificatename) + - [RootCertificate2](#supl1extmicrosoftrootcertificate2) + - [Data](#supl1extmicrosoftrootcertificate2data) + - [Name](#supl1extmicrosoftrootcertificate2name) + - [RootCertificate3](#supl1extmicrosoftrootcertificate3) + - [Data](#supl1extmicrosoftrootcertificate3data) + - [Name](#supl1extmicrosoftrootcertificate3name) + - [RootCertificate4](#supl1extmicrosoftrootcertificate4) + - [Data](#supl1extmicrosoftrootcertificate4data) + - 
[Name](#supl1extmicrosoftrootcertificate4name) + - [RootCertificate5](#supl1extmicrosoftrootcertificate5) + - [Data](#supl1extmicrosoftrootcertificate5data) + - [Name](#supl1extmicrosoftrootcertificate5name) + - [RootCertificate6](#supl1extmicrosoftrootcertificate6) + - [Data](#supl1extmicrosoftrootcertificate6data) + - [Name](#supl1extmicrosoftrootcertificate6name) + - [ServerAccessInterval](#supl1extmicrosoftserveraccessinterval) + - [Version](#supl1extmicrosoftversion) + - [V2UPL1](#v2upl1) + - [ApplicationTypeIndicator_MR](#v2upl1applicationtypeindicator_mr) + - [LocMasterSwitchDependencyNII](#v2upl1locmasterswitchdependencynii) + - [MPC](#v2upl1mpc) + - [NIDefaultTimeout](#v2upl1nidefaulttimeout) + - [PDE](#v2upl1pde) + - [PositioningMethod_MR](#v2upl1positioningmethod_mr) + - [ServerAccessInterval](#v2upl1serveraccessinterval) + -```console -./Vendor/MSFT/ -SUPL -----SUPL1 ---------AppID ---------Addr ---------Ext -------------Microsoft -----------------Version -----------------MCCMNPairs -----------------HighAccPositioningMethod -----------------LocMasterSwitchDependencyNII -----------------NIDefaultTimeout -----------------ServerAccessInterval -----------------RootCertificate ---------------------Name ---------------------Data -----------------RootCertificate2 ---------------------Name ---------------------Data -----------------RootCertificate3 ---------------------Name ---------------------Data -----V2UPL1 ---------MPC ---------PDE ---------PositioningMethod_MR ---------LocMasterSwitchDependencyNII ---------ApplicationTypeIndicator_MR ---------NIDefaultTimeout ---------ServerAccessInterval + +## SUPL1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1 ``` + -**SUPL1** + + Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + -**AppID** -Required. The AppID for SUPL is automatically set to `"ap0004"`. This value is a read-only value. + + + -**Addr** -Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format *server*: *port*. + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### SUPL1/Addr + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Addr +``` + + + + +Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format server: port. + + + + If this value isn't specified, the device infers the H-SLP address from the IMSI as defined in the SUPL standard. To use automatic generation of the H-SLP address based on the IMSI, the MNC length must be set correctly on the UICC. Generally, this value is 2 or 3. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned. But the configuration service provider will continue processing the rest of the parameters. + -**Version** -Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator. + +**Description framework properties**: -**FullVersion** -Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + -**MCCMNCPairs** -Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL. + + + + + + +### SUPL1/AppID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/AppID +``` + + + + +Required. The AppID for SUPL is automatically set to "ap0004". This is a read-only value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### SUPL1/Ext + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### SUPL1/Ext/Microsoft + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### SUPL1/Ext/Microsoft/FullVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/FullVersion +``` + + + + +Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Allowed Values | Regular Expression: `^(\d+\.)?(\d+\.)?(\*|\d+)$` | +| Default Value | 1.0.0 | + + + + + + + + + +##### SUPL1/Ext/Microsoft/HighAccPositioningMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/HighAccPositioningMethod +``` + + + + +Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + + + +> [!IMPORTANT] +> The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection and ephemeris data) from the Microsoft Positioning Service. | +| 1 | Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device. | +| 2 | Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device. | +| 3 | Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services. | +| 4 | OTDOA. | +| 5 | AFLT. 
| + + + + + + + + + +##### SUPL1/Ext/Microsoft/LocMasterSwitchDependencyNII + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/LocMasterSwitchDependencyNII +``` + + + + +This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. **Note** that most clients do not support this behavior. This value manages the settings for both SUPL and v2 UPL. If a phone is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + + + +| Location toggle setting | LocMasterSwitchDependencyNII setting | NI request processing allowed | +|-------------------------|--------------------------------------|------------------------------------| +| On | 0 | Yes | +| On | 1 | Yes | +| Off | 0 | Yes | +| Off | 1 | No (unless privacyOverride is set) | + +When the location toggle is set to Off and this value is set to 1, the following application requests will fail: + +- `noNotificationNoVerification` +- `notificationOnly` +- `notificationAndVerficationAllowedNA` +- `notificationAndVerficationDeniedNA` + +However, if `privacyOverride` is set in the message, the location will be returned. + +When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. + +For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | The NI behavior is independent from the current location toggle setting. | +| true (Default) | The NI behavior follows the current location toggle setting. | + + + + + + + + + +##### SUPL1/Ext/Microsoft/MCCMNCPairs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/MCCMNCPairs +``` + + + + +Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the phone uses the default location service and does not use SUPL. + + + + This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC. For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + -**HighAccPositioningMethod** -Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers: + +**Description framework properties**: -|Value|Description| -|--- |--- | -|0|None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection and ephemeris data) from the Microsoft Positioning Service.| -|1|Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device.| -|2|Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device.| -|3|Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services.| -|4|OTDOA| -|5|AFLT| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + -The default is 0. 
The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. + + + -> [!IMPORTANT] -> The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes. + -For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +##### SUPL1/Ext/Microsoft/NIDefaultTimeout -**LocMasterSwitchDependencyNII** -Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/NIDefaultTimeout +``` + -|Location toggle setting|LocMasterSwitchDependencyNII setting|NI request processing allowed| -|--- |--- |--- | -|On|0|Yes| -|On|1|Yes| -|Off|0|Yes| -|Off|1|No (unless privacyOverride is set)| + + +Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + -When the location toggle is set to Off and this value is set to 1, the following application requests will fail: + + + -- `noNotificationNoVerification` + +**Description framework properties**: -- `notificationOnly` +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 30 | + -- `notificationAndVerficationAllowedNA` + + + -- `notificationAndVerficationDeniedNA` + -However, if `privacyOverride` is set in the message, the location will be returned. + +##### SUPL1/Ext/Microsoft/RootCertificate -When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate +``` + -**NIDefaultTimeout** -Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + + +Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + -This value manages the settings for SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. + + + -**ServerAccessInterval** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate2 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate2/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate2/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate2/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate2/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate3 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate3/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate3/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate3/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate3/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate4 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate4/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate4/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate4/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate4/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate5 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate5 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate5/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate5/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate5/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate5/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate6 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate6 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate6/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate6/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate6/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate6/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/ServerAccessInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/ServerAccessInterval +``` + + + + Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + -**RootCertificate** -Required. Specifies the root certificate for the H-SLP server. Windows doesn't support a non-secure mode. If this node isn't included, the configuration service provider will fail but may not return a specific error. + + + -**RootCertificate/Name** -Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**Description framework properties**: -**RootCertificate/Data** -The base 64 encoded blob of the H-SLP root certificate. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 60 | + -**RootCertificate2** -Specifies the root certificate for the H-SLP server. + + + -**RootCertificate2/Name** -Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + -**RootCertificate2/Data** -The base 64 encoded blob of the H-SLP root certificate. + +##### SUPL1/Ext/Microsoft/Version -**RootCertificate3** -Specifies the root certificate for the H-SLP server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**RootCertificate3/Name** -Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/Version +``` + -**RootCertificate3/Data** -The base 64 encoded blob of the H-SLP root certificate. + + +Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define minor verison and service indicator. + -**RootCertificate4** -Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. + + + -**RootCertificate4/Name** -Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**Description framework properties**: -**RootCertificate4/Data** -Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[1-2]` | +| Default Value | 1 | + -**RootCertificate5** -Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. + + + -**RootCertificate5/Name** -Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + -**RootCertificate5/Data** -Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. + +## V2UPL1 -**RootCertificate6** -Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**RootCertificate6/Name** -Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +```Device +./Vendor/MSFT//SUPL/V2UPL1 +``` + -**RootCertificate6/Data** -Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. - -**V2UPL1** + + Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. + -**MPC** -Optional. Specifies the address of the mobile positioning center (MPC), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + + + -**PDE** -Optional. Specifies the address of the Position Determination Entity (PDE), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter must be empty. + +**Description framework properties**: -**PositioningMethod\_MR** -Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers: +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -|Value|Description| -|--- |--- | -|0|None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection, and ephemeris data) from the Microsoft Positioning Service.| -|1|Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device.| -|2|Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. 
All position calculations are done in the device.| -|3|Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services.| -|4|AFLT| + + + -The default is 0. The default method provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. + -> [!IMPORTANT] -> The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. + +### V2UPL1/ApplicationTypeIndicator_MR -  -For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**LocMasterSwitchDependencyNII** -Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA devices, this value must be set to 1. The default value is 1. + +```Device +./Vendor/MSFT//SUPL/V2UPL1/ApplicationTypeIndicator_MR +``` + -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. + + +Required. This value must always be set to 00000011. + -|Location toggle setting|LocMasterSwitchDependencyNII setting|NI request processing allowed| -|--- |--- |--- | -|On|0|Yes| -|On|1|Yes| -|Off|0|Yes| -|Off|1|No (unless privacyOverride is set)| + + + -When the location toggle is set to Off and this value is set to 1, the following application requests will fail: + +**Description framework properties**: -- `noNotificationNoVerification` +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -- `notificationOnly` + + + -- `notificationAndVerficationAllowedNA` + -- `notificationAndVerficationDeniedNA` + +### V2UPL1/LocMasterSwitchDependencyNII -However, if `privacyOverride` is set in the message, the location will be returned. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. + +```Device +./Vendor/MSFT//SUPL/V2UPL1/LocMasterSwitchDependencyNII +``` + -For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + +Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA phones, this value must be set to 1. The default value is 1. + -**ApplicationTypeIndicator\_MR** -Required. This value must always be set to `00000011`. + + + -**NIDefaultTimeout** -Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + +**Description framework properties**: -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + -**ServerAccessInterval** + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | The NI behavior is independent from the current location toggle setting. | +| true (Default) | The NI behavior follows the current location toggle setting. 
| + + + + + + + + + +### V2UPL1/MPC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/MPC +``` + + + + +Optional. The address of the mobile positioning center (MPC), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### V2UPL1/NIDefaultTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/NIDefaultTimeout +``` + + + + +Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 30 | + + + + + + + + + +### V2UPL1/PDE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/PDE +``` + + + + +Optional. The address of the Position Determination Entity (PDE), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter must be empty. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### V2UPL1/PositioningMethod_MR + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/PositioningMethod_MR +``` + + + + +Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection, and ephemeris data) from the Microsoft Positioning Service. | +| 1 | Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device. | +| 2 | Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device. | +| 3 | Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services. | +| 4 | AFLT. | + + + + + + + + + +### V2UPL1/ServerAccessInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/ServerAccessInterval +``` + + + + Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 60 | + + + + + + + + + ## Unsupported Nodes -The following optional nodes aren't supported on Windows devices. +The following optional nodes aren't supported on Windows devices. -- ProviderID - -- Name - -- PrefConRef - -- ToConRef - -- ToConRef/<X> - -- ToConRef/<X>/ConRef - -- AddrType +- ProviderID +- Name +- PrefConRef +- ToConRef +- ToConRef/<X> +- ToConRef/<X>/ConRef +- AddrType If the configuration application tries to set, delete or query these nodes, a response indicating this node isn't implemented will be returned over OMA DM. In OMA Client Provisioning, the request to set this node will be ignored and the configuration service provider will continue processing the rest of the nodes. @@ -443,8 +1797,10 @@ The following table shows the Microsoft custom elements that this configuration |--- |--- | |parm-query|Yes| |characteristic-query|Yes

    Recursive query: No

    Top level query: No| + -  -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index ce35649aaf..07296eebc3 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md 
@@ -1,38 +1,129 @@ --- title: SUPL DDF file -description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the SUPL configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/03/2020 +ms.topic: reference --- + + # SUPL DDF file -This topic shows the OMA DM device description framework (DDF) for the **SUPL** configuration service provider (CSP). - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the DDF for the current version for this CSP. +The following XML file contains the device description framework (DDF) for the SUPL configuration service provider. ```xml -]> +]> 1.2 + + + + SUPL + ./Vendor/MSFT/ + + + + + + + Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + SUPL1 + + + + + Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + + + + + + + + + + + + + - SUPL - ./Vendor/MSFT/ + AppID + Required. The AppID for SUPL is automatically set to "ap0004". This is a read-only value. + + + + + + + + + + + + + + + + Addr + + + + + + Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format server: port. 
+ + + + + + + + + + + + + + + + + + Ext + + + + + Insert Description Here @@ -43,16 +134,16 @@ The XML below is the DDF for the current version for this CSP. - com.microsoft/1.2/MDM/SUPL + - SUPL1 + Microsoft - Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + Insert Description Here @@ -63,18 +154,20 @@ The XML below is the DDF for the current version for this CSP. - + - AppID + Version + - Required. The AppID for SUPL is automatically set to "ap0004". This is a read-only value. + 1 + Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define minor verison and service indicator - + @@ -83,18 +176,22 @@ The XML below is the DDF for the current version for this CSP. - + + + [1-2] + - Addr + FullVersion - Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format server: port. + 1.0.0 + Optional. Determines the full version (X.Y.Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored 
@@ -105,586 +202,25 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + 10.0.19041 + 1.2 + + + ^(\d+\.)?(\d+\.)?(\*|\d+)$ + - Ext - - - - - - - - - - - - - - - - - - - Microsoft - - - - - - - - - - - - - - - - - - - Version - - - - - - 1 - Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator. - - - - - - - - - - - text/plain - - - - - FullVersion - - - - - - 1.0.0 - Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. - - - - - - - - - - - text/plain - - - - - MCCMNCPairs - - - - - - Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the phone uses the default location service and does not use SUPL. - - - - - - - - - - - text/plain - - - - - LocMasterSwitchDependencyNII - - - - - - 1 - This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. Note that most clients do not support this behavior. This value manages the settings for both SUPL and v2 UPL. If a phone is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. - - - - - - - - - - - text/plain - - - - - NIDefaultTimeout - - - - - - 30 - Optional. 
Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. - - - - - - - - - - - text/plain - - - - - ServerAccessInterval - - - - - - 60 - Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. - - - - - - - - - - - text/plain - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate2 - - - - - Specifies the root certificate for the H-SLP server. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate3 - - - - - Specifies the root certificate for the H-SLP server. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate4 - - - - - Specifies the root certificate for the H-SLP server. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate5 - - - - - Specifies the root certificate for the H-SLP server. 
- - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate6 - - - - - Specifies the root certificate for the H-SLP server. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - - - - V2UPL1 - - - - - Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. - - - - - - - - - - - - - - - MPC + MCCMNCPairs - Optional. The address of the mobile positioning center (MPC), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the phone uses the default location service and does not use SUPL. 
@@ -695,20 +231,23 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + - PDE + HighAccPositioningMethod - Optional. The address of the Position Determination Entity (PDE), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter must be empty. + 0 + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. - + 
@@ -717,19 +256,45 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + + 0 + None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection and ephemeris data) from the Microsoft Positioning Service. + + + 1 + Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device. + + + 2 + Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device. + + + 3 + Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services. + + + 4 + OTDOA + + + 5 + AFLT + + LocMasterSwitchDependencyNII - - + - 1 - Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA phones, this value must be set to 1. The default value is 1. + true + This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. Note that most clients do not support this behavior. This value manages the settings for both SUPL and v2 UPL. 
If a phone is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. @@ -740,29 +305,18 @@ The XML below is the DDF for the current version for this CSP. - text/plain - - - - - ApplicationTypeIndicator_MR - - - - - Required. This value must always be set to 00000011. - - - - - - - - - - - + + + + false + The NI behavior is independent from the current location toggle setting. + + + true + The NI behavior follows the current location toggle setting. + + @@ -784,8 +338,10 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + 
@@ -807,11 +363,663 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + + + + + + RootCertificate + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate2 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate3 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate4 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate5 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. 
+ + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate6 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + V2UPL1 + + + + + Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. + + + + + + + + + + + + + + + MPC + + + + + + Optional. The address of the mobile positioning center (MPC), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + + + + + + + + + + + + + + + + + + PDE + + + + + + Optional. The address of the Position Determination Entity (PDE), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter must be empty. + + + + + + + + + + + + + + + + + + PositioningMethod_MR + + + + + + 0 + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + + + + + + + + + + + + + + 0 + None: The device uses the default positioning method. 
In this default mode, the GNSS obtains assistance (time injection, coarse position injection, and ephemeris data) from the Microsoft Positioning Service. + + + 1 + Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device. + + + 2 + Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device. + + + 3 + Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services. + + + 4 + AFLT + + + + + + LocMasterSwitchDependencyNII + + + + + + true + Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA phones, this value must be set to 1. The default value is 1. + + + + + + + + + + + + + + + false + The NI behavior is independent from the current location toggle setting. + + + true + The NI behavior follows the current location toggle setting. + + + + + + ApplicationTypeIndicator_MR + + + + + Required. This value must always be set to 00000011. + + + + + + + + + + + + + + + + NIDefaultTimeout + + + + + + 30 + Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + + + + + + + + + + + + + + + + + + ServerAccessInterval + + + + + + 60 + Optional. Integer. 
Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + + + + + + + + + + + + + + + + + + ``` + +## Related articles + +[SUPL configuration service provider reference](supl-csp.md) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 9ddb730b42..1925bbdccc 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md 
@@ -1,96 +1,294 @@ --- title: SurfaceHub CSP -description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. -ms.reviewer: +description: Learn more about the SurfaceHub CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/28/2017 +ms.topic: reference --- + + + # SurfaceHub CSP -The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later. +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. -The following example shows the SurfaceHub CSP management objects in tree format. + + +The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. 
+ + +The following list shows the SurfaceHub configuration service provider nodes: + +- ./Vendor/MSFT/SurfaceHub + - [AutopilotSelfdeploy](#autopilotselfdeploy) + - [FriendlyName](#autopilotselfdeployfriendlyname) + - [Password](#autopilotselfdeploypassword) + - [UserPrincipalName](#autopilotselfdeployuserprincipalname) + - [DeviceAccount](#deviceaccount) + - [CalendarSyncEnabled](#deviceaccountcalendarsyncenabled) + - [DomainName](#deviceaccountdomainname) + - [Email](#deviceaccountemail) + - [ErrorContext](#deviceaccounterrorcontext) + - [ExchangeModernAuthEnabled](#deviceaccountexchangemodernauthenabled) + - [ExchangeServer](#deviceaccountexchangeserver) + - [Password](#deviceaccountpassword) + - [PasswordRotationPeriod](#deviceaccountpasswordrotationperiod) + - [SipAddress](#deviceaccountsipaddress) + - [UserName](#deviceaccountusername) + - [UserPrincipalName](#deviceaccountuserprincipalname) + - [ValidateAndCommit](#deviceaccountvalidateandcommit) + - [Dot3](#dot3) + - [EapUserData](#dot3eapuserdata) + - [LanProfile](#dot3lanprofile) + - [InBoxApps](#inboxapps) + - [Connect](#inboxappsconnect) + - [AutoLaunch](#inboxappsconnectautolaunch) + - [SkypeForBusiness](#inboxappsskypeforbusiness) + - [DomainName](#inboxappsskypeforbusinessdomainname) + - [Teams](#inboxappsteams) + - [Configurations](#inboxappsteamsconfigurations) + - [Welcome](#inboxappswelcome) + - [AutoWakeScreen](#inboxappswelcomeautowakescreen) + - [CurrentBackgroundPath](#inboxappswelcomecurrentbackgroundpath) + - [MeetingInfoOption](#inboxappswelcomemeetinginfooption) + - [Whiteboard](#inboxappswhiteboard) + - [SharingDisabled](#inboxappswhiteboardsharingdisabled) + - [SignInDisabled](#inboxappswhiteboardsignindisabled) + - [TelemetryDisabled](#inboxappswhiteboardtelemetrydisabled) + - [WirelessProjection](#inboxappswirelessprojection) + - [Channel](#inboxappswirelessprojectionchannel) + - [Enabled](#inboxappswirelessprojectionenabled) + - [PINRequired](#inboxappswirelessprojectionpinrequired) 
+ - [MaintenanceHoursSimple](#maintenancehourssimple) + - [Hours](#maintenancehourssimplehours) + - [Duration](#maintenancehourssimplehoursduration) + - [StartTime](#maintenancehourssimplehoursstarttime) + - [Management](#management) + - [GroupName](#managementgroupname) + - [GroupSid](#managementgroupsid) + - [MOMAgent](#momagent) + - [WorkspaceID](#momagentworkspaceid) + - [WorkspaceKey](#momagentworkspacekey) + - [Properties](#properties) + - [AllowAutoProxyAuth](#propertiesallowautoproxyauth) + - [AllowSessionResume](#propertiesallowsessionresume) + - [DefaultVolume](#propertiesdefaultvolume) + - [DisableSigninSuggestions](#propertiesdisablesigninsuggestions) + - [DoNotShowMyMeetingsAndFiles](#propertiesdonotshowmymeetingsandfiles) + - [FriendlyName](#propertiesfriendlyname) + - [ProxyServers](#propertiesproxyservers) + - [ScreenTimeout](#propertiesscreentimeout) + - [SessionTimeout](#propertiessessiontimeout) + - [SleepMode](#propertiessleepmode) + - [SleepTimeout](#propertiessleeptimeout) + - [SurfaceHubMeetingMode](#propertiessurfacehubmeetingmode) + - [VtcAppPackageId](#propertiesvtcapppackageid) + + + +## AutopilotSelfdeploy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/AutopilotSelfdeploy ``` -./Vendor/MSFT -SurfaceHub -----DeviceAccount ---------DomainName ---------UserName ---------UserPrincipalName ---------Password ---------ValidateAndCommit ---------ExchangeServer ---------SipAddress ---------Email ---------CalendarSyncEnabled ---------ErrorContext ---------PasswordRotationEnabled -----MaintenanceHoursSimple ---------Hours -------------StartTime -------------Duration -----InBoxApps ---------SkypeForBusiness -------------DomainName ---------Welcome -------------AutoWakeScreen -------------CurrentBackgroundPath -------------MeetingInfoOption ---------Whiteboard -------------SharingDisabled -------------SigninDisabled -------------TelemeteryDisabled ---------WirelessProjection -------------PINRequired -------------Enabled -------------Channel ---------Connect -------------AutoLaunch -----Properties ---------FriendlyName ---------DefaultVolume ---------DefaultAutomaticFraming ---------ScreenTimeout ---------SessionTimeout ---------SleepTimeout ---------AllowSessionResume ---------AllowAutoProxyAuth ---------ProxyServers ---------DisableSigninSuggestions ---------DoNotShowMyMeetingsAndFiles -----Management ---------GroupName ---------GroupSid -----MOMAgent ---------WorkspaceID ---------WorkspaceKey + + + + +Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Case Sensitive | True | + + + + + + + + + +### AutopilotSelfdeploy/FriendlyName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/AutopilotSelfdeploy/FriendlyName ``` + -**./Vendor/MSFT/SurfaceHub** -The root node for the Surface Hub configuration service provider. + + +The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank. + -**DeviceAccount** -Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. + + + -To use a device account from Azure Active Directory + +**Description framework properties**: -1. Set the UserPrincipalName (for Azure AD). -2. Set a valid Password. -3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. -4. Get the ErrorContext in case something goes wrong during validation. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + +### AutopilotSelfdeploy/Password + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/AutopilotSelfdeploy/Password +``` + + + + +Password for the device account. Get is allowed here, but will always return a blank. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### AutopilotSelfdeploy/UserPrincipalName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/AutopilotSelfdeploy/UserPrincipalName +``` + + + + +User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## DeviceAccount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount +``` + + + + +Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Azure Active Directory: 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. 4. Get the ErrorContext in case something goes wrong during validation. + + + + > [!NOTE] > If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. + + +**Description framework properties**: -Here's a SyncML example. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Case Sensitive | True | + + + + +**Example**: ```xml @@ -139,98 +337,159 @@ Here's a SyncML example. ``` + -To use a device account from Active Directory: + -1. Set the DomainName. -2. Set the UserName. -3. Set a valid Password. -4. Execute the ValidateAndCommit node. + +### DeviceAccount/CalendarSyncEnabled -**DeviceAccount/DomainName** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/CalendarSyncEnabled +``` + -- The data type is string. -- Supported operation is Get and Replace. + + +Specifies whether calendar sync and other Exchange server services is enabled. + -**DeviceAccount/UserName** + + + -Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +**Description framework properties**: -- The data type is string. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + -**DeviceAccount/UserPrincipalName** + +**Allowed values**: -User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + -- The data type is string. -- Supported operation is Get and Replace. + + + -**DeviceAccount/SipAddress** + -Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + +### DeviceAccount/DomainName -- The data type is string. -- Supported operation is Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**DeviceAccount/Password** + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/DomainName +``` + -Password for the device account. + + +Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + -- The data type is string. -- Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. + + + -**DeviceAccount/ValidateAndCommit** + +**Description framework properties**: -This method validates the data provided and then commits the changes. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + -- The data type is string. -- Supported operation is Execute. + + + -**DeviceAccount/Email** + -Email address of the device account. The data type is string. + +### DeviceAccount/Email -**DeviceAccount/ -PasswordRotationEnabled** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/Email +``` + -Valid values: + + +Email address of the device account. + -- 0 - password rotation enabled -- 1 - disabled + + + -It performs the following: -- The data type is integer. -- Supported operation is Get and Replace. + +**Description framework properties**: -**DeviceAccount/ExchangeServer** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + -Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + + + -- The data type is string. -- Supported operation is Get and Replace. + -**DeviceAccount/ExchangeModernAuthEnabled** + +### DeviceAccount/ErrorContext -Added in KB4598291 for Windows 10, version 20H2. Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- The data type is boolean. -- Supported operation is Get and Replace. + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/ErrorContext +``` + -**DeviceAccount/CalendarSyncEnabled** + + +If there is an error calling ValidateAndCommit, there will be additional context for that error in this node. + -Specifies, whether calendar sync and other Exchange server services is enabled. - -- The data type is boolean. -- Supported operation is Get and Replace. - -**DeviceAccount/ErrorContext** - -If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values: + + +Possible error values: | **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** | | --- | --- | --- | 
@@ -240,315 +499,2350 @@ If there's an error calling ValidateAndCommit, there's another context for that | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. | | 5 | Saving account information | Unable to save account details to the system. | | 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. | + -It performs the following: -- The data type is integer. -- Supported operation is Get. + +**Description framework properties**: -**MaintenanceHoursSimple/Hours** -Node for maintenance schedule. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -**MaintenanceHoursSimple/Hours/StartTime** + + + -Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. + -- The data type is integer. -- Supported operation is Get and Replace. + +### DeviceAccount/ExchangeModernAuthEnabled -**MaintenanceHoursSimple/Hours/Duration** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.789] and later
    :heavy_check_mark: Windows Insider Preview [99.9.9999] | + -Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/ExchangeModernAuthEnabled +``` + -- The data type is integer. -- Supported operation is Get and Replace. + + +Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. + -**InBoxApps** + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | True | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| False | Disabled. | +| True (Default) | Enabled. | + + + + + + + + + +### DeviceAccount/ExchangeServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/ExchangeServer +``` + + + + +Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### DeviceAccount/Password + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/Password +``` + + + + +Password for the device account. Get is allowed here, but will always return a blank. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### DeviceAccount/PasswordRotationPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/PasswordRotationPeriod +``` + + + + +Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Password rotation enabled. | +| 1 | Disabled. | + + + + + + + + + +### DeviceAccount/SipAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/SipAddress +``` + + + + +Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### DeviceAccount/UserName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/UserName +``` + + + + +Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### DeviceAccount/UserPrincipalName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/UserPrincipalName +``` + + + + +User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### DeviceAccount/ValidateAndCommit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/ValidateAndCommit +``` + + + + +This method validates the data provided and then commits the changes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## Dot3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.64] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Dot3 +``` + + + + +Parent node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Dot3/EapUserData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.64] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Dot3/EapUserData +``` + + + + +Used to specify credentials to authenticate device to the network. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### Dot3/LanProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.64] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Dot3/LanProfile +``` + + + + +Used to specify credentials to authenticate device to the network. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## InBoxApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps +``` + + + + Node for the in-box app settings. + -**InBoxApps/SkypeForBusiness** + + + -Added in Windows 10, version 1703. Node for the Skype for Business settings. + +**Description framework properties**: -**InBoxApps/SkypeForBusiness/DomainName** +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online. + + + -- The data type is string. -- Supported operation is Get and Replace. + -**InBoxApps/Welcome** + +### InBoxApps/Connect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Connect +``` + + + + +Node for the Connect app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### InBoxApps/Connect/AutoLaunch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Connect/AutoLaunch +``` + + + + +Specifies whether to automatically launch the Connect app whenever a projection is initiated. If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub's settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +### InBoxApps/SkypeForBusiness + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/SkypeForBusiness +``` + + + + +Node for the Skype for Business settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### InBoxApps/SkypeForBusiness/DomainName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/SkypeForBusiness/DomainName +``` + + + + +Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see [Set up your domain and users](/skypeforbusiness/set-up-skype-for-business-online/set-up-skype-for-business-online#3-set-up-your-domain-and-users). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### InBoxApps/Teams + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.450] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Teams +``` + + + + +This node controls policies specific to the Teams App on Surface Hub. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### InBoxApps/Teams/Configurations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.450] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Teams/Configurations +``` + + + + +String to contain Teams policy configs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### InBoxApps/Welcome + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome +``` + + + + Node for the welcome screen. + -**InBoxApps/Welcome/AutoWakeScreen** + + + -Automatically turn on the screen using motion sensors. + +**Description framework properties**: -- The data type is boolean. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**InBoxApps/Welcome/CurrentBackgroundPath** + + + -Download location for image, to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub. Otherwise, it may not be able to load the image. + -- The data type is string. -- Supported operation is Get and Replace. + +#### InBoxApps/Welcome/AutoWakeScreen -**InBoxApps/Welcome/MeetingInfoOption** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/AutoWakeScreen +``` + + + + +Setting for the screen to wake up and stay on with sensor activity. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| False | Disabled. | +| True | Enabled. | + + + + + + + + + +#### InBoxApps/Welcome/CurrentBackgroundPath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath +``` + + + + +Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +#### InBoxApps/Welcome/MeetingInfoOption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/MeetingInfoOption +``` + + + + Meeting information displayed on the welcome screen. + -Valid values: + + + -- 0 - Organizer and time only -- 1 - Organizer, time, and subject. Subject is hidden in private meetings. + +**Description framework properties**: -It performs the following: -- The data type is integer. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + -**InBoxApps/Whiteboard** + +**Allowed values**: -Node for the Whiteboard app settings. +| Value | Description | +|:--|:--| +| 0 | Organizer and time only. | +| 1 | Organizer, time, and subject. Subject is hidden in private meetings. | + -**InBoxApps/Whiteboard/SharingDisabled** + + + -Invitations to collaborate from the Whiteboard app aren't allowed. + -- The data type is boolean. -- Supported operation is Get and Replace. + +### InBoxApps/Whiteboard -**InBoxApps/Whiteboard/SigninDisabled** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362.449] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + -Sign-ins from the Whiteboard app aren't allowed. + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Whiteboard +``` + -- The data type is boolean. -- Supported operation is Get and Replace. + + +This node controls policies specific to the Whiteboard App on Surface Hub. + -**InBoxApps/Whiteboard/TelemeteryDisabled** + + + -Telemetry collection from the Whiteboard app isn't allowed. + +**Description framework properties**: -- The data type is boolean. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**InBoxApps/WirelessProjection** + + + + + + +#### InBoxApps/Whiteboard/SharingDisabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362.449] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Whiteboard/SharingDisabled +``` + + + + +When enabled, prevents a user from initiating a collaborative session on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| False | Sharing enabled. | +| True | Sharing disabled. | + + + + + + + + + +#### InBoxApps/Whiteboard/SignInDisabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362.449] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Whiteboard/SignInDisabled +``` + + + + +When enabled, prevents a user from Signing into Whiteboard on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| False (Default) | Sign in enabled. | +| True | Sign in disabled. | + + + + + + + + + +#### InBoxApps/Whiteboard/TelemetryDisabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362.449] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Whiteboard/TelemetryDisabled +``` + + + + +When enabled, prevents Whiteboard from sending telemetry from the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| False (Default) | Telemetry enabled. | +| True | Telemetry disabled. | + + + + + + + + + +### InBoxApps/WirelessProjection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection +``` + + + + Node for the wireless projector app settings. + -**InBoxApps/WirelessProjection/PINRequired** + + + -Users must enter a PIN to wireless project to the device. + +**Description framework properties**: -- The data type is boolean. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**InBoxApps/WirelessProjection/Enabled** + + + -Enables wireless projection to the device. + -- The data type is boolean. -- Supported operation is Get and Replace. + +#### InBoxApps/WirelessProjection/Channel -**InBoxApps/WirelessProjection/Channel** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Channel +``` + + + + Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. + + + |**Compatibility**|**Values**| |--- |--- | |Works with all Miracast senders in all regions|1, 3, 4, 5, 6, 7, 8, 9, 10, 11| |Works with all 5ghz band Miracast senders in all regions|36, 40, 44, 48| |Works with all 5ghz band Miracast senders in all regions except Japan|149, 153, 157, 161, 165| -The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for). +Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for). + -- The data type is integer. -- Supported operation is Get and Replace. + +**Description framework properties**: -**InBoxApps/Connect** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 255 | + -Added in Windows 10, version 1703. Node for the Connect app. + + + -**InBoxApps/Connect/AutoLaunch** + -Added in Windows 10, version 1703. Specifies, whether to automatically launch the Connect app whenever a projection is initiated. + +#### InBoxApps/WirelessProjection/Enabled -If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- The data type is boolean. -- Supported operation is Get and Replace. + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled +``` + -**Properties** + + +Enables wireless projection to the device. + -Node for the device properties. + + + -**Properties/FriendlyName** + +**Description framework properties**: -Friendly name of the device. Specifies the name that users see when they want wireless project to the device. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + -- The data type is string. -- Supported operation is Get and Replace. + +**Allowed values**: -**Properties/DefaultVolume** +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + -Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. + + + -- The data type is integer. -- Supported operation is Get and Replace. + -**Properties/DefaultAutomaticFraming** + +#### InBoxApps/WirelessProjection/PINRequired -Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- The data type is boolean. -- Supported operation is Get and Replace. + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/PINRequired +``` + -**Properties/ScreenTimeout** + + +Users must enter a PIN to wirelessly project to the device. + -Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. + + + -The following table shows the permitted values. + +**Description framework properties**: -|**Value**|**Description**| -|--- |--- | -|0|Never time out| -|1|1 minute| -|2|2 minutes| -|3|3 minutes| -|5|5 minutes (default)| -|10|10 minutes| -|15|15 minutes| -|30|30 minutes| -|60|1 hour| -|120|2 hours| -|240|4 hours| +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + -It performs the following: -- The data type is integer. -- Supported operation is Get and Replace. + +**Allowed values**: -**Properties/SessionTimeout** +| Value | Description | +|:--|:--| +| false | Pin not required. | +| true | Pin required. | + -Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. + + + -The following table shows the permitted values. + -|**Value**|**Description**| -|--- |--- | -|0|Never time out| -|1|1 minute (default)| -|2|2 minutes| -|3|3 minutes| -|5|5 minutes| -|10|10 minutes| -|15|15 minutes| -|30|30 minutes| -|60|1 hour| -|120|2 hours| -|240|4 hours| + +## MaintenanceHoursSimple -It performs the following: -- The data type is integer. -- Supported operation is Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Properties/SleepTimeout** + +```Device +./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple +``` + -Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. + + +Node for maintenance schedule. + -The following table shows the permitted values. + + + -|**Value**|**Description**| -|--- |--- | -|0|Never time out| -|1|1 minute| -|2|2 minutes| -|3|3 minutes| -|5|5 minutes (default)| -|10|10 minutes| -|15|15 minutes| -|30|30 minutes| -|60|1 hour| -|120|2 hours| -|240|4 hours| + +**Description framework properties**: -It performs the following: -- The data type is integer. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Properties/SleepMode** + + + -Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. + -Valid values: + +### MaintenanceHoursSimple/Hours -- 0 - Connected Standby (default) -- 1 - Hibernate + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -It performs the following: -- The data type is integer. -- Supported operation is Get and Replace. + +```Device +./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours +``` + -**Properties/AllowSessionResume** + + +Node for maintenance schedule. + -Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. + + + -If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. + +**Description framework properties**: -- The data type is boolean. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Properties/AllowAutoProxyAuth** + + + -Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication. + -If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. + +#### MaintenanceHoursSimple/Hours/Duration -- The data type is boolean. -- Supported operation is Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Properties/ProxyServers** + +```Device +./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/Duration +``` + -Added in KB4499162 for Windows 10, version 1703. Specifies hostnames of proxy servers to automatically provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names (FQDN), without any extra prefixes (for example, https://). + + +Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. + -- The data type is string. -- Supported operation is Get and Replace. + + + -**Properties/DisableSigninSuggestions** + +**Description framework properties**: -Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-1439]` | + -If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate. + + + -- The data type is boolean. -- Supported operation is Get and Replace. + -**Properties/DoNotShowMyMeetingsAndFiles** + +#### MaintenanceHoursSimple/Hours/StartTime -Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown. + +```Device +./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/StartTime +``` + -- The data type is boolean. -- Supported operation is Get and Replace. + + +Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. + -**MOMAgent** + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-1439]` | + + + + + + + + + +## Management + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Management +``` + + + + +Not a supported scenario. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Management/GroupName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Management/GroupName +``` + + + + +The name of the domain admin group to add to the administrators group on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### Management/GroupSid + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Management/GroupSid +``` + + + + +The sid of the domain admin group to add to the administrators group on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## MOMAgent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgent +``` + + + + Node for the Microsoft Operations Management Suite. + -**MOMAgent/WorkspaceID** + + + -GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent. + +**Description framework properties**: -- The data type is string. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**MOMAgent/WorkspaceKey** + + + -Primary key for authenticating with the workspace. + -- The data type is string. -- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. + +### MOMAgent/WorkspaceID -## Related topics + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -[Configuration service provider reference](index.yml) + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceID +``` + + + + +GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### MOMAgent/WorkspaceKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceKey +``` + + + + +Primary key for authenticating with workspace. Will always return an empty string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## Properties + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties +``` + + + + +Node for the device properties. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Properties/AllowAutoProxyAuth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/AllowAutoProxyAuth +``` + + + + +Specifies whether to use the device account for proxy authentication. If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + +### Properties/AllowSessionResume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/AllowSessionResume +``` + + + + +Specifies whether to allow the ability to resume a session when the session times out. If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the "End Session" feature was initiated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + +### Properties/DefaultVolume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/DefaultVolume +``` + + + + +Specifies the default volume value for a new session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 45 | + + + + + + + + + +### Properties/DisableSigninSuggestions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/DisableSigninSuggestions +``` + + + + +Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Dialog will auto-populate. | +| true | Sign-in dialog will not be populated. | + + + + + + + + + +### Properties/DoNotShowMyMeetingsAndFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/DoNotShowMyMeetingsAndFiles +``` + + + + +Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. If this setting is true, the "My meetings and files" feature will not be shown. When false, the "My meetings and files" feature will be shown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | "My meetings and files" feature will not be shown. | +| false (Default) | The "My meetings and files" feature will be shown. | + + + + + + + + + +### Properties/FriendlyName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/FriendlyName +``` + + + + +Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### Properties/ProxyServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/ProxyServers +``` + + + + +The list of known proxy servers to provide. + + + + +Specifies hostnames of proxy servers to automatically provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names (FQDN), without any extra prefixes (for example, `https://`). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | + + + + + + + + + +### Properties/ScreenTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/ScreenTimeout +``` + + + + +Specifies the number of minutes until the Hub screen turns off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 5 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Never time out. | +| 1 | 1 minute. | +| 2 | 2 minutes. | +| 3 | 3 minutes. | +| 5 (Default) | 5 minutes. | +| 10 | 10 minutes. | +| 15 | 15 minutes. | +| 30 | 30 minutes. | +| 60 | 1 hour. | +| 120 | 2 hours. | +| 240 | 4 hours. | + + + + + + + + + +### Properties/SessionTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/SessionTimeout +``` + + + + +Specifies the number of minutes until the session times out. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Never time out. | +| 1 (Default) | 1 minute. | +| 2 | 2 minutes. | +| 3 | 3 minutes. | +| 5 | 5 minutes. | +| 10 | 10 minutes. | +| 15 | 15 minutes. | +| 30 | 30 minutes. | +| 60 | 1 hour. | +| 120 | 2 hours. | +| 240 | 4 hours. | + + + + + + + + + +### Properties/SleepMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/SleepMode +``` + + + + +Specifies the type of sleep mode for the Surface Hub. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Connected Standby. | +| 1 | Hibernate. | + + + + + + + + + +### Properties/SleepTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/SleepTimeout +``` + + + + +Specifies the number of minutes until the Hub enters sleep mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 5 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Never time out. | +| 1 | 1 minute. | +| 2 | 2 minutes. | +| 3 | 3 minutes. | +| 5 (Default) | 5 minutes. | +| 10 | 10 minutes. | +| 15 | 15 minutes. | +| 30 | 30 minutes. | +| 60 | 1 hour. | +| 120 | 2 hours. | +| 240 | 4 hours. | + + + + + + + + + +### Properties/SurfaceHubMeetingMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode +``` + + + + +Teams mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + + + + + + + + + +### Properties/VtcAppPackageId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId +``` + + + + +App name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index b641ecada1..0f0117489c 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md 
@@ -1,1016 +1,1881 @@ --- title: SurfaceHub DDF file -description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # SurfaceHub DDF file -This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the SurfaceHub configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + SurfaceHub + ./Vendor/MSFT + + + + + The root node for the Surface Hub configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - SurfaceHub - ./Vendor/MSFT + AutopilotSelfdeploy + + + + + Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. 
+ + + + + + + + + + + + + + + + + + UserPrincipalName - - - - - - - - - - - - - - com.microsoft/1.0/MDM/SurfaceHub - + + + + + User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank + + + + + + + + + + + + + + + + + + Password + + + + + + Password for the device account. Get is allowed here, but will always return a blank. + + + + + + + + + + + + + + + + + + FriendlyName + + + + + + The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank + + + + + + + + + + + + + + + + + + + DeviceAccount + + + + + Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. To use a device account from Azure Active Directory: 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. 4. Get the ErrorContext in case something goes wrong during validation. + + + + + + + + + + + + + + + + + + DomainName + + + + + + Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + + + + + + + + + + + + + + + + + + UserName + + + + + + Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + + + + + + + + + + + + + + + + + + UserPrincipalName + + + + + + User principal name (UPN) of the device account. 
To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. + + + + + + + + + + + + + + + + + + Password + + + + + + Password for the device account. Get is allowed here, but will always return a blank. + + + + + + + + + + + + + + + + + + ValidateAndCommit + + + + + This method validates the data provided and then commits the changes. + + + + + + + + + + + + + + + + ExchangeServer + + + + + + Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + + + + + + + + + + + + + + + + + + SipAddress + + + + + + Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + + + + + + + + + + + + + + + + + + Email + + + + + + Email address of the device account. + + + + + + + + + + + + + + + + + + CalendarSyncEnabled + + + + + + Specifies whether calendar sync and other Exchange server services is enabled. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + ErrorContext + + + + + If there is an error calling ValidateAndCommit, there will be additional context for that error in this node. + + + + + + + + + + + + + + + + PasswordRotationPeriod + + + + + + Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). 
+ + + + + + + + + + + + + + + 0 + Password rotation enabled + + + 1 + Disabled + + + + + + ExchangeModernAuthEnabled + + + + + + True + Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. + + + + + + + + + + + + + + 10.19041.789, 10.19042.789, 99.9.9999 + 1.0 + + + + False + Disabled + + + True + Enabled + + + + + + + MaintenanceHoursSimple + + + + + Node for maintenance schedule. + + + + + + + + + + + + + + + Hours + + + + + Node for maintenance schedule. + + + + + + + + + + + + - DeviceAccount - - - - - - - - - - - - - - - - - - - - - - DomainName - - - - - - - - - - - - - - - - text/plain - - - - - UserName - - - - - - - - - - - - - - - - text/plain - - - - - UserPrincipalName - - - - - - - - - - - - - - - - text/plain - - - - - Password - - - - - - Get is allowed here, but will always return a blank. - - - - - - - - - - - text/plain - - - - - ValidateAndCommit - - - - - - - - - - - - - - - text/plain - - - - - ExchangeServer - - - - - - - - - - - - - - - - text/plain - - - - - SipAddress - - - - - - - - - - - - - - - - text/plain - - - - - Email - - - - - - - - - - - - - - - - text/plain - - - - - CalendarSyncEnabled - - - - - - - - - - - - - - - - text/plain - - - - - ErrorContext - - - - - If there is an error calling ValidateAndCommit, there will be additional context for that error in this node. - - - - - - - - - - - text/plain - - - - - PasswordRotationEnabled - - - - - - - - - - - - - - - - text/plain - - - + StartTime + + + + + + Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. 
+ + + + + + + + + + + + + + [0-1439] + + - MaintenanceHoursSimple - - - - - - - - - - - - - - - - - - - - Hours - - - - - - - - - - - - - - - - - - - StartTime - - - - - - Start time for maintenance hours in minutes from midnight - - - - - - - - - - - text/plain - - - - - Duration - - - - - - Duration of maintenance window - - - - - - - - - - - text/plain - - - - - - - InBoxApps - - - - - - - - - - - - - - - - - - - SkypeForBusiness - - - - - - - - - - - - - - - - - - - DomainName - - - - - - - - - - - - - - - - text/plain - - - - - - Welcome - - - - - - - - - - - - - - - - - - - AutoWakeScreen - - - - - - Setting for the screen to wake up and stay on with sensor activity. - - - - - - - - - - - text/plain - - - - - CurrentBackgroundPath - - - - - - - - - - - - - - - - - - text/plain - - - - - MeetingInfoOption - - - - - - - - - - - - - - - - text/plain - - - - - - WirelessProjection - - - - - - - - - - - - - - - - - - - PINRequired - - - - - - - - - - - - - - - - text/plain - - - - - Enabled - - - - - - - - - - - - - - - - text/plain - - - - - Channel - - - - - - - - - - - - - - - - text/plain - - - - - - Connect - - - - - - - - - - - - - - - - - - - AutoLaunch - - - - - - - - - - - - - - - - text/plain - - - - - - - Properties - - - - - - - - - - - - - - - - - - - FriendlyName - - - - - - - - - - - - - - - - text/plain - - - - - DefaultVolume - - - - - - 65 - - - - - - - - - - - text/plain - - - - - ScreenTimeout - - - - - - 5 - - - - - - - - - - - text/plain - - - - - SessionTimeout - - - - - - 1 - - - - - - - - - - - text/plain - - - - - SleepTimeout - - - - - - 5 - - - - - - - - - - - text/plain - - - - - AllowSessionResume - - - - - - true - - - - - - - - - - - text/plain - - - - - AllowAutoProxyAuth - - - - - - true - - - - - - - - - - - text/plain - - - - - DisableSigninSuggestions - - - - - - false - - - - - - - - - - - text/plain - - - - - DoNotShowMyMeetingsAndFiles - - - - - - false - - - - - - - - - - - text/plain - - - - - - Management - - - - - - - - 
- - - - - - - - - - - GroupName - - - - - - The name of the domain admin group to add to the administrators group on the device. - - - - - - - - - - - text/plain - - - - - GroupSid - - - - - - The sid of the domain admin group to add to the administrators group on the device. - - - - - - - - - - - text/plain - - - - - - MOMAgent - - - - - - - - - - - - - - - - - - - WorkspaceID - - - - - - GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. - - - - - - - - - - - text/plain - - - - - WorkspaceKey - - - - - - Primary key for authenticating with workspace. Will always return an empty string. - - - - - - - - - - - text/plain - - - + Duration + + + + + + Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. + + + + + + + + + + + + + + [0-1439] + + + + + InBoxApps + + + + + Node for the in-box app settings. + + + + + + + + + + + + + + + SkypeForBusiness + + + + + Node for the Skype for Business settings. + + + + + + + + + + + + + + + DomainName + + + + + + Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see https://docs.microsoft.com/en-us/SkypeForBusiness/set-up-skype-for-business-online/set-up-skype-for-business-online?redirectSourcePath=%252fen-us%252farticle%252fSet-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e#bkmk_users + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + Welcome + + + + + Node for the welcome screen. + + + + + + + + + + + + + + + AutoWakeScreen + + + + + + Setting for the screen to wake up and stay on with sensor activity. + + + + + + + + + + + + + + + False + Disabled + + + True + Enabled + + + + + + CurrentBackgroundPath + + + + + + Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). 
If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. + + + + + + + + + + + + + + + + + + MeetingInfoOption + + + + + + Meeting information displayed on the welcome screen. + + + + + + + + + + + + + + + 0 + Organizer and time only. + + + 1 + Organizer, time, and subject. Subject is hidden in private meetings. + + + + + + + WirelessProjection + + + + + Node for the wireless projector app settings. + + + + + + + + + + + + + + + PINRequired + + + + + + Users must enter a PIN to wirelessly project to the device. + + + + + + + + + + + + + + + false + Pin not required + + + true + Pin required + + + + + + Enabled + + + + + + Enables wireless projection to the device. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + Channel + + + + + + 255 + Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. + + + + + + + + + + + + + + + + + + + Connect + + + + + Node for the Connect app. + + + + + + + + + + + + + + + AutoLaunch + + + + + + Specifies whether to automatically launch the Connect app whenever a projection is initiated. If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + false + Disabled + + + true + Enabled + + + + + + + Whiteboard + + + + + This node controls policies specific to the Whiteboard App on Surface Hub. 
+ + + + + + + + + + + + + + 10.0.18363, 10.0.18362.449 + 1.0 + + + + SignInDisabled + + + + + + False + When enabled, prevents a user from Signing into Whiteboard on the device + + + + + + + + + + + + + + + False + Sign in enabled + + + True + Sign in disabled + + + + + + TelemetryDisabled + + + + + + False + When enabled, prevents Whiteboard from sending telemetry from the device + + + + + + + + + + + + + + + False + Telemetry enabled + + + True + Telemetry disabled + + + + + + SharingDisabled + + + + + + When enabled, prevents a user from initiating a collaborative session on the device + + + + + + + + + + + + + + + False + Sharing enabled + + + True + Sharing disabled + + + + + + + Teams + + + + + This node controls policies specific to the Teams App on Surface Hub + + + + + + + + + + + + + + 10.0.19042, 10.0.19041.450 + 1.0 + + + + Configurations + + + + + + String to contain Teams policy configs + + + + + + + + + + + + + + + + + + + + Properties + + + + + Node for the device properties. + + + + + + + + + + + + + + + FriendlyName + + + + + + Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. + + + + + + + + + + + + + + + + + + DefaultVolume + + + + + + 45 + Specifies the default volume value for a new session. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + [0-100] + + + + + ScreenTimeout + + + + + + 5 + Specifies the number of minutes until the Hub screen turns off. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + 0 + Never time out + + + 1 + 1 minute + + + 2 + 2 minutes + + + 3 + 3 minutes + + + 5 + 5 minutes + + + 10 + 10 minutes + + + 15 + 15 minutes + + + 30 + 30 minutes + + + 60 + 1 hour + + + 120 + 2 hours + + + 240 + 4 hours + + + + + + SleepMode + + + + + + 0 + Specifies the type of sleep mode for the Surface Hub. 
+ + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + 0 + Connected Standby + + + 1 + Hibernate + + + + + + SessionTimeout + + + + + + 1 + Specifies the number of minutes until the session times out. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + 0 + Never time out + + + 1 + 1 minute + + + 2 + 2 minutes + + + 3 + 3 minutes + + + 5 + 5 minutes + + + 10 + 10 minutes + + + 15 + 15 minutes + + + 30 + 30 minutes + + + 60 + 1 hour + + + 120 + 2 hours + + + 240 + 4 hours + + + + + + SleepTimeout + + + + + + 5 + Specifies the number of minutes until the Hub enters sleep mode. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + 0 + Never time out + + + 1 + 1 minute + + + 2 + 2 minutes + + + 3 + 3 minutes + + + 5 + 5 minutes + + + 10 + 10 minutes + + + 15 + 15 minutes + + + 30 + 30 minutes + + + 60 + 1 hour + + + 120 + 2 hours + + + 240 + 4 hours + + + + + + AllowSessionResume + + + + + + true + Specifies whether to allow the ability to resume a session when the session times out. If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + false + Disabled + + + true + Enabled + + + + + + AllowAutoProxyAuth + + + + + + true + Specifies whether to use the device account for proxy authentication. If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + false + Disabled + + + true + Enabled + + + + + + DisableSigninSuggestions + + + + + + false + Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. 
+ + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + false + Dialog will auto-populate. + + + true + Sign-in dialog will not be populated. + + + + + + SurfaceHubMeetingMode + + + + + + + 0 + Teams mode + + + + + + + + + + + + + + 10.0.15063, 10.0.14393.969 + 1.0 + + + [0-2] + + + + + VtcAppPackageId + + + + + + + App name + + + + + + + + + + + + + + 10.0.15063, 10.0.14393.969 + 1.0 + + + + + + + DoNotShowMyMeetingsAndFiles + + + + + + false + Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + true + "My meetings and files" feature will not be shown. + + + false + The "My meetings and files" feature will be shown. + + + + + + ProxyServers + + + + + + + The list of known proxy servers to provide. + + + + + + + + + + + + + + + + + + + Management + + + + + Not a supported scenario + + + + + + + + + + + + + + 10.0.15063, 10.0.14393.969 + 1.0 + + + + GroupName + + + + + + The name of the domain admin group to add to the administrators group on the device. + + + + + + + + + + + + + + + + + + GroupSid + + + + + + The sid of the domain admin group to add to the administrators group on the device. + + + + + + + + + + + + + + + + + + + MOMAgent + + + + + Node for the Microsoft Operations Management Suite. + + + + + + + + + + + + + + + WorkspaceID + + + + + + GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. + + + + + + + + + + + + + + + + + + WorkspaceKey + + + + + + Primary key for authenticating with workspace. Will always return an empty string. 
+ + + + + + + + + + + + + + + + + + + Dot3 + + + + + Parent node + + + + + + + + + + + + + + 10.0.17134, 10.0.16299.64 + 1.0 + + + + + + LanProfile + + + + + + Used to specify credentials to authenticate device to the network. + + + + + + + + + + + + + + + + + + EapUserData + + + + + + Used to specify credentials to authenticate device to the network. + + + + + + + + + + + + + + + + + + ``` -  - -  - - - - - +## Related articles +[SurfaceHub configuration service provider reference](surfacehub-csp.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index d35962adb6..3a88cd3e96 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -602,8 +602,6 @@ items: items: - name: AppLocker DDF file href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - name: AssignedAccess href: assignedaccess-csp.md items: @@ -668,12 +666,17 @@ items: - name: DeviceManageability href: devicemanageability-csp.md items: - - name: DeviceManageability DDF + - name: DeviceManageability DDF file href: devicemanageability-ddf.md + - name: DevicePreparation + href: devicepreparation-csp.md + items: + - name: DevicePreparation DDF file + href: devicepreparation-ddf-file.md - name: DeviceStatus href: devicestatus-csp.md items: - - name: DeviceStatus DDF + - name: DeviceStatus DDF file href: devicestatus-ddf.md - name: DevInfo href: devinfo-csp.md 
@@ -733,17 +736,13 @@ items:
 - name: EnterpriseDesktopAppManagement
 href: enterprisedesktopappmanagement-csp.md
 items:
- - name: EnterpriseDesktopAppManagement DDF
+ - name: EnterpriseDesktopAppManagement DDF file
 href: enterprisedesktopappmanagement-ddf-file.md
- - name: EnterpriseDesktopAppManagement XSD
- href: enterprisedesktopappmanagement2-xsd.md
 - name: EnterpriseModernAppManagement
 href: enterprisemodernappmanagement-csp.md
 items:
- - name: EnterpriseModernAppManagement DDF
+ - name: EnterpriseModernAppManagement DDF file
 href: enterprisemodernappmanagement-ddf.md
- - name: EnterpriseModernAppManagement XSD
- href: enterprisemodernappmanagement-xsd.md
 - name: eUICCs
 href: euiccs-csp.md
 items:
@@ -757,12 +756,17 @@ items:
 - name: HealthAttestation
 href: healthattestation-csp.md
 items:
- - name: HealthAttestation DDF
+ - name: HealthAttestation DDF file
 href: healthattestation-ddf.md
- - name: Local Administrator Password Solution
+ - name: LanguagePackManagement
+ href: language-pack-management-csp.md
+ items:
+ - name: LanguagePackManagement DDF file
+ href: language-pack-management-ddf-file.md
+ - name: LAPS
 href: laps-csp.md
 items:
- - name: Local Administrator Password Solution DDF
+ - name: LAPS DDF file
 href: laps-ddf-file.md
 - name: MultiSIM
 href: multisim-csp.md
@@ -791,23 +795,28 @@ items:
 - name: Office
 href: office-csp.md
 items:
- - name: Office DDF
+ - name: Office DDF file
 href: office-ddf.md
 - name: PassportForWork
 href: passportforwork-csp.md
 items:
 - name: PassportForWork DDF file
 href: passportforwork-ddf.md
- - name: PersonalDataEncryption
+ - name: PDE
 href: personaldataencryption-csp.md
 items:
- - name: PersonalDataEncryption DDF file
+ - name: PDE DDF file
 href: personaldataencryption-ddf-file.md
 - name: Personalization
 href: personalization-csp.md
 items:
 - name: Personalization DDF file
 href: personalization-ddf.md
+ - name: PrinterProvisioning
+ href: printerprovisioning-csp.md
+ items:
+ - name: PrinterProvisioning DDF file
+ href: printerprovisioning-ddf-file.md
 - name: Provisioning
 href: provisioning-csp.md
 - name: PXLOGICAL
@@ -904,8 +913,6 @@ items:
 items:
 - name: VPNv2 DDF file
 href: vpnv2-ddf-file.md
- - name: ProfileXML XSD
- href: vpnv2-profile-xsd.md
 - name: EAP configuration
 href: eap-configuration.md
 - name: w4 APPLICATION
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index ea73b10265..ce9204701c 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -1,899 +1,8980 @@ --- title: VPNv2 CSP -description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. -ms.reviewer: pesmith +description: Learn more about the VPNv2 CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/21/2021 +ms.topic: reference --- + + + # VPNv2 CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The VPNv2 configuration service provider allows the Mobile Device Management (MDM) server to configure the VPN profile of the device. Here are the requirements for this CSP: - VPN configuration commands must be wrapped in an Atomic block in SyncML. - For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies. -- Instead of changing individual properties, follow these steps to make any changes: +- In certain conditions you can change some properties directly, but we don't recommend it. Instead, follow these steps to make any changes: - Send a Delete command for the ProfileName to delete the entire profile. - Send the entire profile again with new values wrapped in an Atomic block. - In certain conditions you can change some properties directly, but we don't recommend it. 
- The XSDs for all EAP methods are shipped in the box and can be found at the following locations: - `C:\Windows\schemas\EAPHost` - `C:\Windows\schemas\EAPMethods` + -The following example shows the VPNv2 configuration service provider in tree format. + +The following list shows the VPNv2 configuration service provider nodes: +- ./Device/Vendor/MSFT/VPNv2 + - [{ProfileName}](#deviceprofilename) + - [AlwaysOn](#deviceprofilenamealwayson) + - [AlwaysOnActive](#deviceprofilenamealwaysonactive) + - [APNBinding](#deviceprofilenameapnbinding) + - [AccessPointName](#deviceprofilenameapnbindingaccesspointname) + - [AuthenticationType](#deviceprofilenameapnbindingauthenticationtype) + - [IsCompressionEnabled](#deviceprofilenameapnbindingiscompressionenabled) + - [Password](#deviceprofilenameapnbindingpassword) + - [ProviderId](#deviceprofilenameapnbindingproviderid) + - [UserName](#deviceprofilenameapnbindingusername) + - [AppTriggerList](#deviceprofilenameapptriggerlist) + - [{appTriggerRowId}](#deviceprofilenameapptriggerlistapptriggerrowid) + - [App](#deviceprofilenameapptriggerlistapptriggerrowidapp) + - [Id](#deviceprofilenameapptriggerlistapptriggerrowidappid) + - [Type](#deviceprofilenameapptriggerlistapptriggerrowidapptype) + - [ByPassForLocal](#deviceprofilenamebypassforlocal) + - [DataEncryption](#deviceprofilenamedataencryption) + - [DeviceCompliance](#deviceprofilenamedevicecompliance) + - [Enabled](#deviceprofilenamedevicecomplianceenabled) + - [Sso](#deviceprofilenamedevicecompliancesso) + - [Eku](#deviceprofilenamedevicecompliancessoeku) + - [Enabled](#deviceprofilenamedevicecompliancessoenabled) + - [IssuerHash](#deviceprofilenamedevicecompliancessoissuerhash) + - [DeviceTunnel](#deviceprofilenamedevicetunnel) + - [DisableAdvancedOptionsEditButton](#deviceprofilenamedisableadvancedoptionseditbutton) + - [DisableDisconnectButton](#deviceprofilenamedisabledisconnectbutton) + - [DisableIKEv2Fragmentation](#deviceprofilenamedisableikev2fragmentation) + - 
[DnsSuffix](#deviceprofilenamednssuffix) + - [DomainNameInformationList](#deviceprofilenamedomainnameinformationlist) + - [{dniRowId}](#deviceprofilenamedomainnameinformationlistdnirowid) + - [AutoTrigger](#deviceprofilenamedomainnameinformationlistdnirowidautotrigger) + - [DnsServers](#deviceprofilenamedomainnameinformationlistdnirowiddnsservers) + - [DomainName](#deviceprofilenamedomainnameinformationlistdnirowiddomainname) + - [DomainNameType](#deviceprofilenamedomainnameinformationlistdnirowiddomainnametype) + - [Persistent](#deviceprofilenamedomainnameinformationlistdnirowidpersistent) + - [WebProxyServers](#deviceprofilenamedomainnameinformationlistdnirowidwebproxyservers) + - [EdpModeId](#deviceprofilenameedpmodeid) + - [IPv4InterfaceMetric](#deviceprofilenameipv4interfacemetric) + - [IPv6InterfaceMetric](#deviceprofilenameipv6interfacemetric) + - [NativeProfile](#deviceprofilenamenativeprofile) + - [Authentication](#deviceprofilenamenativeprofileauthentication) + - [Certificate](#deviceprofilenamenativeprofileauthenticationcertificate) + - [Eku](#deviceprofilenamenativeprofileauthenticationcertificateeku) + - [Issuer](#deviceprofilenamenativeprofileauthenticationcertificateissuer) + - [Eap](#deviceprofilenamenativeprofileauthenticationeap) + - [Configuration](#deviceprofilenamenativeprofileauthenticationeapconfiguration) + - [Type](#deviceprofilenamenativeprofileauthenticationeaptype) + - [MachineMethod](#deviceprofilenamenativeprofileauthenticationmachinemethod) + - [UserMethod](#deviceprofilenamenativeprofileauthenticationusermethod) + - [CryptographySuite](#deviceprofilenamenativeprofilecryptographysuite) + - [AuthenticationTransformConstants](#deviceprofilenamenativeprofilecryptographysuiteauthenticationtransformconstants) + - [CipherTransformConstants](#deviceprofilenamenativeprofilecryptographysuiteciphertransformconstants) + - [DHGroup](#deviceprofilenamenativeprofilecryptographysuitedhgroup) + - 
[EncryptionMethod](#deviceprofilenamenativeprofilecryptographysuiteencryptionmethod) + - [IntegrityCheckMethod](#deviceprofilenamenativeprofilecryptographysuiteintegritycheckmethod) + - [PfsGroup](#deviceprofilenamenativeprofilecryptographysuitepfsgroup) + - [DisableClassBasedDefaultRoute](#deviceprofilenamenativeprofiledisableclassbaseddefaultroute) + - [L2tpPsk](#deviceprofilenamenativeprofilel2tppsk) + - [NativeProtocolType](#deviceprofilenamenativeprofilenativeprotocoltype) + - [PlumbIKEv2TSAsRoutes](#deviceprofilenamenativeprofileplumbikev2tsasroutes) + - [ProtocolList](#deviceprofilenamenativeprofileprotocollist) + - [NativeProtocolList](#deviceprofilenamenativeprofileprotocollistnativeprotocollist) + - [{NativeProtocolRowId}](#deviceprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowid) + - [Type](#deviceprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowidtype) + - [RetryTimeInHours](#deviceprofilenamenativeprofileprotocollistretrytimeinhours) + - [RoutingPolicyType](#deviceprofilenamenativeprofileroutingpolicytype) + - [Servers](#deviceprofilenamenativeprofileservers) + - [NetworkOutageTime](#deviceprofilenamenetworkoutagetime) + - [PluginProfile](#deviceprofilenamepluginprofile) + - [CustomConfiguration](#deviceprofilenamepluginprofilecustomconfiguration) + - [PluginPackageFamilyName](#deviceprofilenamepluginprofilepluginpackagefamilyname) + - [ServerUrlList](#deviceprofilenamepluginprofileserverurllist) + - [PrivateNetwork](#deviceprofilenameprivatenetwork) + - [ProfileXML](#deviceprofilenameprofilexml) + - [Proxy](#deviceprofilenameproxy) + - [AutoConfigUrl](#deviceprofilenameproxyautoconfigurl) + - [Manual](#deviceprofilenameproxymanual) + - [Server](#deviceprofilenameproxymanualserver) + - [RegisterDNS](#deviceprofilenameregisterdns) + - [RememberCredentials](#deviceprofilenameremembercredentials) + - [RouteList](#deviceprofilenameroutelist) + - [{routeRowId}](#deviceprofilenameroutelistrouterowid) + - 
[Address](#deviceprofilenameroutelistrouterowidaddress) + - [ExclusionRoute](#deviceprofilenameroutelistrouterowidexclusionroute) + - [Metric](#deviceprofilenameroutelistrouterowidmetric) + - [PrefixSize](#deviceprofilenameroutelistrouterowidprefixsize) + - [TrafficFilterList](#deviceprofilenametrafficfilterlist) + - [{trafficFilterId}](#deviceprofilenametrafficfilterlisttrafficfilterid) + - [App](#deviceprofilenametrafficfilterlisttrafficfilteridapp) + - [Id](#deviceprofilenametrafficfilterlisttrafficfilteridappid) + - [Type](#deviceprofilenametrafficfilterlisttrafficfilteridapptype) + - [Claims](#deviceprofilenametrafficfilterlisttrafficfilteridclaims) + - [Direction](#deviceprofilenametrafficfilterlisttrafficfilteriddirection) + - [LocalAddressRanges](#deviceprofilenametrafficfilterlisttrafficfilteridlocaladdressranges) + - [LocalPortRanges](#deviceprofilenametrafficfilterlisttrafficfilteridlocalportranges) + - [Protocol](#deviceprofilenametrafficfilterlisttrafficfilteridprotocol) + - [RemoteAddressRanges](#deviceprofilenametrafficfilterlisttrafficfilteridremoteaddressranges) + - [RemotePortRanges](#deviceprofilenametrafficfilterlisttrafficfilteridremoteportranges) + - [RoutingPolicyType](#deviceprofilenametrafficfilterlisttrafficfilteridroutingpolicytype) + - [TrustedNetworkDetection](#deviceprofilenametrustednetworkdetection) + - [UseRasCredentials](#deviceprofilenameuserascredentials) +- ./User/Vendor/MSFT/VPNv2 + - [{ProfileName}](#userprofilename) + - [AlwaysOn](#userprofilenamealwayson) + - [AlwaysOnActive](#userprofilenamealwaysonactive) + - [APNBinding](#userprofilenameapnbinding) + - [AccessPointName](#userprofilenameapnbindingaccesspointname) + - [AuthenticationType](#userprofilenameapnbindingauthenticationtype) + - [IsCompressionEnabled](#userprofilenameapnbindingiscompressionenabled) + - [Password](#userprofilenameapnbindingpassword) + - [ProviderId](#userprofilenameapnbindingproviderid) + - [UserName](#userprofilenameapnbindingusername) + - 
[AppTriggerList](#userprofilenameapptriggerlist) + - [{appTriggerRowId}](#userprofilenameapptriggerlistapptriggerrowid) + - [App](#userprofilenameapptriggerlistapptriggerrowidapp) + - [Id](#userprofilenameapptriggerlistapptriggerrowidappid) + - [Type](#userprofilenameapptriggerlistapptriggerrowidapptype) + - [ByPassForLocal](#userprofilenamebypassforlocal) + - [DataEncryption](#userprofilenamedataencryption) + - [DeviceCompliance](#userprofilenamedevicecompliance) + - [Enabled](#userprofilenamedevicecomplianceenabled) + - [Sso](#userprofilenamedevicecompliancesso) + - [Eku](#userprofilenamedevicecompliancessoeku) + - [Enabled](#userprofilenamedevicecompliancessoenabled) + - [IssuerHash](#userprofilenamedevicecompliancessoissuerhash) + - [DisableAdvancedOptionsEditButton](#userprofilenamedisableadvancedoptionseditbutton) + - [DisableDisconnectButton](#userprofilenamedisabledisconnectbutton) + - [DisableIKEv2Fragmentation](#userprofilenamedisableikev2fragmentation) + - [DnsSuffix](#userprofilenamednssuffix) + - [DomainNameInformationList](#userprofilenamedomainnameinformationlist) + - [{dniRowId}](#userprofilenamedomainnameinformationlistdnirowid) + - [AutoTrigger](#userprofilenamedomainnameinformationlistdnirowidautotrigger) + - [DnsServers](#userprofilenamedomainnameinformationlistdnirowiddnsservers) + - [DomainName](#userprofilenamedomainnameinformationlistdnirowiddomainname) + - [DomainNameType](#userprofilenamedomainnameinformationlistdnirowiddomainnametype) + - [Persistent](#userprofilenamedomainnameinformationlistdnirowidpersistent) + - [WebProxyServers](#userprofilenamedomainnameinformationlistdnirowidwebproxyservers) + - [EdpModeId](#userprofilenameedpmodeid) + - [IPv4InterfaceMetric](#userprofilenameipv4interfacemetric) + - [IPv6InterfaceMetric](#userprofilenameipv6interfacemetric) + - [NativeProfile](#userprofilenamenativeprofile) + - [Authentication](#userprofilenamenativeprofileauthentication) + - 
[Certificate](#userprofilenamenativeprofileauthenticationcertificate) + - [Eku](#userprofilenamenativeprofileauthenticationcertificateeku) + - [Issuer](#userprofilenamenativeprofileauthenticationcertificateissuer) + - [Eap](#userprofilenamenativeprofileauthenticationeap) + - [Configuration](#userprofilenamenativeprofileauthenticationeapconfiguration) + - [Type](#userprofilenamenativeprofileauthenticationeaptype) + - [MachineMethod](#userprofilenamenativeprofileauthenticationmachinemethod) + - [UserMethod](#userprofilenamenativeprofileauthenticationusermethod) + - [CryptographySuite](#userprofilenamenativeprofilecryptographysuite) + - [AuthenticationTransformConstants](#userprofilenamenativeprofilecryptographysuiteauthenticationtransformconstants) + - [CipherTransformConstants](#userprofilenamenativeprofilecryptographysuiteciphertransformconstants) + - [DHGroup](#userprofilenamenativeprofilecryptographysuitedhgroup) + - [EncryptionMethod](#userprofilenamenativeprofilecryptographysuiteencryptionmethod) + - [IntegrityCheckMethod](#userprofilenamenativeprofilecryptographysuiteintegritycheckmethod) + - [PfsGroup](#userprofilenamenativeprofilecryptographysuitepfsgroup) + - [DisableClassBasedDefaultRoute](#userprofilenamenativeprofiledisableclassbaseddefaultroute) + - [L2tpPsk](#userprofilenamenativeprofilel2tppsk) + - [NativeProtocolType](#userprofilenamenativeprofilenativeprotocoltype) + - [PlumbIKEv2TSAsRoutes](#userprofilenamenativeprofileplumbikev2tsasroutes) + - [ProtocolList](#userprofilenamenativeprofileprotocollist) + - [NativeProtocolList](#userprofilenamenativeprofileprotocollistnativeprotocollist) + - [{NativeProtocolRowId}](#userprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowid) + - [Type](#userprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowidtype) + - [RetryTimeInHours](#userprofilenamenativeprofileprotocollistretrytimeinhours) + - [RoutingPolicyType](#userprofilenamenativeprofileroutingpolicytype) + - 
[Servers](#userprofilenamenativeprofileservers) + - [NetworkOutageTime](#userprofilenamenetworkoutagetime) + - [PluginProfile](#userprofilenamepluginprofile) + - [CustomConfiguration](#userprofilenamepluginprofilecustomconfiguration) + - [PluginPackageFamilyName](#userprofilenamepluginprofilepluginpackagefamilyname) + - [ServerUrlList](#userprofilenamepluginprofileserverurllist) + - [PrivateNetwork](#userprofilenameprivatenetwork) + - [ProfileXML](#userprofilenameprofilexml) + - [Proxy](#userprofilenameproxy) + - [AutoConfigUrl](#userprofilenameproxyautoconfigurl) + - [Manual](#userprofilenameproxymanual) + - [Server](#userprofilenameproxymanualserver) + - [RegisterDNS](#userprofilenameregisterdns) + - [RememberCredentials](#userprofilenameremembercredentials) + - [RequireVpnClientAppUI](#userprofilenamerequirevpnclientappui) + - [RouteList](#userprofilenameroutelist) + - [{routeRowId}](#userprofilenameroutelistrouterowid) + - [Address](#userprofilenameroutelistrouterowidaddress) + - [ExclusionRoute](#userprofilenameroutelistrouterowidexclusionroute) + - [Metric](#userprofilenameroutelistrouterowidmetric) + - [PrefixSize](#userprofilenameroutelistrouterowidprefixsize) + - [TrafficFilterList](#userprofilenametrafficfilterlist) + - [{trafficFilterId}](#userprofilenametrafficfilterlisttrafficfilterid) + - [App](#userprofilenametrafficfilterlisttrafficfilteridapp) + - [Id](#userprofilenametrafficfilterlisttrafficfilteridappid) + - [Type](#userprofilenametrafficfilterlisttrafficfilteridapptype) + - [Claims](#userprofilenametrafficfilterlisttrafficfilteridclaims) + - [Direction](#userprofilenametrafficfilterlisttrafficfilteriddirection) + - [LocalAddressRanges](#userprofilenametrafficfilterlisttrafficfilteridlocaladdressranges) + - [LocalPortRanges](#userprofilenametrafficfilterlisttrafficfilteridlocalportranges) + - [Protocol](#userprofilenametrafficfilterlisttrafficfilteridprotocol) + - 
[RemoteAddressRanges](#userprofilenametrafficfilterlisttrafficfilteridremoteaddressranges) + - [RemotePortRanges](#userprofilenametrafficfilterlisttrafficfilteridremoteportranges) + - [RoutingPolicyType](#userprofilenametrafficfilterlisttrafficfilteridroutingpolicytype) + - [TrustedNetworkDetection](#userprofilenametrustednetworkdetection) + - [UseRasCredentials](#userprofilenameuserascredentials) + + + +## Device/{ProfileName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName} ``` -./Vendor/MSFT -VPNv2 -----ProfileName ---------AppTriggerList -------------appTriggerRowId -----------------App ---------------------Id ---------------------Type ---------RouteList -------------routeRowId -----------------Address -----------------PrefixSize -----------------Metric -----------------ExclusionRoute ---------DomainNameInformationList -------------dniRowId -----------------DomainName -----------------DomainNameType -----------------DnsServers -----------------WebProxyServers -----------------AutoTrigger -----------------Persistent ---------TrafficFilterList -------------trafficFilterId -----------------App ---------------------Id ---------------------Type -----------------Claims -----------------Protocol -----------------LocalPortRanges -----------------RemotePortRanges -----------------LocalAddressRanges -----------------RemoteAddressRanges -----------------RoutingPolicyType -----------------Direction ---------EdpModeId ---------RememberCredentials ---------AlwaysOn ---------LockDown ---------DeviceTunnel ---------RegisterDNS ---------DnsSuffix ---------ByPassForLocal ---------TrustedNetworkDetection ---------ProfileXML ---------Proxy -------------Manual -----------------Server -------------AutoConfigUrl ---------APNBinding -------------ProviderId -------------AccessPointName -------------UserName -------------Password -------------IsCompressionEnabled -------------AuthenticationType ---------DeviceCompliance -------------Enabled -------------Sso -----------------Enabled -----------------IssuerHash -----------------Eku ---------PluginProfile -------------ServerUrlList -------------CustomConfiguration -------------PluginPackageFamilyName -------------CustomStoreUrl -------------WebAuth -----------------Enabled -----------------ClientId ---------NativeProfile -------------Servers 
-------------RoutingPolicyType -------------NativeProtocolType -------------Authentication -----------------UserMethod -----------------MachineMethod -----------------Eap ---------------------Configuration ---------------------Type -----------------Certificate ---------------------Issuer ---------------------Eku -------------CryptographySuite -----------------AuthenticationTransformConstants -----------------CipherTransformConstants -----------------EncryptionMethod -----------------IntegrityCheckMethod -----------------DHGroup -----------------PfsGroup -------------L2tpPsk -------------DisableClassBasedDefaultRoute -------------PlumbIKEv2TSAsRoutes + + + +Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + -./User/Vendor/MSFT -VPNv2 -----ProfileName ---------AppTriggerList -------------appTriggerRowId -----------------App ---------------------Id ---------------------Type ---------RouteList -------------routeRowId -----------------Address -----------------PrefixSize -----------------Metric -----------------ExclusionRoute ---------DomainNameInformationList -------------dniRowId -----------------DomainName -----------------DomainNameType -----------------DnsServers -----------------WebProxyServers -----------------AutoTrigger -----------------Persistent ---------TrafficFilterList -------------trafficFilterId -----------------App ---------------------Id ---------------------Type -----------------Claims -----------------Protocol -----------------LocalPortRanges -----------------RemotePortRanges -----------------LocalAddressRanges -----------------RemoteAddressRanges -----------------RoutingPolicyType ---------EdpModeId ---------RememberCredentials ---------AlwaysOn ---------DnsSuffix ---------ByPassForLocal ---------TrustedNetworkDetection ---------ProfileXML ---------Proxy 
-------------Manual -----------------Server -------------AutoConfigUrl ---------APNBinding -------------ProviderId -------------AccessPointName -------------UserName -------------Password -------------IsCompressionEnabled -------------AuthenticationType ---------DeviceCompliance -------------Enabled -------------Sso -----------------Enabled -----------------IssuerHash -----------------Eku ---------PluginProfile -------------ServerUrlList -------------CustomConfiguration -------------PluginPackageFamilyName -------------CustomStoreUrl -------------WebAuth -----------------Enabled -----------------ClientId ---------NativeProfile -------------Servers -------------RoutingPolicyType -------------NativeProtocolType -------------Authentication -----------------UserMethod -----------------MachineMethod -----------------Eap ---------------------Configuration ---------------------Type -----------------Certificate ---------------------Issuer ---------------------Eku -------------CryptographySuite -----------------AuthenticationTransformConstants -----------------CipherTransformConstants -----------------EncryptionMethod -----------------IntegrityCheckMethod -----------------DHGroup -----------------PfsGroup -------------L2tpPsk -------------DisableClassBasedDefaultRoute -------------PlumbIKEv2TSAsRoutes + + + + +**Description framework properties**: -./Vendor/MSFT -./User/Vendor/MSFT -VPNv2 -----ProfileName ---------AppTriggerList -------------appTriggerRowId -----------------App ---------------------Id ---------------------Type ---------RouteList -------------routeRowId -----------------Address -----------------PrefixSize -----------------Metric -----------------ExclusionRoute ---------DomainNameInformationList -------------dniRowId -----------------DomainName -----------------DomainNameType -----------------DnsServers -----------------WebProxyServers -----------------AutoTrigger -----------------Persistent ---------TrafficFilterList -------------trafficFilterId 
-----------------App ---------------------Id ---------------------Type -----------------Claims -----------------Protocol -----------------LocalPortRanges -----------------RemotePortRanges -----------------LocalAddressRanges -----------------RemoteAddressRanges -----------------RoutingPolicyType -----------------Direction ---------EdpModeId ---------RememberCredentials ---------AlwaysOn ---------LockDown ---------DeviceTunnel ---------RegisterDNS ---------DnsSuffix ---------ByPassForLocal ---------TrustedNetworkDetection ---------ProfileXML ---------Proxy -------------Manual -----------------Server -------------AutoConfigUrl ---------APNBinding -------------ProviderId -------------AccessPointName -------------UserName -------------Password -------------IsCompressionEnabled -------------AuthenticationType ---------DeviceCompliance -------------Enabled -------------Sso -----------------Enabled -----------------IssuerHash -----------------Eku ---------PluginProfile -------------ServerUrlList -------------CustomConfiguration -------------PluginPackageFamilyName -------------CustomStoreUrl -------------WebAuth -----------------Enabled -----------------ClientId ---------NativeProfile -------------Servers -------------RoutingPolicyType -------------NativeProtocolType -------------Authentication -----------------UserMethod -----------------MachineMethod -----------------Eap ---------------------Configuration ---------------------Type -----------------Certificate ---------------------Issuer ---------------------Eku -------------CryptographySuite -----------------AuthenticationTransformConstants -----------------CipherTransformConstants -----------------EncryptionMethod -----------------IntegrityCheckMethod -----------------DHGroup -----------------PfsGroup -------------L2tpPsk -------------DisableClassBasedDefaultRoute -------------PlumbIKEv2TSAsRoutes +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic 
Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `^[^/]*$` | + + + + + + + + + +### Device/{ProfileName}/AlwaysOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn ``` -**Device or User profile** -For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path. + -**VPNv2/**ProfileName -Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). + + +An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. + -Supported operations include Get, Add, and Delete. + + + -> [!NOTE] -> If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + +**Description framework properties**: -**VPNv2/**ProfileName**/AppTriggerList** -Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + -**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId -A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers. + +**Allowed values**: -Supported operations include Get, Add, Replace, and Delete. +| Value | Description | +|:--|:--| +| false (Default) | Always On is turned off. | +| true | Always On is turned on. | + -**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App** -App Node under the Row ID. + + + -**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id** -App identity, which is either an app’s package family name or file path. 
The type is inferred by the ID, and therefore can't be specified in the get only App/Type field -**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type** -Returns the type of **App/Id**. This value can be either of the following values: + -- PackageFamilyName - When this value is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. -- FilePath - When this value is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`. + +### Device/{ProfileName}/AlwaysOnActive -Value type is chr. Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**VPNv2/**ProfileName**/RouteList/** -Optional node. List of routes to be added to the routing table for the VPN interface. This information is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface. + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive +``` + -Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length. + + +An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. + -Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and don't need this information in the VPN Profile. Check with your VPN server administrator to determine whether you need this information in the VPN profile. + + + -**VPNv2/**ProfileName**/RouteList/**routeRowId + +**Description framework properties**: -A sequential integer identifier for the RouteList. This value is required if you're adding routes. Sequencing must start at 0. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -Supported operations include Get, Add, Replace, and Delete. 
+ +**Allowed values**: -**VPNv2/**ProfileName**/RouteList/**routeRowId**/Address** -Subnet address in IPv4/v6 address format which, along with the prefix, will be used to determine the destination prefix to send via the VPN Interface. This subnet address is the IP address part of the destination prefix. +| Value | Description | +|:--|:--| +| 0 | Always On is inactive. | +| 1 (Default) | Always On is activated on provisioning. | + -Supported operations include Get, Add, Replace, and Delete. Value type is chr. Example, `192.168.0.0` + + + -**VPNv2/**ProfileName**/RouteList/**routeRowId**/PrefixSize** -The subnet prefix size part of the destination prefix for the route entry. This subnet prefix, along with the address, will be used to determine the destination prefix to route through the VPN Interface. + -Value type is int. Supported operations include Get, Add, Replace, and Delete. + +### Device/{ProfileName}/APNBinding -**VPNv2/**ProfileName**/RouteList/**routeRowId**/Metric** -Added in Windows 10, version 1607. The route's metric. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is int. Supported operations include Get, Add, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding +``` + -**VPNv2/**ProfileName**/RouteList/**routeRowId**/ExclusionRoute** -Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values: + + +Reserved for future use. + -- False (default) - This route will direct traffic over the VPN -- True - This route will direct traffic over the physical interface. + + + -Supported operations include Get, Add, Replace, and Delete. + +**Description framework properties**: -**VPNv2/**ProfileName**/DomainNameInformationList** -Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before name resolution queries are issued, the DNS client consults the NRPT to determine if any extra flags must be set in the query. After the response is received, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. + + + + + + +#### Device/{ProfileName}/APNBinding/AccessPointName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/AuthenticationType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/IsCompressionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/Password + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/ProviderId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/UserName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/AppTriggerList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList +``` + + + + +List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProfileName}/AppTriggerList/{appTriggerRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId} +``` + + + + +A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. | + + + + + + + + + +##### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App +``` + + + + +App Node under the Row Id. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id +``` + + + + +App Identity. Specified, based on the Type Field. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type +``` + + + + +Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Device/{ProfileName}/ByPassForLocal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal +``` + + + + +False : Do not Bypass for Local traffic +True : ByPass VPN Interface for Local Traffic + +Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/DataEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption +``` + + + + +Determines the level of data encryption required for the connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Require | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | No Data Encryption required. | +| Require (Default) | Data Encryption required. | +| Max | Maximum-strength Data Encryption required. | +| Optional | Perform encryption if possible. | + + + + + + + + + +### Device/{ProfileName}/DeviceCompliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance +``` + + + + +Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### Device/{ProfileName}/DeviceCompliance/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled +``` + + + + +Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{ProfileName}/DeviceCompliance/Sso + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso +``` + + + + +Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +##### Device/{ProfileName}/DeviceCompliance/Sso/Eku + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku +``` + + + + +Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/DeviceCompliance/Sso/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled +``` + + + + +If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +##### Device/{ProfileName}/DeviceCompliance/Sso/IssuerHash + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash +``` + + + + +Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/DeviceTunnel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceTunnel +``` + + + + +If turned on a device tunnel profile does four things. +First, it automatically becomes an always on profile. +Second, it does not require the presence or logging in of any user to the machine in order for it to connect. +Third, no other Device Tunnel profile maybe be present on the same machine. +A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This is not a device tunnel profile. | +| true | This is a device tunnel profile. | + + + + + + + + + +### Device/{ProfileName}/DisableAdvancedOptionsEditButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton +``` + + + + +Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Advanced Options Edit Button is available. | +| true | Advanced Options Edit Button is unavailable. | + + + + + + + + + +### Device/{ProfileName}/DisableDisconnectButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton +``` + + + + +Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disconnect Button is visible. | +| true | Disconnect Button is not visible. | + + + + + + + + + +### Device/{ProfileName}/DisableIKEv2Fragmentation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation +``` + + + + +Set to disable IKEv2 Fragmentation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | IKEv2 Fragmentation will not be used. | +| false (Default) | IKEv2 Fragmentation is used as normal. | + + + + + + + + + +### Device/{ProfileName}/DnsSuffix + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix +``` + + + + +Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/DomainNameInformationList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList +``` + + + + +NRPT ([Name Resolution Policy Table](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593632(v=ws.11))) Rules for the VPN Profile. + + + + > [!NOTE] > Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. + -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProfileName}/DomainNameInformationList/{dniRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId} +``` + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. - -Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainName** -Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: - -- FQDN - Fully qualified domain name -- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend .**.** to the DNS suffix. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType** -Returns the namespace type. This value can be one of the following values: - -- FQDN - If the DomainName wasn't prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host. -- Suffix - If the DomainName was prepended with a**.** and applies to the specified namespace, all records in that namespace, and all subdomains. - -Value type is chr. Supported operation is Get. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers** -List of comma-separated DNS Server IP addresses to use for the namespace. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** -Optional. Web Proxy Server IP address if you're redirecting traffic through your intranet. - -> [!NOTE] -> Currently only one web proxy server is supported. - -Value type is chr. 
Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger** -Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN. - -If set to False, this DomainName rule won't trigger the VPN. - -If set to True, this DomainName rule will trigger the VPN - -By default, this value is false. - -Value type is bool. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent** -Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN isn't connected. Value values: - -- False (default) - This DomainName rule will only be applied when VPN is connected. -- True - This DomainName rule will always be present and applied. - -Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList** -An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface. - -> [!NOTE] -> Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules. - -When multiple rules are being added, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId -A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App** -Per app VPN rule. This property will allow only the apps specified to be allowed over the VPN interface. Value type is chr. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Id** -App identity for the app-based traffic filter. - -The value for this node can be one of the following values: - -- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. 
The PackageFamilyName is the unique name of a Microsoft Store application. -- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`. -- SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Type** -Returns the type of ID of the **App/Id**. - -Value type is chr. Supported operation is Get. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Claims** -Reserved for future use. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Protocol** -Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17. - -Value type is int. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges** -A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. - -> [!NOTE] -> Ports are only valid when the protocol is set to TCP=6 or UDP=17. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges** -A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. - -> [!NOTE] -> Ports are only valid when the protocol is set to TCP=6 or UDP=17. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges** -A list of comma-separated values specifying local IP address ranges to allow. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. 
- -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges** -A list of comma-separated values specifying remote IP address ranges to allow. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType** -Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following values: - -- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. -- ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only. - -This property is only applicable for App ID-based Traffic Filter rules. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Direction** -Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following values: - -- Outbound - The rule applies to all outbound traffic -- Inbound - The rule applies to all inbound traffic - -If no inbound filter is provided, then by default all unsolicited inbound traffic will be blocked. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/EdpModeId** -Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. 
- -Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/RememberCredentials** -Boolean value (true or false) for caching credentials. Default is false, which means don't cache credentials. If set to true, credentials are cached whenever possible. - -Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/AlwaysOn** -An optional flag to enable Always On mode. This flag will automatically connect the VPN at sign in and will stay connected until the user manually disconnects. - -> [!NOTE] -> Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active. - -Preserving user Always On preference - -Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. -Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference. -Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config` -Value: AutoTriggerDisabledProfilesList -Type: REG_MULTI_SZ - - -Valid values: - -- False (default) - Always On is turned off. -- True - Always On is turned on. - -Value type is bool. Supported operations include Get, Add, Replace, and Delete. 
- -**VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile) -Device tunnel profile. - -Valid values: - -- False (default) - this profile isn't a device tunnel profile. -- True - this profile is a device tunnel profile. - -When the DeviceTunnel profile is turned on, it does the following things: - -- First, it automatically becomes an "always on" profile. -- Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect. -- Third, no other device tunnel profile maybe is present on the same machine.- - -A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. - -Value type is bool. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/RegisterDNS** -Allows registration of the connection's address in DNS. - -Valid values: - -- False = Don't register the connection's address in DNS (default). -- True = Register the connection's addresses in DNS. - -**VPNv2/**ProfileName**/DnsSuffix** -Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/ByPassForLocal** -Reserved for future use. - -**VPNv2/**ProfileName**/TrustedNetworkDetection** -Optional. Comma-separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. 
- -**VPNv2/**ProfileName**/ProfileXML** -Added in Windows 10, version 1607. The XML schema for provisioning all the fields of a VPN. For the XSD, see [ProfileXML XSD](vpnv2-profile-xsd.md). - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/Proxy** -A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected. - -> [!NOTE] -> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used. - -**VPNv2/**ProfileName**/Proxy/Manual** -Optional node containing the manual server settings. - -**VPNv2/**ProfileName**/Proxy/Manual/Server** -Optional. Proxy server address as a fully qualified hostname or an IP address. You should set this element together with Port. Example, proxy.contoso.com. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/Proxy/AutoConfigUrl** -Optional. URL to automatically retrieve the proxy settings. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/APNBinding** -Reserved for future use. - -**VPNv2/**ProfileName**/APNBinding/ProviderId** -Reserved for future use. Optional node. - -**VPNv2/**ProfileName**/APNBinding/AccessPointName** -Reserved for future use. - -**VPNv2/**ProfileName**/APNBinding/UserName** -Reserved for future use. - -**VPNv2/**ProfileName**/APNBinding/Password** -Reserved for future use. - -**VPNv2/**ProfileName**/APNBinding/IsCompressionEnabled** -Reserved for future use. - -**VPNv2/**ProfileName**/APNBinding/AuthenticationType** -Reserved for future use. - -**VPNv2/**ProfileName**/DeviceCompliance** -Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable Azure Active Directory-based Conditional Access for VPN. 
- -**VPNv2/**ProfileName**/DeviceCompliance/Enabled** -Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory (AAD). - -Value type is bool. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DeviceCompliance/Sso** -Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication if there's Device Compliance. - -**VPNv2/**ProfileName**/DeviceCompliance/Sso/Enabled** -Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication. - -Value type is bool. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DeviceCompliance/Sso/IssuerHash** -Added in Windows 10, version 1607. Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DeviceCompliance/Sso/Eku** -Added in Windows 10, version 1607. Comma-Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/PluginProfile** -Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. - -**VPNv2/**ProfileName**/PluginProfile/ServerUrlList** -Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. 
- -**VPNv2/**ProfileName**/PluginProfile/CustomConfiguration** -Optional. This property is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations and defaults. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/PluginProfile/PluginPackageFamilyName** -Required for plug-in profiles. Package family name for the SSL-VPN plug-in. - -Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/PluginProfile/CustomStoreUrl** -Reserved for future use. - -**VPNv2/**ProfileName**/NativeProfile** -Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP). - -**VPNv2/**ProfileName**/NativeProfile/Servers** -Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. - -The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. - -You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType** -Optional for native profiles. Type of routing policy. 
This value can be one of the following values: - -- SplitTunnel - Traffic can go over any interface as determined by the networking stack. -- ForceTunnel - All IP traffic must go over the VPN interface. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/NativeProfile/NativeProtocolType** -Required for native profiles. Type of tunneling protocol used. This value can be one of the following values: - -- PPTP -- L2TP -- IKEv2 -- Automatic - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -> [!NOTE] -> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order isn't customizable. - -**VPNv2/**ProfileName**/NativeProfile/Authentication** + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0. | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger +``` + + + + +Boolean to determine whether this domain name rule will trigger the VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This DomainName rule will not trigger the VPN. | +| true | This DomainName rule will trigger the VPN. | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers +``` + + + + +Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName +``` + + + + +Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType +``` + + + + +Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent +``` + + + + +A boolean value that specifies if the rule being added should persist even when the VPN is not connected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This DomainName rule will only be applied when VPN is connected. | +| true | This DomainName rule will always be present and applied. | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers +``` + + + + +Web Proxy Server IP address if you are redirecting traffic through your intranet. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/EdpModeId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId +``` + + + + +Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/IPv4InterfaceMetric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric +``` + + + + +The metric for the IPv4 interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-9999]` | + + + + + + + + + +### Device/{ProfileName}/IPv6InterfaceMetric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric +``` + + + + +The metric for the IPv6 interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-9999]` | + + + + + + + + + +### Device/{ProfileName}/NativeProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile +``` + + + + +Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/Authentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication +``` + + + + Required node for native profile. It contains authentication information for the native VPN profile. + -**VPNv2/**ProfileName**/NativeProfile/Authentication/UserMethod** -This value can be one of the following: + + + -- EAP -- MSChapv2 (This method isn't supported for IKEv2) + +**Description framework properties**: -Value type is chr. Supported operations include Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**VPNv2/**ProfileName**/NativeProfile/Authentication/MachineMethod** -This is only supported in IKEv2. + + + -This value can be one of the following values: + -- Certificate + +##### Device/{ProfileName}/NativeProfile/Authentication/Certificate -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap** + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/{ProfileName}/NativeProfile/Authentication/Certificate/Eku + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/Authentication/Eap + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap +``` + + + + Required when the native profile specifies EAP authentication. EAP configuration XML. + -Supported operations include Get, Add, Replace, and Delete. + + + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Configuration** -HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see [EAP configuration](eap-configuration.md). + +**Description framework properties**: -Value type is chr. Supported operations include Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Type** + + + + + + + +###### Device/{ProfileName}/NativeProfile/Authentication/Eap/Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration +``` + + + + +HTML encoded XML of the EAP configuration. For more information,see [EAP configuration](eap-configuration.md). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/{ProfileName}/NativeProfile/Authentication/Eap/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type +``` + + + + +Required node for EAP profiles. This specifies the EAP Type ID +13 = EAP-TLS +26 = Ms-Chapv2 +27 = Peap. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/Authentication/MachineMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod +``` + + + + +This is only supported in IKEv2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Certificate | Certificate. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/Authentication/UserMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod +``` + + + + +Type of user authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| EAP | EAP. | +| MSChapv2 | MSChapv2: This is not supported for IKEv2. | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/CryptographySuite + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite +``` + + + + +Properties of IPSec tunnels. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants +``` + + + + +Type of authentication transform constant. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| MD596 | MD596. | +| SHA196 | SHA196. | +| SHA256128 | SHA256128. | +| GCMAES128 | GCMAES128. | +| GCMAES192 | GCMAES192. | +| GCMAES256 | GCMAES256. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants +``` + + + + +Type of Cipher transform constant. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| DES | DES. | +| DES3 | DES3. | +| AES128 | AES128. | +| AES192 | AES192. | +| AES256 | AES256. | +| GCMAES128 | GCMAES128. | +| GCMAES192 | GCMAES192. | +| GCMAES256 | GCMAES256. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/DHGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup +``` + + + + +Group used for DH (Diffie-Hellman). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | None. | +| Group1 | Group1. | +| Group2 | Group2. | +| Group14 | Group14. | +| ECP256 | ECP256. | +| ECP384 | ECP384. | +| Group24 | Group24. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod +``` + + + + +Type of encryption method. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| DES | DES. | +| DES3 | DES3. | +| AES128 | AES128. | +| AES192 | AES192. | +| AES256 | AES256. | +| AES_GCM_128 | AES_GCM_128. | +| AES_GCM_256 | AES_GCM_256. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod +``` + + + + +Type of integrity check. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| MD5 | MD5. | +| SHA196 | SHA196. | +| SHA256 | SHA256. | +| SHA384 | SHA384. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup +``` + + + + +Group used for PFS (Perfect Forward Secrecy). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | None. | +| PFS1 | PFS1. | +| PFS2 | PFS2. | +| PFS2048 | PFS2048. | +| ECP256 | ECP256. | +| ECP384 | ECP384. | +| PFSMM | PFSMM. | +| PFS24 | PFS24. | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute +``` + + + + +Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Enabled. | +| true | Disabled. | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/L2tpPsk + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk +``` + + + + +The preshared key used for an L2TP connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/NativeProtocolType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType +``` + + + + +Required for native profiles. Type of tunneling protocol used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| PPTP | PPTP. | +| L2TP | L2TP. | +| IKEv2 | IKEv2. | +| Automatic | Automatic. | +| SSTP | SSTP. | +| ProtocolList | ProtocolList. | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes +``` + + + + +True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/ProtocolList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList +``` + + + + +List of inbox VPN protocols in priority order. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +###### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type +``` + + + + +Inbox VPN protocols type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Pptp | Pptp. | +| L2tp | L2tp. | +| Ikev2 | Ikev2. | +| Sstp | Sstp. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours +``` + + + + +Default 168, max 500000. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/RoutingPolicyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType +``` + + + + +Type of routing policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| SplitTunnel | Traffic can go over any interface as determined by the networking stack. | +| ForceTunnel | All IP traffic must go over the VPN interface. | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/Servers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers +``` + + + + +Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/NetworkOutageTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime +``` + + + + +The amount of time in seconds the network is allowed to idle. 0 means no limit. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | + + + + + + + + + +### Device/{ProfileName}/PluginProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile +``` + + + + +Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### Device/{ProfileName}/PluginProfile/CustomConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration +``` + + + + +Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/PluginProfile/PluginPackageFamilyName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName +``` + + + + +Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/PluginProfile/ServerUrlList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList +``` + + + + +Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/PrivateNetwork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork +``` + + + + +Determines whether the VPN connection is public or private. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | VPN connection is public. | +| true (Default) | VPN connection is private. | + + + + + + + + + +### Device/{ProfileName}/ProfileXML + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML +``` + + + + +The XML schema for provisioning all the fields of a VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | See [ProfileXML XSD Schema](#profilexml-xsd-schema) | + + + + + + + + + +### Device/{ProfileName}/Proxy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy +``` + + + + +A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProfileName}/Proxy/AutoConfigUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl +``` + + + + +Optional. Set a URL to automatically retrieve the proxy settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/Proxy/Manual + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual +``` + + + + +Optional node containing the manual server settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Device/{ProfileName}/Proxy/Manual/Server + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server +``` + + + + +Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/RegisterDNS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS +``` + + + + +Allows registration of the connection's address in DNS. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Do not register the connection's address in DNS. | +| true | Register the connection's addresses in DNS. | + + + + + + + + + +### Device/{ProfileName}/RememberCredentials + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials +``` + + + + +Boolean value (true or false) for caching credentials. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Do not cache credentials. | +| true | Credentials are cached whenever possible. | + + + + + + + + + +### Device/{ProfileName}/RouteList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList +``` + + + + +List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProfileName}/RouteList/{routeRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId} +``` + + + + +A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. | + + + + + + + + + +##### Device/{ProfileName}/RouteList/{routeRowId}/Address + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address +``` + + + + +Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute +``` + + + + +A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This route will direct traffic over the VPN. | +| true | This route will direct traffic over the physical interface. | + + + + + + + + + +##### Device/{ProfileName}/RouteList/{routeRowId}/Metric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric +``` + + + + +The route's metric. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/RouteList/{routeRowId}/PrefixSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize +``` + + + + +The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | + + + + + + + + + +### Device/{ProfileName}/TrafficFilterList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList +``` + + + + +A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. + + + + +> [!NOTE] +> Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProfileName}/TrafficFilterList/{trafficFilterId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId} +``` + + + + +A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App +``` + + + + +Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id +``` + + + + +App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type +``` + + + + +Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims +``` + + + + +Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction +``` + + + + +Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. +Inbound - The traffic filter allows traffic coming from external locations matching this rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges +``` + + + + +A list of comma separated values specifying local IP address ranges to allow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges +``` + + + + +Comma Separated list of ranges for eg. 100-120,200,300-320. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^[\d]*$` | +| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
    Dependency Allowed Value: `[6,17]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol +``` + + + + +0-255 number representing the ip protocol (TCP = 6, UDP = 17). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-255]` | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges +``` + + + + +A list of comma separated values specifying remote IP address ranges to allow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges +``` + + + + +A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^[\d]*$` | +| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
    Dependency Allowed Value: `[6,17]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType +``` + + + + +Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| SplitTunnel | For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. | +| ForceTunnel | For this traffic rule all IP traffic must go through the VPN Interface only. | + + + + + + + + + +### Device/{ProfileName}/TrustedNetworkDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection +``` + + + + +Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | `,` | + + + + + + + + + +### Device/{ProfileName}/UseRasCredentials + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials +``` + + + + +Determines whether the credential manager will save ras credentials after a connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Ras Credentials are not saved. | +| true (Default) | Ras Credentials are saved. | + + + + + + + + + +## User/{ProfileName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName} +``` + + + + +Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `^[^/]*$` | + + + + + + + + + +### User/{ProfileName}/AlwaysOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn +``` + + + + +An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Always On is turned off. | +| true | Always On is turned on. | + + + + + + + + + +### User/{ProfileName}/AlwaysOnActive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive +``` + + + + +An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Always On is inactive. | +| 1 (Default) | Always On is activated on provisioning. | + + + + + + + + + +### User/{ProfileName}/APNBinding + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding +``` + + + + Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/APNBinding/AccessPointName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName +``` + + + + Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Issuer** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/APNBinding/AuthenticationType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType +``` + + + + Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Eku** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/APNBinding/IsCompressionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled +``` + + + + Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite** -Added in Windows 10, version 1607. Properties of IPSec tunnels. + + + -[!NOTE] If you specify any of the properties under CryptographySuite, you must specify all of them. It's not valid to specify just some of the properties. + +**Description framework properties**: -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/AuthenticationTransformConstants** -Added in Windows 10, version 1607. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + -The following list contains the valid values: + + + -- MD596 -- SHA196 -- SHA256128 -- GCMAES128 -- GCMAES192 -- GCMAES256 + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +#### User/{ProfileName}/APNBinding/Password -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/CipherTransformConstants** -Added in Windows 10, version 1607. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -The following list contains the valid values: + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password +``` + -- DES -- DES3 -- AES128 -- AES192 -- AES256 -- GCMAES128 -- GCMAES192 -- GCMAES256 + + +Reserved for future use. + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + + + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/EncryptionMethod** -Added in Windows 10, version 1607. + +**Description framework properties**: -The following list contains the valid values: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- DES -- DES3 -- AES128 -- AES192 -- AES256 -- AES\_GCM_128 -- AES\_GCM_256 + + + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/IntegrityCheckMethod** -Added in Windows 10, version 1607. + +#### User/{ProfileName}/APNBinding/ProviderId -The following list contains the valid values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- MD5 -- SHA196 -- SHA256 -- SHA384 + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId +``` + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + + +Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/DHGroup** -Added in Windows 10, version 1607. + + + -The following list contains the valid values: + +**Description framework properties**: -- Group1 -- Group2 -- Group14 -- ECP256 -- ECP384 -- Group24 +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + + + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/PfsGroup** -Added in Windows 10, version 1607. + -The following list contains the valid values: + +#### User/{ProfileName}/APNBinding/UserName -- PFS1 -- PFS2 -- PFS2048 -- ECP256 -- ECP384 -- PFSMM -- PFS24 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName +``` + -**VPNv2/**ProfileName**/NativeProfile/L2tpPsk** -Added in Windows 10, version 1607. The preshared key used for an L2TP connection. + + +Reserved for future use. + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + + + -**VPNv2/**ProfileName**/NativeProfile/DisableClassBasedDefaultRoute** -Added in Windows 10, version 1607. Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a class an IP and pushes the route to 10.0.0.0/8 + +**Description framework properties**: -Value type is bool. Supported operations include Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**VPNv2/**ProfileName**/NativeProfile/PlumbIKEv2TSAsRoutes** -Determines whether plumbing IPSec traffic selectors as routes onto VPN interface is enabled. + + + -If set to False, plumbing traffic selectors as routes is disabled. + -If set to True, plumbing traffic selectors as routes is enabled. + +### User/{ProfileName}/AppTriggerList -By default, this value is set to False. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is bool. Supported operations include Get, Add, Replace, and Delete. + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList +``` + + + + +List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/AppTriggerList/{appTriggerRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId} +``` + + + + +A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. | + + + + + + + + + +##### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App +``` + + + + +App Node under the Row Id. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id +``` + + + + +App Identity. Specified, based on the Type Field. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type +``` + + + + +Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### User/{ProfileName}/ByPassForLocal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal +``` + + + + +False : Do not Bypass for Local traffic +True : ByPass VPN Interface for Local Traffic + +Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/DataEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption +``` + + + + +Determines the level of data encryption required for the connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Require | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | No Data Encryption required. | +| Require (Default) | Data Encryption required. | +| Max | Maximum-strength Data Encryption required. | +| Optional | Perform encryption if possible. | + + + + + + + + + +### User/{ProfileName}/DeviceCompliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance +``` + + + + +Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### User/{ProfileName}/DeviceCompliance/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled +``` + + + + +Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +#### User/{ProfileName}/DeviceCompliance/Sso + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso +``` + + + + +Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +##### User/{ProfileName}/DeviceCompliance/Sso/Eku + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku +``` + + + + +Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/DeviceCompliance/Sso/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled +``` + + + + +If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +##### User/{ProfileName}/DeviceCompliance/Sso/IssuerHash + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash +``` + + + + +Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/DisableAdvancedOptionsEditButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton +``` + + + + +Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Advanced Options Edit Button is available. | +| true | Advanced Options Edit Button is unavailable. | + + + + + + + + + +### User/{ProfileName}/DisableDisconnectButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton +``` + + + + +Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disconnect Button is visible. | +| true | Disconnect Button is not visible. | + + + + + + + + + +### User/{ProfileName}/DisableIKEv2Fragmentation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation +``` + + + + +Set to disable IKEv2 Fragmentation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | IKEv2 Fragmentation will not be used. | +| false (Default) | IKEv2 Fragmentation is used as normal. | + + + + + + + + + +### User/{ProfileName}/DnsSuffix + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix +``` + + + + +Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/DomainNameInformationList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList +``` + + + + +NRPT ([Name Resolution Policy Table](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593632(v=ws.11))) Rules for the VPN Profile. + + + + +> [!NOTE] +> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/DomainNameInformationList/{dniRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId} +``` + + + + +A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0. | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger +``` + + + + +Boolean to determine whether this domain name rule will trigger the VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This DomainName rule will not trigger the VPN. | +| true | This DomainName rule will trigger the VPN. | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers +``` + + + + +Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName +``` + + + + +Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType +``` + + + + +Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent +``` + + + + +A boolean value that specifies if the rule being added should persist even when the VPN is not connected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This DomainName rule will only be applied when VPN is connected. | +| true | This DomainName rule will always be present and applied. | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers +``` + + + + +Web Proxy Server IP address if you are redirecting traffic through your intranet. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/EdpModeId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId +``` + + + + +Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/IPv4InterfaceMetric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric +``` + + + + +The metric for the IPv4 interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-9999]` | + + + + + + + + + +### User/{ProfileName}/IPv6InterfaceMetric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric +``` + + + + +The metric for the IPv6 interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-9999]` | + + + + + + + + + +### User/{ProfileName}/NativeProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile +``` + + + + +InboxNodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/Authentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication +``` + + + + +Required node for native profile. It contains authentication information for the native VPN profile. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/Authentication/Certificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/Authentication/Certificate/Eku + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/Authentication/Eap + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap +``` + + + + +Required when the native profile specifies EAP authentication. EAP configuration XML. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/Authentication/Eap/Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration +``` + + + + +HTML encoded XML of the EAP configuration. For more information,see [EAP configuration](eap-configuration.md). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/Authentication/Eap/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type +``` + + + + +Required node for EAP profiles. This specifies the EAP Type ID +13 = EAP-TLS +26 = Ms-Chapv2 +27 = Peap. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/Authentication/MachineMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod +``` + + + + +This is only supported in IKEv2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Certificate | Certificate. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/Authentication/UserMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod +``` + + + + +This value can be one of the following: EAP or MSChapv2 (This is not supported for IKEv2). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| EAP | EAP. | +| MSChapv2 | MSChapv2: This is not supported for IKEv2. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/CryptographySuite + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite +``` + + + + +Properties of IPSec tunnels. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants +``` + + + + +Type of authentication transform constant. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| MD596 | MD596. | +| SHA196 | SHA196. | +| SHA256128 | SHA256128. | +| GCMAES128 | GCMAES128. | +| GCMAES192 | GCMAES192. | +| GCMAES256 | GCMAES256. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants +``` + + + + +Type of Cipher transform constant. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| DES | DES. | +| DES3 | DES3. | +| AES128 | AES128. | +| AES192 | AES192. | +| AES256 | AES256. | +| GCMAES128 | GCMAES128. | +| GCMAES192 | GCMAES192. | +| GCMAES256 | GCMAES256. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/DHGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup +``` + + + + +Group used for DH (Diffie-Hellman). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | None. | +| Group1 | Group1. | +| Group2 | Group2. | +| Group14 | Group14. | +| ECP256 | ECP256. | +| ECP384 | ECP384. | +| Group24 | Group24. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod +``` + + + + +Type of encryption method. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| DES | DES. | +| DES3 | DES3. | +| AES128 | AES128. | +| AES192 | AES192. | +| AES256 | AES256. | +| AES_GCM_128 | AES_GCM_128. | +| AES_GCM_256 | AES_GCM_256. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod +``` + + + + +Type of integrity check. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| MD5 | MD5. | +| SHA196 | SHA196. | +| SHA256 | SHA256. | +| SHA384 | SHA384. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup +``` + + + + +Group used for PFS (Perfect Forward Secrecy). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | None. | +| PFS1 | PFS1. | +| PFS2 | PFS2. | +| PFS2048 | PFS2048. | +| ECP256 | ECP256. | +| ECP384 | ECP384. | +| PFSMM | PFSMM. | +| PFS24 | PFS24. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute +``` + + + + +Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Enabled. | +| true | Disabled. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/L2tpPsk + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk +``` + + + + +The preshared key used for an L2TP connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/NativeProtocolType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType +``` + + + + +Required for native profiles. Type of tunneling protocol used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| PPTP | PPTP. | +| L2TP | L2TP. | +| IKEv2 | IKEv2. | +| Automatic | Automatic. | +| SSTP | SSTP. | +| ProtocolList | ProtocolList. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes +``` + + + + +True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/ProtocolList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList +``` + + + + +List of inbox VPN protocols in priority order. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
+```
+
+
+
+
+Inbox VPN protocols type.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| Pptp | Pptp. |
+| L2tp | L2tp. |
+| Ikev2 | Ikev2. |
+| Sstp | Sstp. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
+```
+
+
+
+
+Default 168, max 500000.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/RoutingPolicyType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType
+```
+
+
+
+
+Type of routing policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| SplitTunnel | Traffic can go over any interface as determined by the networking stack. |
+| ForceTunnel | All IP traffic must go over the VPN interface. |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/NativeProfile/Servers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers
+```
+
+
+
+
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/NetworkOutageTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime
+```
+
+
+
+
+The amount of time in seconds the network is allowed to idle. 0 means no limit.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/PluginProfile
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile
+```
+
+
+
+
+Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/PluginProfile/CustomConfiguration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration
+```
+
+
+
+
+Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/PluginProfile/PluginPackageFamilyName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName
+```
+
+
+
+
+Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/PluginProfile/ServerUrlList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList
+```
+
+
+
+
+Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/PrivateNetwork
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork
+```
+
+
+
+
+Determines whether the VPN connection is public or private.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | VPN connection is public. |
+| true (Default) | VPN connection is private. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/ProfileXML
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML
+```
+
+
+
+
+The XML schema for provisioning all the fields of a VPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | See [ProfileXML XSD Schema](#profilexml-xsd-schema) |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/Proxy
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy
+```
+
+
+
+
+A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/Proxy/AutoConfigUrl
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl
+```
+
+
+
+
+Optional. Set a URL to automatically retrieve the proxy settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/Proxy/Manual
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual
+```
+
+
+
+
+Optional node containing the manual server settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/Proxy/Manual/Server
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server
+```
+
+
+
+
+Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/RegisterDNS
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS
+```
+
+
+
+
+Allows registration of the connection's address in DNS.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not register the connection's address in DNS. |
+| true | Register the connection's addresses in DNS. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/RememberCredentials
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials
+```
+
+
+
+
+Boolean value (true or false) for caching credentials.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not cache credentials. |
+| true | Credentials are cached whenever possible. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/RequireVpnClientAppUI
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.19628] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RequireVpnClientAppUI
+```
+
+
+
+
+Applicable only to AppContainer profiles.
+
+False : Do not show profile in Settings UI.
+True : Show profile in Settings UI.
+
+Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/RouteList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList
+```
+
+
+
+
+List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/RouteList/{routeRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}
+```
+
+
+
+
+A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/RouteList/{routeRowId}/Address
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address
+```
+
+
+
+
+Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
+```
+
+
+
+
+A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This route will direct traffic over the VPN. |
+| true | This route will direct traffic over the physical interface. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/RouteList/{routeRowId}/Metric
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric
+```
+
+
+
+
+The route's metric.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/RouteList/{routeRowId}/PrefixSize
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize
+```
+
+
+
+
+The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/TrafficFilterList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList
+```
+
+
+
+
+A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+> [!NOTE]
+> Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/{ProfileName}/TrafficFilterList/{trafficFilterId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}
+```
+
+
+
+
+A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
+```
+
+
+
+
+Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
+```
+
+
+
+
+App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
+```
+
+
+
+
+Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims
+```
+
+
+
+
+Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction
+```
+
+
+
+
+Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default.
+Inbound - The traffic filter allows traffic coming from external locations matching this rule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges
+```
+
+
+
+
+A list of comma separated values specifying local IP address ranges to allow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges
+```
+
+
+
+
+Comma Separated list of ranges for eg. 100-120,200,300-320.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^[\d]*$` |
+| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
    Dependency Allowed Value: `[6,17]`
    Dependency Allowed Value Type: `Range`
    |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol
+```
+
+
+
+
+0-255 number representing the ip protocol (TCP = 6, UDP = 17).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-255]` |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges
+```
+
+
+
+
+A list of comma separated values specifying remote IP address ranges to allow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges
+```
+
+
+
+
+A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^[\d]*$` |
+| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
    Dependency Allowed Value: `[6,17]`
    Dependency Allowed Value Type: `Range`
    |
+
+
+
+
+
+
+
+
+
+##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType
+```
+
+
+
+
+Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| SplitTunnel | For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. |
+| ForceTunnel | For this traffic rule all IP traffic must go through the VPN Interface only. |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/TrustedNetworkDetection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection
+```
+
+
+
+
+Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | `,` |
+
+
+
+
+
+
+
+
+
+### User/{ProfileName}/UseRasCredentials
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials +``` + + + + +Determines whether the credential manager will save ras credentials after a connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Ras Credentials are not saved. | +| true (Default) | Ras Credentials are saved. | + + + + + + + + + + +## ProfileXML XSD Schema + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` ## Examples - Profile example ```xml @@ -1190,7 +9271,7 @@ Persistent TrafficFilterLIst App ```xml - Desktop App + 10013 @@ -1200,7 +9281,7 @@ TrafficFilterLIst App %ProgramFiles%\Internet Explorer\iexplore.exe - Store App + 10014 @@ -1210,7 +9291,7 @@ TrafficFilterLIst App Microsoft.MicrosoftEdge_8wekyb3d8bbwe - SYSTEM + 10015 @@ -1225,7 +9306,7 @@ TrafficFilterLIst App Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection ```xml -Protocol + $CmdID$ @@ -1238,7 +9319,7 @@ Protocol 6 - LocalPortRanges + $CmdID$ @@ -1248,8 +9329,7 @@ Protocol 10,20-50,100-200 - - RemotePortRanges + $CmdID$ @@ -1259,8 +9339,7 @@ Protocol 20-50,100-200,300 - - LocalAddressRanges + $CmdID$ @@ -1270,8 +9349,7 @@ Protocol 3.3.3.3/32,1.1.1.1-2.2.2.2 - - RemoteAddressRanges + $CmdID$ 
@@ -1281,9 +9359,8 @@ Protocol 30.30.0.0/16,10.10.10.10-20.20.20.20 - - RoutingPolicyType - + + $CmdID$ @@ -1292,20 +9369,18 @@ Protocol ForceTunnel - - EDPModeId - - $CmdID$ - - - ./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID - - corp.contoso.com - - - - RememberCredentials - + + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID + + corp.contoso.com + + + + $CmdID$ @@ -1317,8 +9392,7 @@ Protocol true - - AlwaysOn + $CmdID$ @@ -1331,9 +9405,8 @@ Protocol true - - Lockdown - + + $CmdID$ @@ -1345,8 +9418,7 @@ Protocol true - - DnsSuffix + $CmdID$ @@ -1356,8 +9428,7 @@ Protocol Adatum.com - - TrustedNetworkDetection + $CmdID$ @@ -1373,7 +9444,7 @@ Protocol Proxy - Manual or AutoConfigUrl ```xml -Manual + $CmdID$ @@ -1383,8 +9454,7 @@ Manual 192.168.0.100:8888 - - AutoConfigUrl + $CmdID$ @@ -1399,47 +9469,47 @@ Manual Device Compliance - Sso ```xml - Enabled - - 10011 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled - - - bool - - true - - + + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled + + + bool + + true + + - IssuerHash - - 10011 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash - - ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee - - + + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash + + ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee + + - Eku - - 10011 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU - - 1.3.6.1.5.5.7.3.2 - - + + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU + + 1.3.6.1.5.5.7.3.2 + + ``` PluginProfile ```xml -PluginPackageFamilyName + 10001 @@ -1477,8 +9547,8 @@ PluginPackageFamilyName NativeProfile ```xml -Servers - + + 10001 @@ -1488,7 +9558,7 @@ Servers - RoutingPolicyType + 10007 @@ -1499,7 +9569,7 @@ Servers - NativeProtocolType + 10002 @@ -1511,8 +9581,8 @@ Servers - Authentication - UserMethod + + 10003 
@@ -1524,7 +9594,7 @@ Servers - MachineMethod + 10004 @@ -1536,7 +9606,7 @@ Servers - CryptographySuite + 10004 @@ -1592,7 +9662,7 @@ Servers - DisableClassBasedDefaultRoute + 10011 @@ -1605,12 +9675,10 @@ Servers ``` + -## See also - -[Configuration service provider reference](index.yml) - - - + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index 66de42bf56..294b7c1f32 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md 
@@ -1,4465 +1,2259 @@ --- title: VPNv2 DDF file -description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider. -ms.reviewer: pesmith +description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/30/2020 +ms.topic: reference --- + + # VPNv2 DDF file - -This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 2004. +The following XML file contains the device description framework (DDF) for the VPNv2 configuration service provider. ```xml - -]> +]> - 1.2 + 1.2 + + + + VPNv2 + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - VPNv2 - ./Vendor/MSFT + + + + + + + + + + Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + + + + + + + + + + ProfileName + + + + + + + + ^[^/]*$ + + + + + AppTriggerList - - - - - - - - - - - - - - com.microsoft/1.3/MDM/VPNv2 - + + + + List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. 
+ + + + + + + + + + + + - + + + + + + + + + A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + + + + + + + appTriggerRowId + + + + + A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + App - - - - - - - - - - - - - - - - ProfileName - - - + + + + App Node under the Row Id. + + + + + + + + + + + + - AppTriggerList - - - - - List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - appTriggerRowId - - - - - - App - - - - - - - - - - - - - - - - - - - Id - - - - - - - - App Identity. Specified, based on the Type Field.. - - - - - - - - - - - text/plain - - - - - Type - - - - - - PackageFamilyName - FQBN - FilePath - - - - - - - - - - - - text/plain - - - - - + Id + + + + + + + + App Identity. Specified, based on the Type Field. + + + + + + + + + + + + + + + - RouteList - - - - - List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - routeRowId - - - - - - Address - - - - - - - - Subnet address - - - - - - - - - - - text/plain - - - - - PrefixSize - - - - - - - - Subnet Prefix - - - - - - - - - - - text/plain - - - - - Metric - - - - - - - - The route's metric. - - - - - - - - - - - text/plain - - - - - ExclusionRoute - - - - - - - - - False = This Route will direct traffic over the VPN - True = This Route will direct traffic over the physical interface - By default, this value is false. 
- - - - - - - - - - - - text/plain - - - - + Type + + + + + Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + + + + + + + + + + + + + RouteList + + + + + List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + + + + + + + routeRowId + + + + + A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + Address + + + + + + + + Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. + + + + + + + + + + + + + + + + + + PrefixSize + + + + + + + + The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. + + + + + + + + + + + + + + [0-4294967295] + + + + + Metric + + + + + + + + The route's metric. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + ExclusionRoute + + + + + + + + false + A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This route will direct traffic over the VPN. 
+ + + true + This route will direct traffic over the physical interface. + + + + + + + + DomainNameInformationList + + + + + NRPT (Name Resolution Policy Table) Rules for the VPN Profile. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + + + + + + + dniRowId + + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + DomainName + + + + + + + + Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. + + + + + + + + + + + + + + + + + + DomainNameType + + + + + Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. + + + + + + + + + + + + + + + + DnsServers + + + + + + + + Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + + + + + + + + + + + + WebProxyServers + + + + + + + + Web Proxy Server IP address if you are redirecting traffic through your intranet. + + + + + + + + + + + + + + + + + + AutoTrigger + + + + + + + + false + Boolean to determine whether this domain name rule will trigger the VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This DomainName rule will not trigger the VPN. + + + true + This DomainName rule will trigger the VPN. 
+ + + + + + Persistent + + + + + + + + false + A boolean value that specifies if the rule being added should persist even when the VPN is not connected. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This DomainName rule will only be applied when VPN is connected. + + + true + This DomainName rule will always be present and applied. + + + + + + + + TrafficFilterList + + + + + A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + + + + + + + trafficFilterId + + + + + A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + App + + + + + Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface. + + + + + + + + + + + + + + + Id + + + + + + + + App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). + + + + + + + + + + + + + + + - DomainNameInformationList - - - - - NRPT (Name Resolution Policy Table) Rules for the VPN Profile - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - dniRowId - - - - - - DomainName - - - - - - - - Value based on the DomainNameType field - - - - - - - - - - - text/plain - - - - - DomainNameType - - - - - - a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain. - - b. 
Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains. - - c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here. - - d. Any: Use this if the policy applies to all. - - - - - - - - - - - - text/plain - - - - - DnsServers - - - - - - - - Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. - - - - - - - - - - - text/plain - - - - - WebProxyServers - - - - - - - - [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular) - - - - - - - - - - - text/plain - - - - - AutoTrigger - - - - - - - - - False = This DomainName Rule will not trigger the VPN - True = This DomainName Rule will trigger the VPN - By default, this value is false. - - - - - - - - - - - - text/plain - - - - - Persistent - - - - - - - - - False = This DomainName Rule will only be plumbed when the VPN is connected - True = This DomainName Rule will always be plumbed. - By default, this value is false. - - - - - - - - - - - - text/plain - - - - + Type + + + + + Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System. + + + + + + + + + + + + + - - TrafficFilterList - - - - - - A list of rules allowing traffic over the VPN Interface. - - Each Rule ID is ORed. - Within each rule ID each Filter type is AND'ed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - trafficFilterId - - - - - - App - - - - - Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface - - - - - - - - - - - - - - - Id - - - - - - - - App Identity. Specified, based on the Type Field.. 
- - - - - - - - - - - text/plain - - - - - Type - - - - - - PackageFamilyName - FQBN - FilePath - - - - - - - - - - - - text/plain - - - - - - Claims - - - - - - - - Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token - - - - - - - - - - - text/plain - - - - - Protocol - - - - - - - - - 0-255 number representing the ip protocol (TCP = 6, UDP = 17) - - - - - - - - - - - - text/plain - - - - - LocalPortRanges - - - - - - - - - Comma Separated list of ranges for eg. - 100-120,200,300-320 - - - - - - - - - - - LocalPortRanges - - text/plain - - - - - RemotePortRanges - - - - - - - - - Comma Separated list of ranges for eg. - 100-120,200,300-320 - - - - - - - - - - - - text/plain - - - - - LocalAddressRanges - - - - - - - - Comma Separated list of IP ranges - - - - - - - - - - - text/plain - - - - - RemoteAddressRanges - - - - - - - - Comma Separated list of IP ranges - - - - - - - - - - - text/plain - - - - - RoutingPolicyType - - - - - - - - - SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface. - ForceTunnel - All Traffic matching this rule must go over only the VPN Interface. - - Only Applicable for App and Claims type. - - - - - - - - - - - - text/plain - - - - - Direction - - - - - - - - + + + Claims + + + + + + + + Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. + + + + + + + + + + + + + + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). + + + + + + + + + + + + + + [0-255] + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. 
+ + + + + + + + + + LocalPortRanges + + + + + ^[\d]*$ + + + + + Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol + + [6,17] + + + + + + + + RemotePortRanges + + + + + + + + A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. + + + + + + + + + + + + + + ^[\d]*$ + + + + + Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol + + [6,17] + + + + + + + + LocalAddressRanges + + + + + + + + A list of comma separated values specifying local IP address ranges to allow. + + + + + + + + + + + + + + + + + + RemoteAddressRanges + + + + + + + + A list of comma separated values specifying remote IP address ranges to allow. + + + + + + + + + + + + + + + + + + RoutingPolicyType + + + + + + + + Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. + + + + + + + + + + + + + + + SplitTunnel + For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. + + + ForceTunnel + For this traffic rule all IP traffic must go through the VPN Interface only. + + + + + + Direction + + + + + + + + Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. Inbound - The traffic filter allows traffic coming from external locations matching this rule. - - - - - - - - - - - text/plain - - - - - - - EdpModeId - - - - - - - - - Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with. - - - - - - - - - - - - text/plain - - - - - RememberCredentials - - - - - - - - - False = Remember credentials is turned off - True = Remember credentials is turned on - If True, Credentials will be cached wherever applicable. 
- - - - - - - - - - - - text/plain - - - - - AlwaysOn - - - - - - - - - False = Always on in not turned On - True = Always is on is turned on - - Note: Always On will work only for the active profile. - - - - - - - - - - - - text/plain - - - - - LockDown - - - - - - - - - False = This is not a LockDown profile. - True = This is a LockDown profile. - - If turned on a lockdown profile does four things. - First, it automatically becomes an always on profile. - Second, it can never be disconnected. - Third, if the profile is not connected, then the user - has no network connectivity. - Fourth, no other profiles may be connected or modified. - - A lockdown profile must be deleted before any other - profiles can be added, removed, or connected. - - - - - - - - - - - - text/plain - - - - - DeviceTunnel - - - - - - - - - False = This is not a Device Tunnel profile and it is the default value. - True = This is a Device Tunnel profile. - - If turned on a device tunnel profile does four things. - First, it automatically becomes an always on profile. - Second, it does not require the presence or logging in - of any user to the machine in order for it to connect. - Third, no other Device Tunnel profile maybe be present on the - Same machine. - - A device tunnel profile must be deleted before another device tunnel - profile can be added, removed, or connected. - - - - - - - - - - - - text/plain - - - - - RegisterDNS - - - - - - - - - False = Do not register the connection's address in DNS (default). - True = Register the connection's addresses in DNS. - - - - - - - - - - - - text/plain - - - - - DnsSuffix - - - - - - - - Connection Specific DNS Suffix. for eg. corp.contoso.com - - - - - - - - - - - text/plain - - - - - ByPassForLocal - - - - - - - - + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + + + + EdpModeId + + + + + + + + Enterprise ID, which is required for connecting this VPN profile with an WIP policy. 
When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. + + + + + + + + + + + + + + + + + + RememberCredentials + + + + + + + + false + Boolean value (true or false) for caching credentials. + + + + + + + + + + + + + + + false + Do not cache credentials. + + + true + Credentials are cached whenever possible. + + + + + + AlwaysOn + + + + + + + + false + An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. + + + + + + + + + + + + + + + false + Always On is turned off. + + + true + Always On is turned on. + + + + + + AlwaysOnActive + + + + + + + + 1 + An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. + + + + + + + + + + + + + + + 0 + Always On is inactive. + + + 1 + Always On is activated on provisioning. + + + + + + RegisterDNS + + + + + + + + false + Allows registration of the connection's address in DNS. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + false + Do not register the connection's address in DNS. + + + true + Register the connection's addresses in DNS. + + + + + + DnsSuffix + + + + + + + + Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. + + + + + + + + + + + + + + + + + + ByPassForLocal + + + + + + + + False : Do not Bypass for Local traffic True : ByPass VPN Interface for Local Traffic Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. 
For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. - - - - - - - - - - - text/plain - - - - - TrustedNetworkDetection - - - - - - - - - String - Optional.String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. - - - - - - - - - - - - text/plain - - - - - ProfileXML - - - - - - - - - Xml schema for provisioning all the fields of a VPN - - - - - - - - - - - - text/plain - - - - - Proxy - - - - - - - - - - - - - - - - - - - Manual - - - - - - - - - - - - - - - - - - - Server - - - - - - - - Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80 - - - - - - - - - - - text/plain - - - - - - AutoConfigUrl - - - - - - - - Optional. Set a URL to automatically retrieve the proxy settings. 
- - - - - - - - - - - text/plain - - - - - - APNBinding - - - - - Reserved for Future Use - - - - - - - - - - - - - - - ProviderId - - - - - - - - - - - - - - - - - - text/plain - - - - - AccessPointName - - - - - - - - - - - - - - - - - - text/plain - - - - - UserName - - - - - - - - - - - - - - - - - - text/plain - - - - - Password - - - - - - - - - - - - - - - - - - text/plain - - - - - IsCompressionEnabled - - - - - - - - - - - - - - - - - - text/plain - - - - - AuthenticationType - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceCompliance - - - - - - Nodes under DeviceCompliance can be used to enable Azure Active Directory based Conditional Access for VPN - - - - - - - - - - - - - - - Enabled - - - - - - - - Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory - - - - - - - - - - - text/plain - - - - - Sso - - - - - - Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance - - - - - - - - - - - text/plain - - - - Enabled - - - - - - - - If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - IssuerHash - - - - - - - - Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - Eku - - - - - - - - Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - - - PluginProfile - - - - - - - - - - - - - - - - - - - - ServerUrlList - - - - - - - - Required. 
URL for VPN Server - - - - - - - - - - - text/plain - - - - - CustomConfiguration - - - - - - - - Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins - - - - - - - - - - - text/plain - - - - - PluginPackageFamilyName - - - - - - - - Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app - - - - - - - - - - - text/plain - - - - - CustomStoreUrl - - - - - - - - TO be Deleted - - - - - - - - - - - text/plain - - - - - WebAuth - - - - - - Nodes under WebAuth can be used to enable WebToken based authentication for 3rd Party Plugin VPN Profiles. - - - - - - - - - - - - - - - Enabled - - - - - - - - Enables the WebToken based authentication flow. - - - - - - - - - - - text/plain - - - - - ClientId - - - - - - - - The client ID to specify when communicating with the Web Account provider in retrieving the token. - - - - - - - - - - - text/plain - - - - - - - NativeProfile - - - - - - Inbox VPN Profile - - - - - - - - - - - - - - - Servers - - - - - - - - - Server - - - Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm - Some examples are 208.23.45.130 or vpn.contoso.com. - - - - - - - - - - - - text/plain - - - - - RoutingPolicyType - - - - - - - - - SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack. - - ForceTunnel - All IP Traffic must go over only the VPN Interface. 
- - - - - - - - - - - - text/plain - - - - - NativeProtocolType - - - - - - - - - Supported Values : - - Pptp - L2tp - Ikev2 - Automatic - - - - - - - - - - - - text/plain - - - - - Authentication - - - - - - - - - - - - - - - - - - - UserMethod - - - - - - - - - Supported Values - - Mschapv2 - Eap - - - - - - - - - - - - text/plain - - - - - MachineMethod - - - - - - - - - Supported Values - - Eap - Certificate - PresharedKey - - - - - - - - - - - - text/plain - - - - - Eap - - - - - - - - - - - - - - - - - - - Configuration - - - - - - - - XML Configuration for EAP Method - - - - - - - - - - - text/plain - - - - - Type - - - - - - - - - Required node for EAP profiles. This specifies the EAP Type ID - 13 = EAP-TLS - 26 = Ms-Chapv2 - 27 = Peap - - - - - - - - - - - - text/plain - - - - - - Certificate - - - - - Reserved for future Use - - - - - - - - - - - - - - - Issuer - - - - - - - - Reserved for future Use - - - - - - - - - - - text/plain - - - - - Eku - - - - - - - - Reserved for future Use - - - - - - - - - - - text/plain - - - - - - - CryptographySuite - - - - - Properties of IPSec tunnels. 
- - - - - - - - - - - - - - - AuthenticationTransformConstants - - - - - - - - - Choices are: - -- MD596 - -- SHA196 - -- SHA256128 - -- GCMAES128 - -- GCMAES192 - -- GCMAES256 - - - - - - - - - - - - text/plain - - - - - CipherTransformConstants - - - - - - - - - Choices Are: - -- DES - -- DES3 - -- AES128 - -- AES192 - -- AES256 - -- GCMAES128 - -- GCMAES192 - -- GCMAES256 - - - - - - - - - - - - text/plain - - - - - EncryptionMethod - - - - - - - - - Choices are: - -- DES - -- DES3 - -- AES128 - -- AES192 - -- AES256 - -- AES_GCM_128 - -- AES_GCM_256 - - - - - - - - - - - - text/plain - - - - - IntegrityCheckMethod - - - - - - - - - Choices are: - -- MD5 - -- SHA196 - -- SHA256 - -- SHA384 - - - - - - - - - - - - text/plain - - - - - DHGroup - - - - - - - - - Choices are: - -- Group1 - -- Group2 - -- Group14 - -- ECP256 - -- ECP384 - -- Group24 - - - - - - - - - - - - text/plain - - - - - PfsGroup - - - - - - - - - Choices are: - -- PFS1 - -- PFS2 - -- PFS2048 - -- ECP256 - -- ECP384 - -- PFSMM - -- PFS24 - - - - - - - - - - - - text/plain - - - - - - L2tpPsk - - - - - - - - The preshared key used for an L2TP connection - - - - - - - - - - - text/plain - - - - - DisableClassBasedDefaultRoute - - - - - - - - - When false this VPN connection will plumb class based default routes. - i.e. - If the interface IP begins with 10, it assumes a class a IP - and pushes the route 10.0.0.0/8 - - - - - - - - - - - - text/plain - - - - - PlumbIKEv2TSAsRoutes - - - - - - - - - True: Plumb traffic selectors as routes onto VPN interface - False: Do not plumb traffic selectors as routes - - - - - - - - - - - - text/plain - - - - - - - - VPNv2 - ./User/Vendor/MSFT + + + + + + + + + + + + + + + + TrustedNetworkDetection - - - - - - - - - - - - - - com.microsoft/1.3/MDM/VPNv2 - + + + + + + + Comma separated string to identify the trusted network. 
VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + + + + + + + + , + + + + + DisableAdvancedOptionsEditButton + + + + + + + + Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. + + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + false + Advanced Options Edit Button is available. + + + true + Advanced Options Edit Button is unavailable. + + + + + + DisableDisconnectButton + + + + + + + + Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. + + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + false + Disconnect Button is visible. + + + true + Disconnect Button is not visible. + + + + + + RequireVpnClientAppUI + + + + + + + + + Applicable only to AppContainer profiles. + + False : Do not show profile in Settings UI. + True : Show profile in Settings UI. + + Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method). + + + + + + + + + + + + + + + 10.0.19628 + 1.4 + + + + + ProfileXML + + + + + + + + The XML schema for provisioning all the fields of a VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +]]> + + + + + Proxy + + + + + A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. 
+ + + + + + + + + + + + - + Manual + + + + + Optional node containing the manual server settings. + + + + + + + + + + + + + + + Server - - - - - - - - - - - - - - - - ProfileName - - - + + + + + + + Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80. + + + + + + + + + + + + + + + + + + + AutoConfigUrl + + + + + + + + Optional. Set a URL to automatically retrieve the proxy settings. + + + + + + + + + + + + + + + + + + + APNBinding + + + + + Reserved for future use. + + + + + + + + + + + + + + + ProviderId + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + AccessPointName + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + UserName + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + Password + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + IsCompressionEnabled + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + AuthenticationType + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + + DeviceCompliance + + + + + + Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + Enabled + + + + + + + + Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + Sso + + + + + + Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. 
+ + + + + + + + + + + + + + + Enabled + + + + + + + + If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + IssuerHash + + + + + + + + Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + + + + + + + + + + + + Eku + + + + + + + + Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + + + + + + + + + + + + + + PluginProfile + + + + + + Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. + + + + + + + + + + + + + + + ServerUrlList + + + + + + + + Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. + + + + + + + + + + + + + + + + + + CustomConfiguration + + + + + + + + Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. + + + + + + + + + + + + + + + + + + PluginPackageFamilyName + + + + + + + + Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app. + + + + + + + + + + + + + + + + + + + NativeProfile + + + + + + InboxNodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). + + + + + + + + + + + + + + + Servers + + + + + + + + Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. 
The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. + + + + + + + + + + + + + + + + RoutingPolicyType + + + + + + + + Type of routing policy. + + + + + + + + + + + + + + + SplitTunnel + Traffic can go over any interface as determined by the networking stack. + + + ForceTunnel + All IP traffic must go over the VPN interface. + + + + + + NativeProtocolType + + + + + + + + Required for native profiles. Type of tunneling protocol used. + + + + + + + + + + + + + + + PPTP + PPTP + + + L2TP + L2TP + + + IKEv2 + IKEv2 + + + Automatic + Automatic + + + SSTP + SSTP + + + ProtocolList + ProtocolList + + + + + + ProtocolList + + + + + + + + + + + + + + + + + + 10.0.20207 + 1.4 + + + + NativeProtocolList + + + + + List of inbox VPN protocols in priority order. + + + + + + + + + + + + - AppTriggerList - - - - - List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - appTriggerRowId - - - - - - App - - - - - - - - - - - - - - - - - - - Id - - - - - - - - App Identity. Specified, based on the Type Field.. - - - - - - - - - - - text/plain - - - - - Type - - - - - - PackageFamilyName - FQBN - FilePath - - - - - - - - - - - - text/plain - - - - - - - - RouteList - - - - - List of routes to be added to the Routing table for the VPN Interface. 
Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - routeRowId - - - - - - Address - - - - - - - - Subnet address - - - - - - - - - - - text/plain - - - - - PrefixSize - - - - - - - - Subnet Prefix - - - - - - - - - - - text/plain - - - - - Metric - - - - - - - - The route's metric. - - - - - - - - - - - text/plain - - - - - ExclusionRoute - - - - - - - - Is this a route to never go over the VPN - - - - - - - - - - - text/plain - - - - - - - DomainNameInformationList - - - - - NRPT (Name Resolution Policy Table) Rules for the VPN Profile - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - dniRowId - - - - - - DomainName - - - - - - - - Value based on the DomainNameType field - - - - - - - - - - - text/plain - - - - - DomainNameType - - - - - - a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain. - - b. Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains. - - c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here. - - d. Any: Use this if the policy applies to all. - - - - - - - - - - - - text/plain - - - - - DnsServers - - - - - - - - Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. 
- - - - - - - - - - - text/plain - - - - - WebProxyServers - - - - - - - - [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular) - - - - - - - - - - - text/plain - - - - - AutoTrigger - - - - - - - - - False = This DomainName Rule will not trigger the VPN - True = This DomainName Rule will trigger the VPN - By default, this value is false. - - - - - - - - - - - - text/plain - - - - - Persistent - - - - - - - - - False = This DomainName Rule will only be plumbed when the VPN is connected - True = This DomainName Rule will always be plumbed. - By default, this value is false. - - - - - - - - - - - - text/plain - - - - - - - TrafficFilterList - - - - - - A list of rules allowing traffic over the VPN Interface. - - Each Rule ID is ORed. - Within each rule ID each Filter type is AND'ed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - trafficFilterId - - - - - - App - - - - - Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface - - - - - - - - - - - - - - - Id - - - - - - - - App Identity. Specified, based on the Type Field.. - - - - - - - - - - - text/plain - - - - - Type - - - - - - PackageFamilyName - FQBN - FilePath - - - - - - - - - - - - text/plain - - - - - - Claims - - - - - - - - Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token - - - - - - - - - - - text/plain - - - - - Protocol - - - - - - - - - 0-255 number representing the ip protocol (TCP = 6, UDP = 17) - - - - - - - - - - - - text/plain - - - - - LocalPortRanges - - - - - - - - - Comma Separated list of ranges for eg. - 100-120,200,300-320 - - - - - - - - - - - LocalPortRanges - - text/plain - - - - - RemotePortRanges - - - - - - - - - Comma Separated list of ranges for eg. 
- 100-120,200,300-320 - - - - - - - - - - - - text/plain - - - - - LocalAddressRanges - - - - - - - - Comma Separated list of IP ranges - - - - - - - - - - - text/plain - - - - - RemoteAddressRanges - - - - - - - - Comma Separated list of IP ranges - - - - - - - - - - - text/plain - - - - - RoutingPolicyType - - - - - - - - - SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface. - ForceTunnel - All Traffic matching this rule must go over only the VPN Interface. - - Only Applicable for App and Claims type. - - - - - - - - - - - - text/plain - - - - - - - EdpModeId - - - - - - - - - Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with. - - - - - - - - - - - - text/plain - - - - - RememberCredentials - - - - - - - - - False = Remember credentials is turned off - True = Remember credentials is turned on - If True, Credentials will be cached wherever applicable. - - - - - - - - - - - - text/plain - - - - - AlwaysOn - - - - - - - - - False = Always on in not turned On - True = Always is on is turned on - - Note: Always On will work only for the active profile. - - - - - - - - - - - - text/plain - - - - - DnsSuffix - - - - - - - - Connection Specific DNS Suffix. for eg. corp.contoso.com - - - - - - - - - - - text/plain - - - - - ByPassForLocal - - - - - - - - - False : Do not Bypass for Local traffic - True : ByPass VPN Interface for Local Traffic - - Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. 
- - - - - - - - - - - - text/plain - - - - - TrustedNetworkDetection - - - - - - - - - String - Optional.String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. - - - - - - - - - - - - text/plain - - - - - ProfileXML + + - - - Xml schema for provisioning all the fields of a VPN - - + - + + NativeProtocolRowId - text/plain + - - - Proxy - - - - - - - - - - - - - - - - - - - Manual - - - - - - - - - - - - - - - - - - - Server - - - - - - - - Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80 - - - - - - - - - - - text/plain - - - - - - AutoConfigUrl - - - - - - - - Optional. Set a URL to automatically retrieve the proxy settings. - - - - - - - - - - - text/plain - - - - - - APNBinding - - - - - Reserved for Future Use - - - - - - - - - - - - - - - ProviderId - - - - - - - - - - - - - - - - - - text/plain - - - - - AccessPointName - - - - - - - - - - - - - - - - - - text/plain - - - - - UserName - - - - - - - - - - - - - - - - - - text/plain - - - - - Password - - - - - - - - - - - - - - - - - - text/plain - - - - - IsCompressionEnabled - - - - - - - - - - - - - - - - - - text/plain - - - - - AuthenticationType - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceCompliance - - - - - - Nodes under DeviceCompliance can be used to enable Azure Active Directory based Conditional Access for VPN - - - - - - - - - - - - - - - Enabled - - - - - - - - Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. 
The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory - - - - - - - - - - - text/plain - - - - - Sso - - - - - - Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance - - - - - - - - - - - text/plain - - - - Enabled - - - - - - - - If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - IssuerHash - - - - - - - - Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - Eku - - - - - - - - Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - - - PluginProfile - - - - - - - - - - - - - - - - - - - - ServerUrlList - - - - - - - - Required. URL for VPN Server - - - - - - - - - - - text/plain - - - - - CustomConfiguration - - - - - - - - Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins - - - - - - - - - - - text/plain - - - - - PluginPackageFamilyName - - - - - - - - Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app - - - - - - - - - - - text/plain - - - - - CustomStoreUrl - - - - - - - - TO be Deleted - - - - - - - - - - - text/plain - - - - - WebAuth - - - - - - Nodes under WebAuth can be used to enable WebToken based authentication for 3rd Party Plugin VPN Profiles. - - - - - - - - - - - - - - - Enabled - - - - - - - - Enables the WebToken based authentication flow. - - - - - - - - - - - text/plain - - - - - ClientId - - - - - - - - The client ID to specify when communicating with the Web Account provider in retrieving the token. 
- - - - - - - - - - - text/plain - - - - - - - NativeProfile - - - - - - Inbox VPN Profile - - - - - - - - - - - - - - - Servers - - - - - - - - - Server - - - Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm - Some examples are 208.23.45.130 or vpn.contoso.com. - - - - - - - - - - - - text/plain - - - - - RoutingPolicyType - - - - - - - - - SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack. - - ForceTunnel - All IP Traffic must go over only the VPN Interface. - - - - - - - - - - - - text/plain - - - - - NativeProtocolType - - - - - - - - - Supported Values : - - Pptp - L2tp - Ikev2 - Automatic - - - - - - - - - - - - text/plain - - - - - Authentication - - - - - - - - - - - - - - - - - - - UserMethod - - - - - - - - - Supported Values - - Mschapv2 - Eap - - - - - - - - - - - - text/plain - - - - - MachineMethod - - - - - - - - - Supported Values - - Eap - Certificate - PresharedKey - - - - - - - - - - - - text/plain - - - - - Eap - - - - - - - - - - - - - - - - - - - Configuration - - - - - - - - XML Configuration for EAP Method - - - - - - - - - - - text/plain - - - - - Type - - - - - - - - - Required node for EAP profiles. This specifies the EAP Type ID - 13 = EAP-TLS - 26 = Ms-Chapv2 - 27 = Peap - - - - - - - - - - - - text/plain - - - - - - Certificate - - - - - Reserved for future Use - - - - - - - - - - - - - - - Issuer - - - - - - - - Reserved for future Use - - - - - - - - - - - text/plain - - - - - Eku - - - - - - - - Reserved for future Use - - - - - - - - - - - text/plain - - - - - - CryptographySuite - - - - - Properties of IPSec tunnels. 
- - - - - - - - - - - - - - - AuthenticationTransformConstants - - - - - - - - - Choices are: - -- MD596 - -- SHA196 - -- SHA256128 - -- GCMAES128 - -- GCMAES192 - -- GCMAES256 - - - - - - - - - - - - text/plain - - - - - CipherTransformConstants - - - - - - - - - Choices Are: - -- DES - -- DES3 - -- AES128 - -- AES192 - -- AES256 - -- GCMAES128 - -- GCMAES192 - -- GCMAES256 - - - - - - - - - - - - text/plain - - - - - EncryptionMethod - - - - - - - - - Choices are: - -- DES - -- DES3 - -- AES128 - -- AES192 - -- AES256 - -- AES_GCM_128 - -- AES_GCM_256 - - - - - - - - - - - - text/plain - - - - - IntegrityCheckMethod - - - - - - - - - Choices are: - -- MD5 - -- SHA196 - -- SHA256 - -- SHA384 - - - - - - - - - - - - text/plain - - - - - DHGroup - - - - - - - - - Choices are: - -- Group1 - -- Group2 - -- Group14 - -- ECP256 - -- ECP384 - -- Group24 - - - - - - - - - - - - text/plain - - - - - PfsGroup - - - - - - - - - Choices are: - -- PFS1 - -- PFS2 - -- PFS2048 - -- ECP256 - -- ECP384 - -- PFSMM - -- PFS24 - - - - - - - - - - - - text/plain - - - - - - L2tpPsk + Type @@ -4467,7 +2261,7 @@ The XML below is for Windows 10, version 2004. - The preshared key used for an L2TP connection + Inbox VPN protocols type. 
@@ -4478,12 +2272,3224 @@ The XML below is for Windows 10, version 2004. - text/plain + + + + Pptp + Pptp + + + L2tp + L2tp + + + Ikev2 + Ikev2 + + + Sstp + Sstp + + + + + + RetryTimeInHours + + + + + + + + Default 168, max 500000. + + + + + + + + + + + + + + + + + Authentication + + + + + Required node for native profile. It contains authentication information for the native VPN profile. + + + + + + + + + + + + + + + UserMethod + + + + + + + + This value can be one of the following: EAP or MSChapv2 (This is not supported for IKEv2). + + + + + + + + + + + + + + + EAP + EAP + + + MSChapv2 + MSChapv2: This is not supported for IKEv2 + + + + + + MachineMethod + + + + + + + + This is only supported in IKEv2. + + + + + + + + + + + + + + + Certificate + Certificate + + + + + + Eap + + + + + Required when the native profile specifies EAP authentication. EAP configuration XML. + + + + + + + + + + + + + + + Configuration + + + + + + + + HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration. + + + + + + + + + + + + + + + + + + Type + + + + + + + + + Required node for EAP profiles. This specifies the EAP Type ID + 13 = EAP-TLS + 26 = Ms-Chapv2 + 27 = Peap + + + + + + + + + + + + + + + + + + + + Certificate + + + + + Reserved for future use. + + + + + + + + + + + + + + + Issuer + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + Eku + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + + + CryptographySuite + + + + + Properties of IPSec tunnels. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + AuthenticationTransformConstants + + + + + + + + Type of authentication transform constant. 
+ + + + + + + + + + + + + + + MD596 + MD596 + + + SHA196 + SHA196 + + + SHA256128 + SHA256128 + + + GCMAES128 + GCMAES128 + + + GCMAES192 + GCMAES192 + + + GCMAES256 + GCMAES256 + + + + + + CipherTransformConstants + + + + + + + + Type of Cipher transform constant. + + + + + + + + + + + + + + + DES + DES + + + DES3 + DES3 + + + AES128 + AES128 + + + AES192 + AES192 + + + AES256 + AES256 + + + GCMAES128 + GCMAES128 + + + GCMAES192 + GCMAES192 + + + GCMAES256 + GCMAES256 + + + + + + EncryptionMethod + + + + + + + + Type of encryption method. + + + + + + + + + + + + + + + DES + DES + + + DES3 + DES3 + + + AES128 + AES128 + + + AES192 + AES192 + + + AES256 + AES256 + + + AES_GCM_128 + AES_GCM_128 + + + AES_GCM_256 + AES_GCM_256 + + + + + + IntegrityCheckMethod + + + + + + + + Type of integrity check. + + + + + + + + + + + + + + + MD5 + MD5 + + + SHA196 + SHA196 + + + SHA256 + SHA256 + + + SHA384 + SHA384 + + + + + + DHGroup + + + + + + + + Group used for DH (Diffie-Hellman). + + + + + + + + + + + + + + + None + None + + + Group1 + Group1 + + + Group2 + Group2 + + + Group14 + Group14 + + + ECP256 + ECP256 + + + ECP384 + ECP384 + + + Group24 + Group24 + + + + + + PfsGroup + + + + + + + + Group used for PFS (Perfect Forward Secrecy). + + + + + + + + + + + + + + + None + None + + + PFS1 + PFS1 + + + PFS2 + PFS2 + + + PFS2048 + PFS2048 + + + ECP256 + ECP256 + + + ECP384 + ECP384 + + + PFSMM + PFSMM + + + PFS24 + PFS24 + + + + + + + L2tpPsk + + + + + + + + The preshared key used for an L2TP connection. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + DisableClassBasedDefaultRoute + + + + + + + + Specifies the class based default routes. 
For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + Enabled + + + true + Disabled + + + + + + PlumbIKEv2TSAsRoutes + + + + + + + + True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + + + NetworkOutageTime + + + + + + + + The amount of time in seconds the network is allowed to idle. 0 means no limit. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [0-4294967295] + + + + + IPv4InterfaceMetric + + + + + + + + The metric for the IPv4 interface. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [1-9999] + + + + + IPv6InterfaceMetric + + + + + + + + The metric for the IPv6 interface. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [1-9999] + + + + + UseRasCredentials + + + + + + + + true + Determines whether the credential manager will save ras credentials after a connection. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + false + Ras Credentials are not saved. + + + true + Ras Credentials are saved. + + + + + + DataEncryption + + + + + + + + Require + Determines the level of data encryption required for the connection. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + None + No Data Encryption required. + + + Require + Data Encryption required. + + + Max + Maximum-strength Data Encryption required. + + + Optional + Perform encryption if possible. + + + + + + PrivateNetwork + + + + + + + + true + Determines whether the VPN connection is public or private. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + false + VPN connection is public. + + + true + VPN connection is private. + + + + + + DisableIKEv2Fragmentation + + + + + + + + false + Set to disable IKEv2 Fragmentation. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + true + IKEv2 Fragmentation will not be used. + + + false + IKEv2 Fragmentation is used as normal. 
+ + + + + + + + VPNv2 + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + + Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + + + + + + + + + + ProfileName + + + + + + + + ^[^/]*$ + + + + + AppTriggerList + + + + + List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + + + + + + + appTriggerRowId + + + + + A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + App + + + + + App Node under the Row Id. + + + + + + + + + + + + + + + Id + + + + + + + + App Identity. Specified, based on the Type Field. + + + + + + + + + + + + + + + + + + Type + + + + + Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + + + + + + + + + + + + + RouteList + + + + + List of routes to be added to the Routing table for the VPN Interface. 
Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + + + + + + + routeRowId + + + + + A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + Address + + + + + + + + Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. + + + + + + + + + + + + + + + + + + PrefixSize + + + + + + + + The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. + + + + + + + + + + + + + + [0-4294967295] + + + + + Metric + + + + + + + + The route's metric. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + ExclusionRoute + + + + + + + + false + A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This route will direct traffic over the VPN. + + + true + This route will direct traffic over the physical interface. + + + + + + + + DomainNameInformationList + + + + + NRPT (Name Resolution Policy Table) Rules for the VPN Profile. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + + + + + + + dniRowId + + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + DomainName + + + + + + + + Used to indicate the namespace to which the policy applies. 
When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. + + + + + + + + + + + + + + + + + + DomainNameType + + + + + Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. + + + + + + + + + + + + + + + + DnsServers + + + + + + + + Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + + + + + + + + + + + + WebProxyServers + + + + + + + + Web Proxy Server IP address if you are redirecting traffic through your intranet. + + + + + + + + + + + + + + + + + + AutoTrigger + + + + + + + + false + Boolean to determine whether this domain name rule will trigger the VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This DomainName rule will not trigger the VPN. + + + true + This DomainName rule will trigger the VPN. + + + + + + Persistent + + + + + + + + false + A boolean value that specifies if the rule being added should persist even when the VPN is not connected. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This DomainName rule will only be applied when VPN is connected. + + + true + This DomainName rule will always be present and applied. + + + + + + + + TrafficFilterList + + + + + A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. 
+ + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + + + + + + + trafficFilterId + + + + + A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + App + + + + + Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface + + + + + + + + + + + + + + + Id + + + + + + + + App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). + + + + + + + + + + + + + + + + + + Type + + + + + Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System. + + + + + + + + + + + + + + + + + Claims + + + + + + + + Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. + + + + + + + + + + + + + + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). + + + + + + + + + + + + + + [0-255] + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. + + + + + + + + + + LocalPortRanges + + + + + ^[\d]*$ + + + + + Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol + + [6,17] + + + + + + + + RemotePortRanges + + + + + + + + A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. 
+ + + + + + + + + + + + + + ^[\d]*$ + + + + + Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol + + [6,17] + + + + + + + + LocalAddressRanges + + + + + + + + A list of comma separated values specifying local IP address ranges to allow. + + + + + + + + + + + + + + + + + + RemoteAddressRanges + + + + + + + + A list of comma separated values specifying remote IP address ranges to allow. + + + + + + + + + + + + + + + + + + RoutingPolicyType + + + + + + + + Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. + + + + + + + + + + + + + + + SplitTunnel + For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. + + + ForceTunnel + For this traffic rule all IP traffic must go through the VPN Interface only. + + + + + + Direction + + + + + + + + + Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. + Inbound - The traffic filter allows traffic coming from external locations matching this rule. + + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + + + + EdpModeId + + + + + + + + Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. + + + + + + + + + + + + + + + + + + RememberCredentials + + + + + + + + false + Boolean value (true or false) for caching credentials. + + + + + + + + + + + + + + + false + Do not cache credentials. + + + true + Credentials are cached whenever possible. 
+ + + + + + AlwaysOn + + + + + + + + false + An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. + + + + + + + + + + + + + + + false + Always On is turned off. + + + true + Always On is turned on. + + + + + + AlwaysOnActive + + + + + + + + 1 + An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. + + + + + + + + + + + + + + + 0 + Always On is inactive. + + + 1 + Always On is activated on provisioning. + + + + + + DeviceTunnel + + + + + + + + false + If turned on a device tunnel profile does four things. + First, it automatically becomes an always on profile. + Second, it does not require the presence or logging in of any user to the machine in order for it to connect. + Third, no other Device Tunnel profile maybe be present on the same machine. +A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + false + This is not a device tunnel profile. + + + true + This is a device tunnel profile. + + + + + + RegisterDNS + + + + + + + + false + Allows registration of the connection's address in DNS. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + false + Do not register the connection's address in DNS. + + + true + Register the connection's addresses in DNS. + + + + + + DnsSuffix + + + + + + + + Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. + + + + + + + + + + + + + + + + + + ByPassForLocal + + + + + + + + + False : Do not Bypass for Local traffic + True : ByPass VPN Interface for Local Traffic + + Optional. 
When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + + + + + + + + + + + + + + + + + TrustedNetworkDetection + + + + + + + + Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + + + + + + + + , + + + + + DisableAdvancedOptionsEditButton + + + + + + + + + Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. + + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + false + Advanced Options Edit Button is available. + + + true + Advanced Options Edit Button is unavailable. + + + + + + DisableDisconnectButton + + + + + + + + + Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. + + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + false + Disconnect Button is visible. + + + true + Disconnect Button is not visible. + + + + + + ProfileXML + + + + + + + + The XML schema for provisioning all the fields of a VPN. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +]]> + + + + + Proxy + + + + + A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. + + + + + + + + + + + + + + + Manual + + + + + Optional node containing the manual server settings. + + + + + + + + + + + + + + + Server + + + + + + + + Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80. + + + + + + + + + + + + + + + + + + + AutoConfigUrl + + + + + + + + Optional. Set a URL to automatically retrieve the proxy settings. + + + + + + + + + + + + + + + + + + + APNBinding + + + + + Reserved for future use. + + + + + + + + + + + + + + + ProviderId + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + AccessPointName + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + UserName + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + Password + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + IsCompressionEnabled + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + AuthenticationType + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + + DeviceCompliance + + + + + + Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + Enabled + + + + + + + + Enables the Device Compliance flow from the client. 
If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + Sso + + + + + + Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. + + + + + + + + + + + + + + + Enabled + + + + + + + + If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + IssuerHash + + + + + + + + Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + + + + + + + + + + + + Eku + + + + + + + + Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + + + + + + + + + + + + + + PluginProfile + + + + + + Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. + + + + + + + + + + + + + + + ServerUrlList + + + + + + + + Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. + + + + + + + + + + + + + + + + + + CustomConfiguration + + + + + + + + Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. + + + + + + + + + + + + + + + + + + PluginPackageFamilyName + + + + + + + + Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app. 
+ + + + + + + + + + + + + + + + + + + NativeProfile + + + + + + Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). + + + + + + + + + + + + + + + Servers + + + + + + + + Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. + + + + + + + + + + + + + + + + RoutingPolicyType + + + + + + + + Type of routing policy. + + + + + + + + + + + + + + + SplitTunnel + Traffic can go over any interface as determined by the networking stack. + + + ForceTunnel + All IP traffic must go over the VPN interface. + + + + + + NativeProtocolType + + + + + + + + Required for native profiles. Type of tunneling protocol used. + + + + + + + + + + + + + + + PPTP + PPTP + + + L2TP + L2TP + + + IKEv2 + IKEv2 + + + Automatic + Automatic + + + SSTP + SSTP + + + ProtocolList + ProtocolList + + + + + + ProtocolList + + + + + + + + + + + + + + + + + + 10.0.20207 + 1.4 + + + + NativeProtocolList + + + + + List of inbox VPN protocols in priority order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NativeProtocolRowId + + + + - DisableClassBasedDefaultRoute + Type 
@@ -4491,55 +5497,998 @@ The XML below is for Windows 10, version 2004. - - When false this VPN connection will plumb class based default routes. - i.e. - If the interface IP begins with 10, it assumes a class a IP - and pushes the route 10.0.0.0/8 - + Inbox VPN protocols type. - + - + - text/plain + + + + Pptp + Pptp + + + L2tp + L2tp + + + Ikev2 + Ikev2 + + + Sstp + Sstp + + - - PlumbIKEv2TSAsRoutes - - - - - - - - - True: Plumb traffic selectors as routes onto VPN interface - False: Do not plumb traffic selectors as routes - - - - - - - - - - - - text/plain - - - + + + RetryTimeInHours + + + + + + + + Default 168, max 500000. + + + + + + + + + + + + + + + + Authentication + + + + + Required node for native profile. It contains authentication information for the native VPN profile. + + + + + + + + + + + + + + + UserMethod + + + + + + + + Type of user authentication. + + + + + + + + + + + + + + + EAP + EAP + + + MSChapv2 + MSChapv2: This is not supported for IKEv2 + + + + + + MachineMethod + + + + + + + + This is only supported in IKEv2. + + + + + + + + + + + + + + + Certificate + Certificate + + + + + + Eap + + + + + Required when the native profile specifies EAP authentication. EAP configuration XML. + + + + + + + + + + + + + + + Configuration + + + + + + + + HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration. + + + + + + + + + + + + + + + + + + Type + + + + + + + + + Required node for EAP profiles. This specifies the EAP Type ID + 13 = EAP-TLS + 26 = Ms-Chapv2 + 27 = Peap + + + + + + + + + + + + + + + + + + + + Certificate + + + + + Reserved for future use. + + + + + + + + + + + + + + + Issuer + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + Eku + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + + + CryptographySuite + + + + + Properties of IPSec tunnels. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + AuthenticationTransformConstants + + + + + + + + Type of authentication transform constant. + + + + + + + + + + + + + + + MD596 + MD596 + + + SHA196 + SHA196 + + + SHA256128 + SHA256128 + + + GCMAES128 + GCMAES128 + + + GCMAES192 + GCMAES192 + + + GCMAES256 + GCMAES256 + + + + + + CipherTransformConstants + + + + + + + + Type of Cipher transform constant. + + + + + + + + + + + + + + + DES + DES + + + DES3 + DES3 + + + AES128 + AES128 + + + AES192 + AES192 + + + AES256 + AES256 + + + GCMAES128 + GCMAES128 + + + GCMAES192 + GCMAES192 + + + GCMAES256 + GCMAES256 + + + + + + EncryptionMethod + + + + + + + + Type of encryption method. + + + + + + + + + + + + + + + DES + DES + + + DES3 + DES3 + + + AES128 + AES128 + + + AES192 + AES192 + + + AES256 + AES256 + + + AES_GCM_128 + AES_GCM_128 + + + AES_GCM_256 + AES_GCM_256 + + + + + + IntegrityCheckMethod + + + + + + + + Type of integrity check. + + + + + + + + + + + + + + + MD5 + MD5 + + + SHA196 + SHA196 + + + SHA256 + SHA256 + + + SHA384 + SHA384 + + + + + + DHGroup + + + + + + + + Group used for DH (Diffie-Hellman). + + + + + + + + + + + + + + + None + None + + + Group1 + Group1 + + + Group2 + Group2 + + + Group14 + Group14 + + + ECP256 + ECP256 + + + ECP384 + ECP384 + + + Group24 + Group24 + + + + + + PfsGroup + + + + + + + + Group used for PFS (Perfect Forward Secrecy). + + + + + + + + + + + + + + + None + None + + + PFS1 + PFS1 + + + PFS2 + PFS2 + + + PFS2048 + PFS2048 + + + ECP256 + ECP256 + + + ECP384 + ECP384 + + + PFSMM + PFSMM + + + PFS24 + PFS24 + + + + + + + L2tpPsk + + + + + + + + The preshared key used for an L2TP connection. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + DisableClassBasedDefaultRoute + + + + + + + + Specifies the class based default routes. 
For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + Enabled + + + true + Disabled + + + + + + PlumbIKEv2TSAsRoutes + + + + + + + + True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + + + NetworkOutageTime + + + + + + + + The amount of time in seconds the network is allowed to idle. 0 means no limit. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [0-4294967295] + + + + + IPv4InterfaceMetric + + + + + + + + The metric for the IPv4 interface. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [1-9999] + + + + + IPv6InterfaceMetric + + + + + + + + The metric for the IPv6 interface. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [1-9999] + + + + + UseRasCredentials + + + + + + + + true + Determines whether the credential manager will save ras credentials after a connection. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + false + Ras Credentials are not saved. + + + true + Ras Credentials are saved. + + + + + + DataEncryption + + + + + + + + Require + Determines the level of data encryption required for the connection. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + None + No Data Encryption required. + + + Require + Data Encryption required. + + + Max + Maximum-strength Data Encryption required. + + + Optional + Perform encryption if possible. + + + + + + PrivateNetwork + + + + + + + + true + Determines whether the VPN connection is public or private. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + false + VPN connection is public. + + + true + VPN connection is private. + + + + + + DisableIKEv2Fragmentation + + + + + + + + false + Set to disable IKEv2 Fragmentation. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + true + IKEv2 Fragmentation will not be used. + + + false + IKEv2 Fragmentation is used as normal. 
+ + + + + ``` +
+## Related articles
+
+[VPNv2 configuration service provider reference](vpnv2-csp.md)
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
deleted file mode 100644
index bfca5ab7aa..0000000000
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ /dev/null
@@ -1,447 +0,0 @@ ---- -title: ProfileXML XSD -description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/14/2020 ---- - -# ProfileXML XSD - -Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent::AddProfileFromXmlAsync for Windows 10 and some profile examples. - -## XSD for the VPN profile - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Native profile example - -```xml - - corp.contoso.com - true - false - corp.contoso.com - contoso.com - - - Helloworld.Com - - HelloServer - - - - - true - - true - This is my Eku - This is my issuer hash - - - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - - - - C:\windows\system32\ping.exe - - - - - hrsite.corporate.contoso.com - 1.2.3.4,5.6.7.8 - 5.5.5.5 - true - - - .corp.contoso.com - 10.10.10.10,20.20.20.20 - 100.100.100.100 - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - 6 - 10,20-50,100-200 - 20-50,100-200,300 - 30.30.0.0/16,10.10.10.10-20.20.20.20 - ForceTunnel - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - 3.3.3.3/32,1.1.1.1-2.2.2.2 - - - - testServer.VPN.com - SplitTunnel - IKEv2 - true - - Eap - - - - - 25 - 0 - 0 - 0 - - - - 25 - - - true - - d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 - d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 - - true - false - - 13 - - - - true - - - - true - - d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 - d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 - - false - true - 
false - - - - - AAD Conditional Access - 1.3.6.1.4.1.311.87 - - - - - AAD Conditional Access - - - - - - - false - true - - true - false - - - - - - - - - - - -
    192.168.0.0
    - 24 -
    - -
    10.10.0.0
    - 16 -
    -
    -``` - -## Plug-in profile example - -```xml - - - true - false - corp.contoso.com - contoso.com,test.corp.contoso.com - false - false - - - Helloworld.Com - - HelloServer - - - - - - - - - - true - - - - - testserver1.contoso.com;testserver2.contoso..com - true - JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy - - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - - - - corp.contoso.com - 1.2.3.4,5.6.7.8 - 5.5.5.5 - false - - - corp.contoso.com - 10.10.10.10,20.20.20.20 - 100.100.100.100 - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - 6 - 10,20-50,100-200 - 20-50,100-200,300 - 30.30.0.0/16,10.10.10.10-20.20.20.20 - - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - 3.3.3.3/32,1.1.1.1-2.2.2.2 - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - O:SYG:SYD:(A;;CC;;;AU) - - - - -
    192.168.0.0
    - 24 -
    - -
    10.10.0.0
    - 16 -
    -
    -```
-
-## Related topics
-
-[Configuration service provider reference](index.yml)
\ No newline at end of file
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 0df64e0109..7bc7eec664 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,159 +1,783 @@ --- title: WiFi CSP -description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device. -ms.reviewer: +description: Learn more about the WiFi CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/18/2019 +ms.topic: reference --- + + + # WiFi CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!WARNING] -> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - + + The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it's in range. Programming considerations: -- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. 
Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. -- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. -- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping aren't supported. -- The \*name\_goes\_here*\\ must match \\ *name\_goes\_here*\\. -- For the WiFi CSP, you can't use the Replace command unless the node already exists. -- Using Proxyis in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. +- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. +- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. +- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping aren't supported. 
+- The `name_goes_here\` must match `name_goes_here`. +- For the WiFi CSP, you can't use the Replace command unless the node already exists. +- Using ProxyPacUrl or ProxyWPAD in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. + -The following example shows the WiFi configuration service provider in tree format. + +The following list shows the WiFi configuration service provider nodes: -```console -./Device/Vendor/MSFT -or -./User/Vendor/MSFT -WiFi ----Profile -------SSID ----------WlanXML ----------WiFiCost +- ./Device/Vendor/MSFT/WiFi + - [Profile](#deviceprofile) + - [{SSID}](#deviceprofilessid) + - [ProfileSource](#deviceprofilessidprofilesource) + - [Proxy](#deviceprofilessidproxy) + - [ProxyPacUrl](#deviceprofilessidproxypacurl) + - [ProxyWPAD](#deviceprofilessidproxywpad) + - [WiFiCost](#deviceprofilessidwificost) + - [WlanXml](#deviceprofilessidwlanxml) +- ./User/Vendor/MSFT/WiFi + - [Profile](#userprofile) + - [{SSID}](#userprofilessid) + - [ProfileSource](#userprofilessidprofilesource) + - [Proxy](#userprofilessidproxy) + - [ProxyPacUrl](#userprofilessidproxypacurl) + - [ProxyWPAD](#userprofilessidproxywpad) + - [WiFiCost](#userprofilessidwificost) + - [WlanXml](#userprofilessidwlanxml) + + + +## Device/Profile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile ``` + -The following list shows the characteristics and parameters. + + +Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network - for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. + -**Device or User profile** -For user profile, use `./User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path. + + + -**Profile** -Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase if there's WEP or WPA2 networks. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**\** -Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted. + + + -SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, \./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml\. + -The supported operations are Add, Get, Delete, and Replace. 
+ +### Device/Profile/{SSID} -**WlanXML** -The XML that describes the network configuration and follows the [WLAN\_profile Schema](/windows/win32/nativewifi/wlan-profileschema-schema) on MSDN. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID} +``` + -Value type is chr. + + +The Profile name of the Wi-Fi network. This is added when WlanXml node is added and deleted when WlanXml is deleted. + + + +Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. + +SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, `./Vendor/MSFT/WiFi/Profile//WlanXml`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### Device/Profile/{SSID}/ProfileSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/ProfileSource +``` + + + + +Allows for defining which administrative entity is setting this Wi-Fi profile. This can currently be set to either 0=Enterprise or 1=Mobile Operator. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enterprise. | +| 1 | Mobile Operator. | + + + + + + + + + +#### Device/Profile/{SSID}/Proxy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/Proxy +``` + + + + +Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Profile/{SSID}/ProxyPacUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/ProxyPacUrl +``` + + + + +Optional node. URL to the PAC file location. + + + + +> [!NOTE] +> Don't use. Using this configuration in Windows 10 client editions will result in failure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Profile/{SSID}/ProxyWPAD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/ProxyWPAD +``` + + + + +Optional node. The presence of the field enables WPAD for proxy lookup. + + + + +> [!NOTE] +> Don't use. Using this configuration in Windows 10 client editions will result in failure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable WPAD for proxy lookup. | +| true | Enable WPAD for proxy lookup. | + + + + + + + + + +#### Device/Profile/{SSID}/WiFiCost + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/WiFiCost +``` + + + + +Optional node. If the policy is active selecting one of the values from the following list will set the cost of WLAN connection for the Wi-Fi profile. (1:Unrestricted - unlimited connection, 2: Fixed - capacity constraints up to a certain data limit, 3: Variable - costed on per byte basic) Default behavior: Unrestricted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Unrestricted - unlimited connection. | +| 2 | Fixed - capacity constraints up to a certain data limit. | +| 3 | Variable - paid on per byte basic. | + + + + + + + + + +#### Device/Profile/{SSID}/WlanXml + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml +``` + + + + +XML describing the network configuration and follows Windows WLAN_profile schema. +Link to schema: + + + + The profile XML must be escaped, as shown in the examples below. If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). > [!NOTE] > If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). + -The supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**Proxy** -Don't use. Using this configuration in Windows 10 client editions will result in failure. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + + -Optional. Specifies the configuration of the network proxy. A proxy server host and port can be specified per connection for Windows 10 Mobile. This proxy configuration is only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions will result in failure. + -The format is *host:port*, where host can be one of the following: + +## User/Profile -- A registered host name, such as server name, FQDN, or Single Label Name, such as myweb instead of myweb.contoso.com. -- IPV4 address -- IPv6/IPvFuture address. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If it's an IPvFuture address, then it must be specified as an IP literal as "\[" (IP v6 address / IPvFuture ) "\]", such as "\[2441:4880:28:3:204:76ff:f43f:6eb\]:8080". + +```User +./User/Vendor/MSFT/WiFi/Profile +``` + -Supported operations are Get, Add, Delete, and Replace. ---> + + +Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network - for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. + -**DisableInternetConnectivityChecks** + + + -> [!Note] -> This node has been deprecated since Windows 10, version 1607. + +**Description framework properties**: -Added in Windows 10, version 1511. Optional. Disable the internet connectivity check for the profile. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Value type is chr. + + + -- True - internet connectivity check is disabled. -- False - internet connectivity check is enabled. + -Supported operations are Get, Add, Delete, and Replace. + +### User/Profile/{SSID} -**ProxyPacUrl** -Don't use. Using this configuration in Windows 10 client editions will result in failure. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + - +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID} +``` + -Added in Windows 10, version 1607. Optional. Specifies the value of the URL to the Proxy auto-config (PAC) file location. This proxy configuration is only supported in Windows 10 Mobile. + + +The Profile name of the Wi-Fi network. This is added when WlanXml node is added and deleted when WlanXml is deleted. + -Value type is chr, e.g. http://www.contoso.com/wpad.dat. ---> + + +Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. -**ProxyWPAD** -Don't use. Using this configuration in Windows 10 client editions will result in failure. +SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, `./Vendor/MSFT/WiFi/Profile//WlanXml`. + - +**Description framework properties**: -Added in Windows 10, version 1607. Optional. When set to true it enables Web Proxy Auto-Discovery Protocol (WPAD) for proxy lookup.This proxy configuration is only supported in Windows 10 Mobile. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -Value type is bool. ---> + + + -**WiFiCost** -Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behavior: Unrestricted. 
+ -Supported values: + +#### User/Profile/{SSID}/ProfileSource -- 1 - Unrestricted - unlimited connection -- 2 - Fixed - capacity constraints up to a certain data limit -- 3 - Variable - paid on per byte basic + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -Supported operations are Add, Get, Replace and Delete. Value type is integer. + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/ProfileSource +``` + + + +Allows for defining which administrative entity is setting this Wi-Fi profile. This can currently be set to either 0=Enterprise or 1=Mobile Operator. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enterprise. | +| 1 | Mobile Operator. | + + + + + + + + + +#### User/Profile/{SSID}/Proxy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/Proxy +``` + + + + +Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/Profile/{SSID}/ProxyPacUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/ProxyPacUrl +``` + + + + +Optional node. URL to the PAC file location. + + + + +> [!NOTE] +> Don't use. Using this configuration in Windows 10 client editions will result in failure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/Profile/{SSID}/ProxyWPAD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/ProxyWPAD +``` + + + + +Optional node. The presence of the field enables WPAD for proxy lookup. + + + + +> [!NOTE] +> Don't use. Using this configuration in Windows 10 client editions will result in failure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable WPAD for proxy lookup. | +| true | Enable WPAD for proxy lookup. | + + + + + + + + + +#### User/Profile/{SSID}/WiFiCost + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/WiFiCost +``` + + + + +Optional node. If the policy is active selecting one of the values from the following list will set the cost of WLAN connection for the Wi-Fi profile. (1:Unrestricted - unlimited connection, 2: Fixed - capacity constraints up to a certain data limit, 3: Variable - costed on per byte basic) Default behavior: Unrestricted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Unrestricted - unlimited connection. | +| 2 | Fixed - capacity constraints up to a certain data limit. | +| 3 | Variable - paid on per byte basic. | + + + + + + + + + +#### User/Profile/{SSID}/WlanXml + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml +``` + + + + +XML describing the network configuration and follows Windows WLAN_profile schema. +Link to schema: + + + + +The profile XML must be escaped, as shown in the examples below. + +If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). + +> [!NOTE] +> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + ## Examples These XML examples show how to perform various tasks using OMA DM. ### Add a network -The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork,'. +The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork'. ```xml @@ -210,7 +834,7 @@ The following example shows the response. ### Remove a network -The following example shows how to remove a network with SSID ‘MyNetwork’ and no proxy. Removing all network authentication types is done in this same manner. +The following example shows how to remove a network with SSID 'MyNetwork' and no proxy. Removing all network authentication types is done in this same manner. ```xml 
@@ -228,7 +852,7 @@ The following example shows how to remove a network with SSID ‘MyNetwork’ an ### Add a network and certification authority for a server certificate -The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetwork’ and root CA validation for server certificate. +The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork' and root CA validation for server certificate. ```xml @@ -247,7 +871,10 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw ``` + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index a6b9b70daf..c955abb2f5 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md 
@@ -1,37 +1,32 @@ --- title: WiFi DDF file -description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/28/2018 +ms.topic: reference --- + + # WiFi DDF file -> [!WARNING] -> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -The XML below is for Windows 10, version 1809 and later. +The following XML file contains the device description framework (DDF) for the WiFi configuration service provider. ```xml - -]> +]> 1.2 + + WiFi - ./Vendor/MSFT + ./User/Vendor/MSFT @@ -46,8 +41,13 @@ The XML below is for Windows 10, version 1809 and later. - com.microsoft/1.1/MDM/WiFi + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + Profile @@ -55,6 +55,7 @@ The XML below is for Windows 10, version 1809 and later. + Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. 
@@ -65,11 +66,12 @@ The XML below is for Windows 10, version 1809 and later. - + - + + @@ -77,7 +79,7 @@ The XML below is for Windows 10, version 1809 and later. - The Profile name of the Wi-Fi network. This is added when WlanXML node is added and deleted when Wlanxml is deleted. + The Profile name of the Wi-Fi network. This is added when WlanXml node is added and deleted when WlanXml is deleted. @@ -89,8 +91,12 @@ The XML below is for Windows 10, version 1809 and later. SSID - + + + + + WlanXml @@ -103,7 +109,7 @@ The XML below is for Windows 10, version 1809 and later. XML describing the network configuration and follows Windows WLAN_profile schema. - Link to schema: https://msdn.microsoft.com/library/windows/desktop/ms707341(v=vs.85).aspx + Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx 
@@ -115,16 +121,480 @@ The XML below is for Windows 10, version 1809 and later. - text/plain + + + Proxy + + + + + + + + Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + + + + + + + + + + + + + + + ProxyPacUrl + + + + + + + + Optional node. URL to the PAC file location. + + + + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + + + + ProxyWPAD + + + + + + + + Optional node. The presence of the field enables WPAD for proxy lookup. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + false + Disable WPAD for proxy lookup. + + + true + Enable WPAD for proxy lookop. + + + + + + WiFiCost + + + + + + + + 1 + Optional node. If the policy is active selecting one of the values from the following list will set the cost of WLAN connection for the Wi-Fi profile. (1:Unrestricted - unlimited connection, 2: Fixed - capacity constraints up to a certain data limit, 3: Variable - costed on per byte basic) Default behaviour: Unrestricted + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + 1 + Unrestricted - unlimited connection. + + + 2 + Fixed - capacity constraints up to a certain data limit. + + + 3 + Variable - paid on per byte basic. + + + + + + ProfileSource + + + + + + 0 + Allows for defining which administrative entity is setting this Wi-Fi profile. This can currently be set to either 0=Enterprise or 1=Mobile Operator. + + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + 0 + Enterprise + + + 1 + Mobile Operator + + + + + + + + + WiFi + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Profile + + + + + Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. 
This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. + + + + + + + + + + + + + + + + + + + + + + + + The Profile name of the Wi-Fi network. This is added when WlanXml node is added and deleted when WlanXml is deleted. + + + + + + + + + + SSID + + + + + + + + + + WlanXml + + + + + + + + + XML describing the network configuration and follows Windows WLAN_profile schema. + Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx + + + + + + + + + + + + + + + + + Proxy + + + + + + + + Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + + + + + + + + + + + + + + + ProxyPacUrl + + + + + + + + Optional node. URL to the PAC file location. + + + + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + + + + ProxyWPAD + + + + + + + + Optional node. The presence of the field enables WPAD for proxy lookup. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + false + Disable WPAD for proxy lookup. + + + true + Enable WPAD for proxy lookop. + + + + + + WiFiCost + + + + + + + + 1 + Optional node. If the policy is active selecting one of the values from the following list will set the cost of WLAN connection for the Wi-Fi profile. (1:Unrestricted - unlimited connection, 2: Fixed - capacity constraints up to a certain data limit, 3: Variable - costed on per byte basic) Default behaviour: Unrestricted + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + 1 + Unrestricted - unlimited connection. + + + 2 + Fixed - capacity constraints up to a certain data limit. + + + 3 + Variable - paid on per byte basic. + + + + + + ProfileSource + + + + + + 0 + Allows for defining which administrative entity is setting this Wi-Fi profile. This can currently be set to either 0=Enterprise or 1=Mobile Operator. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + 0 + Enterprise + + + 1 + Mobile Operator + + + + ``` -## Related topics +## Related articles -[WiFi configuration service provider](wifi-csp.md) +[WiFi configuration service provider reference](wifi-csp.md) diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 8e0ff9f02d..a92d9f018f 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md 
@@ -1,382 +1,964 @@ --- title: WindowsDefenderApplicationGuard CSP -description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP). +description: Learn more about the WindowsDefenderApplicationGuard CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/02/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # WindowsDefenderApplicationGuard CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709. + -The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format. 
+ +The following list shows the WindowsDefenderApplicationGuard configuration service provider nodes: -```console -./Device/Vendor/MSFT -WindowsDefenderApplicationGuard -----Settings ---------AllowWindowsDefenderApplicationGuard ---------ClipboardFileType ---------ClipboardSettings ---------PrintingSettings ---------BlockNonEnterpriseContent ---------AllowPersistence ---------AllowVirtualGPU ---------SaveFilesToHost ---------CertificateThumbprints ---------AllowCameraMicrophoneRedirection -----Status -----PlatformStatus -----InstallWindowsDefenderApplicationGuard -----Audit ---------AuditApplicationGuard +- ./Device/Vendor/MSFT/WindowsDefenderApplicationGuard + - [Audit](#audit) + - [AuditApplicationGuard](#auditauditapplicationguard) + - [InstallWindowsDefenderApplicationGuard](#installwindowsdefenderapplicationguard) + - [PlatformStatus](#platformstatus) + - [Settings](#settings) + - [AllowCameraMicrophoneRedirection](#settingsallowcameramicrophoneredirection) + - [AllowPersistence](#settingsallowpersistence) + - [AllowVirtualGPU](#settingsallowvirtualgpu) + - [AllowWindowsDefenderApplicationGuard](#settingsallowwindowsdefenderapplicationguard) + - [BlockNonEnterpriseContent](#settingsblocknonenterprisecontent) + - [CertificateThumbprints](#settingscertificatethumbprints) + - [ClipboardFileType](#settingsclipboardfiletype) + - [ClipboardSettings](#settingsclipboardsettings) + - [PrintingSettings](#settingsprintingsettings) + - [SaveFilesToHost](#settingssavefilestohost) + - [Status](#status) + + + +## Audit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit ``` + -**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard** -Root node. Supported operation is Get. + + +Interior node for Audit. + -**Settings** -Interior node. Supported operation is Get. + + + -**Settings/AllowWindowsDefenderApplicationGuard** -Turn on Microsoft Defender Application Guard in Enterprise Mode. + +**Description framework properties**: -Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operations are Add, Get, Replace, and Delete. + + + -The following list shows the supported values: + -- 0 - Disable Microsoft Defender Application Guard. -- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY. -- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004). -- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004). + +### Audit/AuditApplicationGuard -**Settings/ClipboardFileType** -Determines the type of content that can be copied from the host to Application Guard environment and vice versa. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Value type is integer. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard +``` + -Supported operations are Add, Get, Replace, and Delete. + + +This policy setting allows you to decide whether auditing events can be collected from Application Guard. + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + + + -The following list shows the supported values: + +**Description framework properties**: -- 1 - Allow text copying. -- 2 - Allow image copying. -- 3 - Allow text and image copying. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -ADMX Info: + +**Allowed values**: -- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* -- GP name: *AppHVSIClipboardFileType* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - +| Value | Description | +|:--|:--| +| 0 (Default) | Audit event logs aren't collected for Application Guard. | +| 1 | Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. | + -**Settings/ClipboardSettings** -This policy setting allows you to decide how the clipboard behaves while in Application Guard. + +**Group policy mapping**: -Value type is integer. 
+| Name | Value | +|:--|:--| +| Name | AppHVSI_AuditApplicationGuardConfig | +| Friendly Name | Allow auditing events in Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | AuditApplicationGuard | +| ADMX File Name | AppHVSI.admx | + -Supported operations are Add, Get, Replace, and Delete. + + + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + -The following list shows the supported values: + +## InstallWindowsDefenderApplicationGuard -- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. -- 1 - Turns On clipboard operation from an isolated session to the host. -- 2 - Turns On clipboard operation from the host to an isolated session. -- 3 - Turns On clipboard operation in both the directions. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!IMPORTANT] -> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/InstallWindowsDefenderApplicationGuard +``` + - -ADMX Info: + + +Initiates remote installation of Application Guard feature. + -- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* -- GP name: *AppHVSIClipboardSettings* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + + + -**Settings/PrintingSettings** -This policy setting allows you to decide how the print functionality behaves while in Application Guard. + +**Description framework properties**: -Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + -Supported operations are Add, Get, Replace, and Delete. + +**Allowed values**: -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. +| Value | Description | +|:--|:--| +| Install | Will initiate feature install. | +| Uninstall | Will initiate feature uninstall. | + -The following list shows the supported values: + + + -- 0 (default) - Disables all print functionality. -- 1 - Enables only XPS printing. -- 2 - Enables only PDF printing. -- 3 - Enables both PDF and XPS printing. -- 4 - Enables only local printing. -- 5 - Enables both local and XPS printing. -- 6 - Enables both local and PDF printing. -- 7 - Enables local, PDF, and XPS printing. -- 8 - Enables only network printing. -- 9 - Enables both network and XPS printing. -- 10 - Enables both network and PDF printing. -- 11 - Enables network, PDF, and XPS printing. 
-- 12 - Enables both network and local printing. -- 13 - Enables network, local, and XPS printing. -- 14 - Enables network, local, and PDF printing. -- 15 - Enables all printing. + - -ADMX Info: + +## PlatformStatus -- GP Friendly name: *Configure Microsoft Defender Application Guard print settings* -- GP name: *AppHVSIPrintingSettings* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -**Settings/BlockNonEnterpriseContent** -This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/PlatformStatus +``` + -Value type is integer. + + +Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Reserved for Microsoft. Bit 3 - Set to 1 when Application Guard is installed on the client machine. Bit 4 - Reserved for Microsoft. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. + -Supported operations are Add, Get, Replace, and Delete. + + + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +**Description framework properties**: -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. -- 1 - Non-enterprise content embedded on enterprise sites is stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. + + + -> [!NOTE] -> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. 
+ - -ADMX Info: + +## Settings -- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer* -- GP name: *BlockNonEnterpriseContent* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**Settings/AllowPersistence** + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings +``` + + + + +Interior Node for Settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Settings/AllowCameraMicrophoneRedirection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowCameraMicrophoneRedirection +``` + + + + +This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device's camera and microphone when these settings are enabled on the user's device. + +- If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user's device. +- If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user's device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0). | +| 1 | Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppHVSI_AllowCameraMicrophoneRedirectionConfig | +| Friendly Name | Allow camera and microphone access in Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | AllowCameraMicrophoneRedirection | +| ADMX File Name | AppHVSI.admx | + + + + + + + + + +### Settings/AllowPersistence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowPersistence +``` + + + + This policy setting allows you to decide whether data should persist across different sessions in Application Guard. + -Value type is integer. + + + -Supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user sign out. -- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. + +**Allowed values**: - -ADMX Info: +| Value | Description | +|:--|:--| +| 0 | Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. | +| 1 | Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. | + -- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard* -- GP name: *AllowPersistence* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +**Group policy mapping**: -**Settings/AllowVirtualGPU** -Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. 
+| Name | Value | +|:--|:--| +| Name | AppHVSI_AllowPersistence | +| Friendly Name | Allow data persistence for Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | AllowPersistence | +| ADMX File Name | AppHVSI.admx | + -Value type is integer. + + + -Supported operations are Add, Get, Replace, and Delete. + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +### Settings/AllowVirtualGPU -If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowVirtualGPU +``` + -- 0 (default) - Can't access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0). -- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This functionality can create a faster experience when working with graphics intense websites or watching video within the container. + + +This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. + + + > [!WARNING] > Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device. + - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard* -- GP name: *AllowVirtualGPU* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -**Settings/SaveFilesToHost** -Added in Windows 10, version 1803. 
This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container. + +**Allowed values**: -Value type is integer. +| Value | Description | +|:--|:--| +| 0 (Default) | Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0). | +| 1 | Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. | + -Supported operations are Add, Get, Replace, and Delete. + +**Group policy mapping**: -The following list shows the supported values: +| Name | Value | +|:--|:--| +| Name | AppHVSI_AllowVirtualGPU | +| Friendly Name | Allow hardware-accelerated rendering for Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | AllowVirtualGPU | +| ADMX File Name | AppHVSI.admx | + -- 0 (default) - The user can't download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy isn't configured, it's the same as disabled (0). -- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system. 
+ + + - -ADMX Info: + -- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard* -- GP name: *SaveFilesToHost* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +### Settings/AllowWindowsDefenderApplicationGuard -**Settings/CertificateThumbprints** -Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Value type is string. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowWindowsDefenderApplicationGuard +``` + -Supported operations are Add, Get, Replace, and Delete. + + +Turn on Microsoft Defender Application Guard in Enterprise Mode. + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + + + -If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. + +**Description framework properties**: -Here's an example: -b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924 +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -If you disable or don’t configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container. + +**Allowed values**: - -ADMX Info: +| Value | Description | +|:--|:--| +| 0 | Disable Microsoft Defender Application Guard. | +| 1 | Enable Microsoft Defender Application Guard for Microsoft Edge ONLY. | +| 2 | Enable Microsoft Defender Application Guard for isolated Windows environments ONLY. | +| 3 | Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments. 
| + -- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device* -- GP name: *CertificateThumbprints* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowAppHVSI | +| Path | Windows Components > Microsoft Defender Application Guard | + + + + + + + + + +### Settings/BlockNonEnterpriseContent +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/BlockNonEnterpriseContent +``` + + + + +This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. + + + + +> [!NOTE] +> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. | +| 1 | Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppHVSI_BlockNonEnterpriseContentConfig | +| Friendly Name | Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | BlockNonEnterpriseContent | +| ADMX File Name | AppHVSI.admx | + + + + + + + + + +### Settings/CertificateThumbprints + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/CertificateThumbprints +``` + + + + +This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. + +- If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. Here's an example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924. +- If you disable or don't configure this setting, certificates are not shared with the Microsoft Defender Application Guard container. + + + + > [!NOTE] > To enforce this policy, device restart or user logon/logoff is required. + -**Settings/AllowCameraMicrophoneRedirection** -Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. + +**Description framework properties**: -Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + -Supported operations are Add, Get, Replace, and Delete. + +**Group policy mapping**: -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. 
+| Name | Value | +|:--|:--| +| Name | AppHVSI_CertificateThumbprints | +| Friendly Name | Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user’s device | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| ADMX File Name | AppHVSI.admx | + -If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device. + + + -If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device. + -The following list shows the supported values: + +### Settings/ClipboardFileType -- 0 (default) - Microsoft Defender Application Guard can't access the device’s camera and microphone. When the policy isn't configured, it's the same as disabled (0). -- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!IMPORTANT] -> If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardFileType +``` + - -ADMX Info: + + +Determines the type of content that can be copied from the host to Application Guard environment and vice versa. + -- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard* -- GP name: *AllowCameraMicrophoneRedirection* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + + + -**Status** -Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device. + +**Description framework properties**: -Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -Supported operation is Get. + +**Allowed values**: -- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. -- Bit 1 - Set to 1 when the client machine is Hyper-V capable. -- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. -- Bit 3 - Set to 1 when Application Guard is installed on the client machine. -- Bit 4 - Set to 1 when required Network Isolation Policies are configured. -- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. -- Bit 6 - Set to 1 when system reboot is required. +| Value | Description | +|:--|:--| +| 1 | Allow text copying. | +| 2 | Allow image copying. | +| 3 | Allow text and image copying. 
| + -**PlatformStatus** -Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. + +**Group policy mapping**: -Value type is integer. +| Name | Value | +|:--|:--| +| Name | AppHVSI_ClipboardConfig | +| Friendly Name | Configure Microsoft Defender Application Guard clipboard settings | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| ADMX File Name | AppHVSI.admx | + -Supported operation is Get. + + + -- Bit 0 - Set to 1 when Application Guard is enabled into Windows Isolated environment mode. -- Bit 1 - Set to 1 when the client machine is Hyper-V capable. -- Bit 2 - Reserved for Microsoft. -- Bit 3 - Set to 1 when Application Guard is installed on the client machine. -- Bit 4 - Reserved for Microsoft. -- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. + -**InstallWindowsDefenderApplicationGuard** -Initiates remote installation of Application Guard feature. + +### Settings/ClipboardSettings -Supported operations are Get and Execute. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardSettings +``` + -- Install - Will initiate feature install. -- Uninstall - Will initiate feature uninstall. + + +This policy setting allows you to decide how the clipboard behaves while in Application Guard. + -**Audit** -Interior node. Supported operation is Get. + + + -**Audit/AuditApplicationGuard** -This policy setting allows you to decide whether auditing events can be collected from Application Guard. + +**Description framework properties**: -Value type in integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Supported operations are Add, Get, Replace, and Delete. + +**Allowed values**: -This policy setting is supported on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. +| Value | Description | +|:--|:--| +| 0 (Default) | Completely turns Off the clipboard functionality for the Application Guard. | +| 1 | Turns On clipboard operation from an isolated session to the host. | +| 2 | Turns On clipboard operation from the host to an isolated session. | +| 3 | Turns On clipboard operation in both the directions. | + -The following list shows the supported values: + +**Group policy mapping**: -- 0 (default) - Audit event logs aren't collected for Application Guard. -- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. 
+| Name | Value | +|:--|:--| +| Name | AppHVSI_ClipboardConfig | +| Friendly Name | Configure Microsoft Defender Application Guard clipboard settings | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| ADMX File Name | AppHVSI.admx | + - -ADMX Info: + + + -- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard* -- GP name: *AuditApplicationGuard* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + -## Related topics + +### Settings/PrintingSettings -[Configuration service provider reference](index.yml) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/PrintingSettings +``` + + + + +This policy setting allows you to decide how the print functionality behaves while in Application Guard. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disables all print functionality. | +| 1 | Enables only XPS printing. | +| 2 | Enables only PDF printing. | +| 3 | Enables both PDF and XPS printing. | +| 4 | Enables only local printing. | +| 5 | Enables both local and XPS printing. | +| 6 | Enables both local and PDF printing. | +| 7 | Enables local, PDF, and XPS printing. | +| 8 | Enables only network printing. | +| 9 | Enables both network and XPS printing. | +| 10 | Enables both network and PDF printing. | +| 11 | Enables network, PDF, and XPS printing. | +| 12 | Enables both network and local printing. | +| 13 | Enables network, local, and XPS printing. | +| 14 | Enables network, local, and PDF printing. | +| 15 | Enables all printing. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppHVSI_PrintingConfig | +| Friendly Name | Configure Microsoft Defender Application Guard print settings | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| ADMX File Name | AppHVSI.admx | + + + + + + + + + +### Settings/SaveFilesToHost + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/SaveFilesToHost +``` + + + + +This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0). | +| 1 | Turns on the functionality to allow users to download files from Edge in the container to the host file system. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppHVSI_SaveFilesToHost | +| Friendly Name | Allow files to download and save to the host operating system from Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | SaveFilesToHost | +| ADMX File Name | AppHVSI.admx | + + + + + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Status +``` + + + + +Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. Bit 3 - Set to 1 when Application Guard installed on the client machine. Bit 4 - Set to 1 when required Network Isolation Policies are configured. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. Bit 6 - Set to 1 when system reboot is required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index 1c659fd2d1..67e900aa01 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md 
@@ -1,487 +1,660 @@ --- title: WindowsDefenderApplicationGuard DDF file -description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). +description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/10/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # WindowsDefenderApplicationGuard DDF file -> [!WARNING] -> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -This XML is for Windows 10, version 1809 and later. +The following XML file contains the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider. ```xml -]> +]> 1.2 + + + + WindowsDefenderApplicationGuard + ./Device/Vendor/MSFT + + + + + Root Node + + + + + + + + + + + + + + 10.0.16299 + 1.1 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Settings + + + + + Interior Node for Settings + + + + + + + + + + + + + - WindowsDefenderApplicationGuard - ./Device/Vendor/MSFT + AllowWindowsDefenderApplicationGuard + + + + Turn on Microsoft Defender Application Guard in Enterprise Mode. 
- + - + - com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard + + + + 0 + Disable Microsoft Defender Application Guard + + + 1 + Enable Microsoft Defender Application Guard for Microsoft Edge ONLY + + + 2 + Enable Microsoft Defender Application Guard for isolated Windows environments ONLY + + + 3 + Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments + + + - - Settings - - - - - - - - - - - - - - - - - - - AllowWindowsDefenderApplicationGuard - - - - - - - - - - - - - - - - - - text/plain - - - - - ClipboardFileType - - - - - - - - - - - - - - - - - - text/plain - - - - - ClipboardSettings - - - - - - - - - - - - - - - - - - text/plain - - - - - PrintingSettings - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockNonEnterpriseContent - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPersistence - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVirtualGPU - - - - - - - - - - - - - - - - - - text/plain - - - - - SaveFilesToHost - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustCriteria - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginRemovableMedia - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginNetworkShare - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginMarkOfTheWeb - - - - - - - - - - - - - - - - - - text/plain - - - - - CertificateThumbprints - - - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCameraMicrophoneRedirection - - - - - - - - - - - - - - - - - - text/plain - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - InstallWindowsDefenderApplicationGuard - - - - - - - - - - - - - - - - text/plain - - - - - Audit - - - - - - - - - - - - - - - - - - - AuditApplicationGuard - - - - - - - - - - - - - - - - - - text/plain - - - - + + ClipboardFileType + + + + + + + + Determines the type of content that can be copied from the host to Application Guard environment and 
vice versa. + + + + + + + + + + + + + + + 1 + Allow text copying. + + + 2 + Allow image copying. + + + 3 + Allow text and image copying. + + + + + + + ClipboardSettings + + + + + + + + 0 + This policy setting allows you to decide how the clipboard behaves while in Application Guard. + + + + + + + + + + + + + + + 0 + Completely turns Off the clipboard functionality for the Application Guard. + + + 1 + Turns On clipboard operation from an isolated session to the host. + + + 2 + Turns On clipboard operation from the host to an isolated session. + + + 3 + Turns On clipboard operation in both the directions. + + + + + + + PrintingSettings + + + + + + + + 0 + This policy setting allows you to decide how the print functionality behaves while in Application Guard. + + + + + + + + + + + + + + + 0 + Disables all print functionality. + + + 1 + Enables only XPS printing. + + + 2 + Enables only PDF printing. + + + 3 + Enables both PDF and XPS printing. + + + 4 + Enables only local printing. + + + 5 + Enables both local and XPS printing. + + + 6 + Enables both local and PDF printing. + + + 7 + Enables local, PDF, and XPS printing. + + + 8 + Enables only network printing. + + + 9 + Enables both network and XPS printing. + + + 10 + Enables both network and PDF printing. + + + 11 + Enables network, PDF, and XPS printing. + + + 12 + Enables both network and local printing. + + + 13 + Enables network, local, and XPS printing. + + + 14 + Enables network, local, and PDF printing. + + + 15 + Enables all printing. + + + + + + + BlockNonEnterpriseContent + + + + + + + + 0 + This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. + + + + + + + + + + + + + + + 0 + Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. 
+ + + 1 + Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. + + + + + + + + AllowPersistence + + + + + + + + This policy setting allows you to decide whether data should persist across different sessions in Application Guard. + + + + + + + + + + + + + + + 0 + Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. + + + 1 + Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. + + + + + + + AllowVirtualGPU + + + + + + + + 0 + This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. + + + + + + + + + + + + + + 10.0.17134 + 1.2 + + + + 0 + Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0). + + + 1 + Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. 
+ + + + + + + SaveFilesToHost + + + + + + + + 0 + This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. + + + + + + + + + + + + + + 10.0.17134 + 1.2 + + + + 0 + The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0). + + + 1 + Turns on the functionality to allow users to download files from Edge in the container to the host file system. + + + + + + + CertificateThumbprints + + + + + + + + This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. Here's an example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924. If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container. + + + + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + + + + + + AllowCameraMicrophoneRedirection + + + + + + + + 0 + This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device. If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device. 
+ + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 0 + Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0). + + + 1 + Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. + + + + + + + + Status + + + + + Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. Bit 3 - Set to 1 when Application Guard installed on the client machine. Bit 4 - Set to 1 when required Network Isolation Policies are configured. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. Bit 6 - Set to 1 when system reboot is required. + + + + + + + + + + + + + + + + PlatformStatus + + + + + Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Reserved for Microsoft. Bit 3 - Set to 1 when Application Guard is installed on the client machine. Bit 4 - Reserved for Microsoft. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. + + + + + + + + + + + + + + 10.0.19041 + 1.4 + + + + + InstallWindowsDefenderApplicationGuard + + + + + + Initiates remote installation of Application Guard feature. + + + + + + + + + + + + + + + Install + Will initiate feature install. + + + Uninstall + Will initiate feature uninstall. 
+ + + + + + Audit + + + + + Interior node for Audit + + + + + + + + + + + + + + + AuditApplicationGuard + + + + + + + + 0 + This policy setting allows you to decide whether auditing events can be collected from Application Guard. + + + + + + + + + + + + + + + 0 + Audit event logs aren't collected for Application Guard. + + + 1 + Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. + + + + + + + ``` -## Related topics +## Related articles -[WindowsDefenderApplicationGuard configuration service provider](windowsdefenderapplicationguard-csp.md) \ No newline at end of file +[WindowsDefenderApplicationGuard configuration service provider reference](windowsdefenderapplicationguard-csp.md) diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 1b912a214a..da4d51d70b 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md 
@@ -1,226 +1,129 @@ --- title: WindowsLicensing CSP -description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios. -ms.reviewer: +description: Learn more about the WindowsLicensing CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/15/2018 +ms.topic: reference --- + + + # WindowsLicensing CSP -The table below shows the applicability of Windows: + + +The WindowsLicensing configuration service provider is designed for licensing related management scenarios. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the WindowsLicensing configuration service provider nodes: -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. 
+- ./Vendor/MSFT/WindowsLicensing + - [ChangeProductKey](#changeproductkey) + - [CheckApplicability](#checkapplicability) + - [DeviceLicensingService](#devicelicensingservice) + - [AcquireDeviceLicense](#devicelicensingserviceacquiredevicelicense) + - [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror) + - [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription) + - [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus) + - [LicenseType](#devicelicensingservicelicensetype) + - [RemoveDeviceLicense](#devicelicensingserviceremovedevicelicense) + - [Edition](#edition) + - [LicenseKeyType](#licensekeytype) + - [SMode](#smode) + - [Status](#smodestatus) + - [SwitchFromSMode](#smodeswitchfromsmode) + - [SwitchingPolicy](#smodeswitchingpolicy) + - [Status](#status) + - [Subscriptions](#subscriptions) + - [{SubscriptionId}](#subscriptionssubscriptionid) + - [Name](#subscriptionssubscriptionidname) + - [Status](#subscriptionssubscriptionidstatus) + - [UpgradeEditionWithLicense](#upgradeeditionwithlicense) + - [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) + -The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 client devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 client devices. + +## ChangeProductKey -The following example shows the WindowsLicensing configuration service provider in tree format. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -```console -./Vendor/MSFT -WindowsLicensing -----UpgradeEditionWithProductKey -----ChangeProductKey -----Edition -----Status -----LicenseKeyType -----CheckApplicability -----ChangeProductKey (Added in Windows 10, version 1703) -----Subscriptions (Added in Windows 10, version 1607) ---------SubscriptionId (Added in Windows 10, version 1607) -------------Status (Added in Windows 10, version 1607) -------------Name (Added in Windows 10, version 1607) -----SMode (Added in Windows 10, version 1809) ---------SwitchingPolicy (Added in Windows 10, version 1809) ---------SwitchFromSMode (Added in Windows 10, version 1809) ---------Status (Added in Windows 10, version 1809) + +```Device +./Vendor/MSFT/WindowsLicensing/ChangeProductKey ``` - -**./Device/Vendor/MSFT/WindowsLicensing** -This node is the root node for the WindowsLicensing configuration service provider. - -The supported operation is Get. - -**UpgradeEditionWithProductKey** -Enters a product key for an edition upgrade of Windows 10 desktop devices. - -> [!NOTE] -> This upgrade process requires a system restart. - -The date type is a chr. - -The supported operation is Exec. - -When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. - -After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. - -> [!IMPORTANT] -> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail. 
- -If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. - -After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. - -This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key doesn't require a reboot and is a silent process for the user. - -> [!IMPORTANT] -> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. - -The following are valid edition upgrade paths when using this node through an MDM: - -- Windows 10/Windows 11 Enterprise to Windows 10/ Windows 11 Education -- Windows 10/Windows 11 Home to Windows 10/Windows 11 Education -- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Education -- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Enterprise - -Activation or changing a product key can be carried out on the following editions: - -- Windows 10/Windows 11 Education -- Windows 10/Windows 11 Enterprise -- Windows 10/Windows 11 Home -- Windows 10/Windows 11 Pro - -**Edition** -Returns a value that maps to the Windows 10 or Windows 11 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. 
- -The data type is an Int. - -The supported operation is Get. - -**Status** -Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values: - -- 0 = Failed -- 1 = Pending -- 2 = In progress -- 3 = Completed -- 4 = Unknown - -The data type is an Int. - -The supported operation is Get. - - - -**LicenseKeyType** -Returns the parameter type used by Windows 10 or Windows 11 devices for an edition upgrade, activation, or product key change. - -- Windows 10 or Windows 11 client devices require a product key. - -The data type is a chr. - -The supported operation is Get. - -**CheckApplicability** -Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 or Windows 11 for desktop devices. - -The data type is a chr. - -The supported operation is Exec. - -**ChangeProductKey** -Added in Windows 10, version 1703. Installs a product key for Windows desktop devices. Doesn't reboot. - -The data type is a chr. - -The supported operation is Execute. - -**Subscriptions** -Added in Windows 10, version 1607. Node for subscriptions. - -**Subscriptions/SubscriptionId** -Added in Windows 10, version 1607. Node for subscription IDs. - -**Subscriptions/SubscriptionId/Status** -Added in Windows 10, version 1607. Returns the status of the subscription. - -The data type is an Int. - -The supported operation is Get. - -**Subscriptions/SubscriptionId/Name** -Added in Windows 10, version 1607. Returns the name of the subscription. - -The data type is a chr. - -The supported operation is Get. - -**SMode** -Interior node for managing S mode. - -**SMode/SwitchingPolicy** -Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. 
For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) - -Value type is integer. - -Supported operations are Add, Get, Replace, and Delete. - -Supported values: - -- 0 - No Restriction: The user is allowed to switch the device out of S mode. -- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. - -**SMode/SwitchFromSMode** -Added in Windows 10, version 1809. Switches a device out of S mode if possible. Doesn't reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) - -Supported operation is Execute. - -**SMode/Status** -Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) - -Value type is integer. - -Supported operation is Get. - -Values: - -- Request fails with error code 404 - no SwitchFromSMode request has been made. -- 0 - The device successfully switched out of S mode. -- 1 - The device is processing the request to switch out of S mode. -- 3 - The device was already switched out of S mode. -- 4 - The device failed to switch out of S mode. - -## SyncML examples - -**CheckApplicability** + + + + +Installs a product key for Windows 10 desktop devices. Does not reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## CheckApplicability + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/CheckApplicability +``` + + + + +Returns TRUE if the entered product key can be used for an edition upgrade of Windows 10 desktop devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + +**Example**: ```xml @@ -243,9 +146,328 @@ Values: ``` > [!NOTE] -> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. +> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the Data tag should be replaced with your product key. + -**Edition** + + + +## DeviceLicensingService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### DeviceLicensingService/AcquireDeviceLicense + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense +``` + + + + +Acquire and Refresh Device License. Does not reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### DeviceLicensingService/DeviceLicensingLastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/DeviceLicensingLastError +``` + + + + +Returns the last error code of Refresh/Remove Device License operation. Value would be empty(0) in absence of error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceLicensingService/DeviceLicensingLastErrorDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/DeviceLicensingLastErrorDescription +``` + + + + +Returns last error description from Device Licensing. Value would be empty, if error decription can not be evaluated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### DeviceLicensingService/DeviceLicensingStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/DeviceLicensingStatus +``` + + + + +Returns the status of Refresh/Remove Device License operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceLicensingService/LicenseType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/LicenseType +``` + + + + +License Type: User Based Subscription or Device Based Subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | User Based Subscription. | +| 1 | Device Based Subscription. | + + + + + + + + + +### DeviceLicensingService/RemoveDeviceLicense + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/RemoveDeviceLicense +``` + + + + +Remove Device License. Device would be ready for user based license after this operation. Does not reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +## Edition + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Edition +``` + + + + +Returns a value that maps to the Windows 10 edition running on desktop or mobile devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml @@ -262,8 +484,46 @@ Values: ``` + -**LicenseKeyType** + + + +## LicenseKeyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/LicenseKeyType +``` + + + + +Returns the parameter type used by Windows 10 devices for an edition upgrade. Windows 10 desktop devices require a product key for an edition upgrade. Windows 10 mobile devices require a license for an edition upgrade. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**Example**: ```xml @@ -280,76 +540,92 @@ Values: ``` + -**Status** + -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/Status - - - - - - + +## SMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/SMode ``` + -**UpgradeEditionWithProductKey** + + +Interior node for managing S mode. + -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey - - - chr - - XXXXX-XXXXX-XXXXX-XXXXX-XXXXX - - - - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### SMode/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/SMode/Status ``` + -> [!NOTE] -> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. + + +Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request. + - + +Possible values: -**UpgradeEditionWithLicense** +- Request fails with error code 404: no SwitchFromSMode request has been made. +- 0: The device successfully switched out of S mode. +- 1: The device is processing the request to switch out of S mode. +- 3: The device was already switched out of S mode. +- 4: The device failed to switch out of S mode. + -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithLicense - - - chr - - YOUR XML ENCODED LICENSE GOES HERE - - - - - -``` ---> + +**Description framework properties**: -**Get S mode status** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml @@ -368,8 +644,46 @@ Values: ``` + -**Execute SwitchFromSMode** + + + +### SMode/SwitchFromSMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/SMode/SwitchFromSMode +``` + + + + +Switches a device out of S mode if possible. Does not reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + +**Example**: ```xml @@ -393,97 +707,504 @@ Values: ``` + -**Add S mode SwitchingPolicy** + -```xml - - - - 4 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - int - text/plain - - 1 - - - - - + +### SMode/SwitchingPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy ``` + -**Get S mode SwitchingPolicy** + + +Policy that determines whether a consumer can switch the device out of S mode. + + + + +This setting is only applicable to devices available in S mode. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | No Restriction: The user is allowed to switch the device out of S mode. | +| 1 | User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. | + + + + +**Examples**: + +- Add S Mode SwitchingPolicy + + ```xml + + + + 4 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + + ``` + +- Get S Mode Switching Policy + + ```xml + + + + 2 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + + ``` + +- Replace S mode SwitchingPolicy + + ```xml + + + + 1 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + + ``` + +- Delete S mode SwitchingPolicy + + ```xml + + + + 3 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + + ``` + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Status +``` + + + + +Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml - 2 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/Status + + ``` + -**Replace S mode SwitchingPolicy** + + + +## Subscriptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions +``` + + + + +Node for subscriptions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Subscriptions/{SubscriptionId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/{SubscriptionId} +``` + + + + +Node for subscription IDs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### Subscriptions/{SubscriptionId}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/{SubscriptionId}/Name +``` + + + + +Returns the name of the subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Subscriptions/{SubscriptionId}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/{SubscriptionId}/Status +``` + + + + +Returns the status of the subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## UpgradeEditionWithLicense + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/UpgradeEditionWithLicense +``` + + + + +Provide a license for an edition upgrade of Windows 10 mobile devices. Does not require reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec | + + + + + + + + + +## UpgradeEditionWithProductKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey +``` + + + + +Enter a product key for an edition upgrade of Windows 10 desktop devices. Requires reboot. + + + + +When a product key is pushed from an MDM server to a user's device, `changepk.exe` runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. + +> [!NOTE] +> If another policy requires a system reboot that occurs when `changepk.exe` is running, the edition upgrade will fail. + +If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and `changepk.exe` runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. + +This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key doesn't require a reboot and is a silent process for the user. + +> [!IMPORTANT] +> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. 
The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. + +The following are valid edition upgrade paths when using this node through an MDM: + +- Windows 10/11 Enterprise to Windows 10/11 Education +- Windows 10/11 Home to Windows 10/11 Education +- Windows 10/11 Pro to Windows 10/11 Education +- Windows 10/11 Pro to Windows 10/11 Enterprise + +Activation or changing a product key can be carried out on the following editions: + +- Windows 10/11 Education +- Windows 10/11 Enterprise +- Windows 10/11 Home +- Windows 10/11 Pro + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | +| Reboot Behavior | Automatic | + + + + +**Example**: ```xml - - 1 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - int - text/plain - - 1 - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey + + + chr + + XXXXX-XXXXX-XXXXX-XXXXX-XXXXX + + + ``` -**Delete S mode SwitchingPolicy** +> [!NOTE] +> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the Data tag should be replaced with your product key. + -```xml - - - - 3 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - - - - -``` + -## Related topics + + + -[Configuration service provider reference](index.yml) + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 00f97205ee..ad27537130 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md 
@@ -1,44 +1,399 @@ --- title: WindowsLicensing DDF file -description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/16/2017 +ms.topic: reference --- + + # WindowsLicensing DDF file -> [!WARNING] -> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1809 and later. +The following XML file contains the device description framework (DDF) for the WindowsLicensing configuration service provider. ```xml -]> +]> 1.2 + + + + WindowsLicensing + ./Vendor/MSFT + + + + + This is the root node for the WindowsLicensing configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCD; + + + + UpgradeEditionWithProductKey + + + + + Enter a product key for an edition upgrade of Windows 10 desktop devices. Requires reboot. + + + + + + + + + + + + + + + + + + Automatic + + + + ChangeProductKey + + + + + Installs a product key for Windows 10 desktop devices. Does not reboot. 
+ + + + + + + + + + + + + + + + + 10.0.15063 + 1.2 + + + + + + + Edition + + + + + Returns a value that maps to the Windows 10 edition running on desktop or mobile devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + + + + + + + + + + + + + + + + + + + Status + + + + + Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown + + + + + + + + + + + + + + + + + + + UpgradeEditionWithLicense + + + + + Provide a license for an edition upgrade of Windows 10 mobile devices. Does not require reboot. + + + + + + + + + + + + + + + + + + + + + + LicenseKeyType + + + + + Returns the parameter type used by Windows 10 devices for an edition upgrade. Windows 10 desktop devices require a product key for an edition upgrade. Windows 10 mobile devices require a license for an edition upgrade. + + + + + + + + + + + + + + + + + + + CheckApplicability + + + + + Returns TRUE if the entered product key can be used for an edition upgrade of Windows 10 desktop devices. + + + + + + + + + + + + + + + + + + + Subscriptions + + + + + Node for subscriptions. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + - WindowsLicensing - ./Vendor/MSFT + + + Node for subscription IDs. + + + + + + + SubscriptionId + + + + + + + + + Status + + + + + Returns the status of the subscription. + + + + + + + + + + + + + + + + Name + + + + + Returns the name of the subscription. + + + + + + + + + + + + + + + + + + SMode + + + + + Interior node for managing S mode. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + SwitchingPolicy + + + + + + + + Policy that determines whether a consumer can switch the device out of S mode + + + + + + + + + + + + + + + + + + 0 + No Restriction: The user is allowed to switch the device out of S mode. 
+ + + 1 + User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. + + + + + + SwitchFromSMode + + + + + Switches a device out of S mode if possible. Does not reboot. + + + 
@@ -46,309 +401,206 @@ The XML below is for Windows 10, version 1809 and later. - com.microsoft/1.3/MDM/WindowsLicensing + + + + + + + + + Status + + + + + Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request. + + + + + + + + + + + + + + + + + + + + DeviceLicensingService + + + + + Insert Description Here + + + + + + + + + + + + + + 10.0.22621 + 1.4 + + + + LicenseType + + + + + + + + License Type: User Based Subscription or Device Based Subscription + + + + + + + + + + + + + + + 0 + User Based Subscription + + + 1 + Device Based Subscription + + + + + + DeviceLicensingStatus + + + + + Returns the status of Refresh/Remove Device License operation. + + + + + + + + + + + - - UpgradeEditionWithProductKey - - - - - Enter a product key for an edition upgrade of Windows 10 desktop devices. Requires reboot. - - - - - - - - - - - - - - text/plain - - - - - ChangeProductKey - - - - - Installs a product key for Windows 10 desktop devices. Does not reboot. - - - - - - - - - - - - - - text/plain - - - - - Edition - - - - - Returns a value that maps to the Windows 10 or Windows 11 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - Returns the status of an edition upgrade on Windows 10 or Windows 11 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown - - - - - - - - - - - - - - text/plain - - - - - CheckApplicability - - - - - Returns TRUE if the entered product key can be used for an edition upgrade of Windows 10 desktop devices. 
- - - - - - - - - - - - - - text/plain - - - - - Subscriptions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SubscriptionId - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - Name - - - - - - - - - - - - - - - text/plain - - - - - - - SMode - - - - - - - - - - - - - - - - - - - SwitchingPolicy - - - - - - - - Policy that determines whether a consumer can switch the device out of S mode - - - - - - - - - - - - - - text/plain - - - - - SwitchFromSMode - - - - - Switches a device out of S mode if possible. Does not reboot. - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request. - - - - - - - - - - - - - - text/plain - - - - + + DeviceLicensingLastError + + + + + Returns the last error code of Refresh/Remove Device License operation. Value would be empty(0) in absence of error. + + + + + + + + + + + + + + + + DeviceLicensingLastErrorDescription + + + + + Returns last error description from Device Licensing. Value would be empty, if error decription can not be evaluated. + + + + + + + + + + + + + + + + AcquireDeviceLicense + + + + + Acquire and Refresh Device License. Does not reboot. + + + + + + + + + + + + + + + + RemoveDeviceLicense + + + + + Remove Device License. Device would be ready for user based license after this operation. Does not reboot. + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[WindowsLicensing configuration service provider](windowslicensing-csp.md) \ No newline at end of file +[WindowsLicensing configuration service provider reference](windowslicensing-csp.md) diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index ecbdc67678..b4cc4b0e26 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md 
@@ -1,70 +1,201 @@ --- title: WiredNetwork CSP -description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP. Learn how it works. +description: Learn more about the WiredNetwork CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/27/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # WiredNetwork CSP -The table below shows the applicability of Windows: + + +The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have group policy to enable them to access corporate Internet over ethernet. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the WiredNetwork configuration service provider nodes: -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- ./Device/Vendor/MSFT/WiredNetwork + - [EnableBlockPeriod](#deviceenableblockperiod) + - [LanXML](#devicelanxml) +- ./User/Vendor/MSFT/WiredNetwork + - [EnableBlockPeriod](#userenableblockperiod) + - [LanXML](#userlanxml) + -The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809. + +## Device/EnableBlockPeriod -The following example shows the WiredNetwork configuration service provider in tree format. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WiredNetwork/EnableBlockPeriod ``` -./User/Vendor/MSFT -WiredNetwork -----LanXML -----EnableBlockPeriod + + + +Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + -./Device/Vendor/MSFT -WiredNetwork -----LanXML -----EnableBlockPeriod + + + + +**Description framework properties**: -./User/Vendor/MSFT -./Device/Vendor/MSFT -WiredNetwork -----LanXML -----EnableBlockPeriod +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | + + + + + + + + + +## Device/LanXML + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WiredNetwork/LanXML ``` -**./Device/Vendor/MSFT/WiredNetwork** -The root node for the wirednetwork configuration service provider. + -**LanXML** -Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx. + + +XML describing the wired network configuration and follows the LAN_profile schemas + -- Supported operations are Add, Get, Replace, and Delete. -- Value type is string. + + + -**EnableBlockPeriod** - Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + +**Description framework properties**: -- Supported operations are Add, Get, Replace, and Delete. -- Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## User/EnableBlockPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/WiredNetwork/EnableBlockPeriod +``` + + + + +Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | + + + + + + + + + +## User/LanXML + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/WiredNetwork/LanXML +``` + + + + +XML describing the wired network configuration and follows the LAN_profile schemas + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + +## Examples The following example shows how to add a wired network profile: + ```xml @@ -83,7 +214,10 @@ The following example shows how to add a wired network profile: ``` + -## Related topics + -[Configuration service provider reference](index.yml) \ No newline at end of file +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index 95d8425592..42f5285262 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md 
@@ -1,173 +1,190 @@ --- title: WiredNetwork DDF file -description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. +description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/28/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # WiredNetwork DDF file - -This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. This CSP was added in Windows 10, version 1511. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the WiredNetwork configuration service provider. ```xml -]> +]> 1.2 - - WiredNetwork - ./User/Vendor/MSFT - - - - - - - - - - - - - - - - - - - LanXML - - - - - - - - XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx - - - - - - - - - - - text/plain - - - - - EnableBlockPeriod - - - - - - - - Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. 
- - - - - - - - - - - text/plain - - - - - - WiredNetwork - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - - - - - LanXML - - - - - - - - XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx - - - - - - - - - - - text/plain - - - - - EnableBlockPeriod - - - - - - - - Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. - - - - - - - - - - - text/plain - - - - + + + + WiredNetwork + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.17763 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + + + + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. 
+ + + + + + + + + + + + + + [0-4294967295] + + + + + + WiredNetwork + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.17763 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + + + + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + + + + + + + + [0-4294967295] + + + + ``` -## Related topics +## Related articles -[WiredNetwork CSP](wirednetwork-csp.md) +[WiredNetwork configuration service provider reference](wirednetwork-csp.md) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index adb471edb7..4e59e30993 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -1,6 +1,6 @@ --- title: Use Quick Assist to help users -description: How IT Pros can use Quick Assist to help users. +description: Learn how IT Pros can use Quick Assist to help users. ms.prod: windows-client ms.topic: article ms.technology: itpro-manage @@ -9,10 +9,13 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal +appliesto: + - ✅ Windows 10 and later + - ✅ Windows 11 and later ms.collection: - highpri - tier1 -ms.date: 08/26/2022 +ms.date: 03/06/2023 --- # Use Quick Assist to help users 
@@ -23,8 +26,8 @@ Quick Assist is a Microsoft Store application that enables a person to share the All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. -> [!NOTE] -> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. +> [!IMPORTANT] +> Quick Assist is not available in the Azure Government cloud. ### Authentication @@ -45,7 +48,7 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis | `*.registrar.skype.com` | Required for Azure Communication Service. | | `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | | `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. | -| `aadcdn.msauth.net` | Required for logging in to the application (AAD). | +| `aadcdn.msauth.net` | Required for logging in to the application (Azure AD). | | `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. | | `login.microsoftonline.com` | Required for Microsoft login service. | | `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. | 
@@ -54,21 +57,32 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis > [!IMPORTANT] > Quick Assist uses Edge WebView2 browser control. For a list of domain URLs that you need to add to the allow list to ensure that the Edge WebView2 browser control can be installed and updated, see [Allow list for Microsoft Edge endpoints](/deployedge/microsoft-edge-security-endpoints). +## Working with Quick Assist + +Either the support staff or a user can start a Quick Assist session. + +1. Support staff ("helper") and the user ("sharer") can start Quick Assist in any of a few ways: + - Type *Quick Assist* in the Windows search and press ENTER. + - Press **CTRL** + **Windows** + **Q**. + - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then select **Quick Assist**. + - For **Windows 11** users, from the Start menu, select **All Apps**, and then select **Quick Assist**. +1. In the **Help someone** section, the helper selects the **Help someone** button. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. +1. Helper shares the security code with the user over the phone or with a messaging system. +1. The sharer enters the provided code in the **Security code from assistant** box under the **Get help** section, and then selects **Submit**. +1. The sharer receives a dialog asking for permission to allow screen sharing. The sharer gives permission by selecting the **Allow** button and the screen sharing session is established. +1. After the screen sharing session is established, the helper can optionally request control of the sharer's screen by selecting **Request control**. The sharer then receives a dialog asking them if they want to **Allow** or **Deny** the request for control. + +> [!NOTE] +> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. + ## How it works 1. 
Both the helper and the sharer start Quick Assist. - -2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. - -3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. - -4. The helper is prompted to select **View Only** or **Full Control**. - -5. The sharer is prompted to confirm allowing the helper to share their desktop with the helper. - -6. Quick Assist starts RDP control and connects to the RDP Relay service. - -7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. +1. The helper selects **Help someone**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. +1. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. +1. The sharer is prompted to confirm allowing the helper to share their desktop with the helper. +1. Quick Assist starts RDP control and connects to the RDP Relay service. +1. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. 
:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established."::: 
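Review bot: The step where the sharer enters the security code under **Get help** gives no guidance on confirming who the helper is, even though the next two steps show that the code establishes screen sharing and opens the way to a **Request control** prompt. As the data-handling section later in the file notes, the sharer only ever sees an abbreviated helper name, so the procedure itself is the only place to make the point. A short callout after that step would do, for example `> [!CAUTION]` followed by `> Only enter a security code that you received from a helper whose identity you have confirmed through a trusted channel. The code lets the helper see your screen and request control of the device.` The section is moved from later in the file and is otherwise unchanged, so the wording of the other steps does not need to change.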
@@ -77,61 +91,39 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis Microsoft logs a small amount of session data to monitor the health of the Quick Assist system. This data includes the following information: - Start and end time of the session - - Errors arising from Quick Assist itself, such as unexpected disconnections - - Features used inside the app such as view only, annotation, and session pause -No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session. - -The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days. +> [!NOTE] +> No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session. +> +> The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days. In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. -## Working with Quick Assist - -Either the support staff or a user can start a Quick Assist session. - -1. Support staff ("helper") starts Quick Assist in any of a few ways: - - - Type *Quick Assist* in the search box and press ENTER. - - Press **CTRL** + **Windows** + **Q** - - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**. - - For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**. - -2. 
In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. - -3. Helper shares the security code with the user over the phone or with a messaging system. - -4. Quick Assist opens on the sharer's device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. - -5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After they choose an option, the helper selects **Continue**. - -6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. - ## Install Quick Assist ### Install Quick Assist from the Microsoft Store 1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5). -1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, you'll see **Get** change to **Open**.
    :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: +1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, **Get** changes to **Open**.
    :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). ### Install Quick Assist with Intune -Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. +Before installing Quick Assist, you need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. 1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com). -1. Select **Manage** / **Settings** and turn on **Show offline apps**. +1. Select **Manage** / **Settings** and enable **Show offline apps**. 1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not. 1. Search for **Quick Assist** and select it from the Search results. 1. Choose the **Offline** license and select **Get the app** -1. 
In the Endpoint Manager admin center, choose **Sync**. +1. In the Intune admin center, choose **Sync**. 1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list. -1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link. -1. Assign the app to the required group of devices and choose **Review + save** to complete the application install. +1. Select it to view its properties. +1. By default, the app isn't assigned to any user or device, select the **Edit** link. Assign the app to the required group of devices and choose **Review + save** to complete the application install. > [!NOTE] > Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context. @@ -140,18 +132,19 @@ Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps ### Install Quick Assist Offline -To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. +To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. 1. Start **Windows PowerShell** with Administrative privileges. -1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD <*location of package file*>) -1. Run the following command to install Quick Assist:
    *Add-appxprovisionedpackage -online -PackagePath "MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"* -1. After Quick Assist has installed, run this command:
    _Get-appxpackage \*QuickAssist* -alluser_ - -After running the command, you'll see Quick Assist 2.X is installed for the user. +1. In PowerShell, change the directory to the location you've saved the file to in step 1: `cd ` +1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"` +1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` ## Microsoft Edge WebView2 -The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately. +The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application has been developed using this control, making it a necessary component for the app to function. + +- For Windows 11 users, this runtime control is built in. +- For Windows 10 users, the Quick Assist Store app detects if WebView2 is present on launch and if necessary, installs it automatically. If an error message or prompt is shown indicating WebView2 isn't present, it needs to be installed separately. For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) 
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 5b27211b1f..bd831a11be 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -98,10 +98,10 @@ items: href: administrative-tools-in-windows-10.md - name: Use Quick Assist to help users href: quick-assist.md - - name: Create mandatory user profiles - href: mandatory-user-profile.md - name: Connect to remote Azure Active Directory-joined PC href: connect-to-remote-aadj-pc.md + - name: Create mandatory user profiles + href: mandatory-user-profile.md - name: New policies for Windows 10 href: new-policies-for-windows-10.md - name: Windows 10 default media removal policy diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 979f7648a6..b3887ade44 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -126,6 +126,8 @@ href: provisioning-packages/provisioning-multivariant.md - name: PowerShell cmdlets for provisioning Windows client (reference) href: provisioning-packages/provisioning-powershell.md + - name: Diagnose provisioning packages + href: provisioning-packages/diagnose-provisioning-packages.md - name: Windows Configuration Designer command-line interface (reference) href: provisioning-packages/provisioning-command-line.md diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index 0fa0a01630..7ef410564c 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md 
@@ -132,7 +132,7 @@ This section shows you how to create a pinned list policy in Intune. There isn't To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment). -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. 3. Enter the following properties: diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index dfcaee8191..a97023b5d9 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -29,7 +29,7 @@ For example, you can override the default set of apps with your own a set of pin To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs. -This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. +This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons). ## Before you begin 
@@ -170,7 +170,7 @@ MDM providers can deploy policies to devices managed by the organization, includ Use the following steps to create an Intune policy that deploys your taskbar XML file: -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index ff5c66875f..ebd6bb9d28 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -55,7 +55,7 @@ Two features enable Start layout control: The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout: -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md new file mode 100644 index 0000000000..b3207522a4 --- /dev/null +++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md 
@@ -0,0 +1,42 @@ +--- +title: Diagnose Provisioning Packages +description: Diagnose general failures in provisioning. +ms.reviewer: +manager: aaroncz +ms.author: lizlong +ms.topic: article +ms.prod: windows-client +ms.technology: itpro-manage +author: lizgt2000 +ms.date: 01/18/2023 +ms.collection: highpri +--- + +# Diagnose Provisioning Packages + +This article helps diagnose common issues with applying provisioning packages. You can use the [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) to diagnose general provisioning failures. + +## Unable to apply power settings + +When applying a provisioning package (PPKG) containing power settings, elevated permissions are required. Because elevated permissions are required, power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. + +To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings). + +## Unable to perform bulk enrollment in Azure AD + +When [enrolling devices into Azure AD using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). 
+ +> [!NOTE] +> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected. + +## Unable to apply a multivariant provisioning package + +When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it may be difficult to diagnose why a certain target did not get applied. There may have been improperly authored conditions that did not evaluate as expected. + +Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package was not applied. + +You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report: + +```powershell +([XML](Get-Content MDMDiagReport.xml)).SelectNodes('//Multivariant') | Select -ExpandProperty Condition +``` diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 8796ceac18..e92747be63 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md 
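Review bot: The power-settings section tells the reader to place the PPKG in `%WINDIR%/Provisioning/Packages` so that it is applied under the LocalSystem account after a reboot, but says nothing about what that implies for trust in the package itself. Adding one sentence after the reboot instruction would close the gap: `Because packages in this folder are applied with LocalSystem privileges at startup, only place provisioning packages obtained from a trusted source there, and keep write access to the folder limited to administrators.` The path should also use the conventional backslash form, `%WINDIR%\Provisioning\Packages`, to match the other Windows paths in these docs. In the PowerShell sample, `Select` is an alias; spelling it out as `Select-Object` matches the style used for the cmdlets in the neighbouring files.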
@@ -57,7 +57,7 @@ On devices running Windows client, you can install [the Windows Configuration De - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-). -- Windows Configuration Designer doesn't work properly if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device. +- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step will display oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons won't be displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled. - You can only run one instance of Windows Configuration Designer on your computer at a time. diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 874a5657cc..7600808ed5 100644 --- a/windows/configuration/start-secondary-tiles.md 
+++ b/windows/configuration/start-secondary-tiles.md @@ -90,7 +90,7 @@ You can apply the customized Start layout with images for secondary tiles by usi In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. 3. Enter the following properties: diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index b51d7becb9..a24ff5885a 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md 
@@ -18,53 +18,65 @@ ms.topic: article - Windows 11 -The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. - -This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). +The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). 
+## CSP policies to customize Windows 11 taskbar buttons + +- [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) + - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar` + - Local setting: Settings > Personalization > Taskbar > Search + +- [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) + - Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button` + - Local setting: Settings > Personalization > Taskbar > Task view + +- [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) + - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets` + - Local setting: Settings > Personalization > Taskbar > Widgets + +- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar) + - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting` + - Local setting: Settings > Personalization > Taskbar > Chat + ## Existing CSP policies that Windows 11 taskbar supports -- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) +- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar -- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar) +- 
[Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` - Local setting: None -- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#experience-configurechaticonvisibilityonthetaskbar) - - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat` - - Local setting: Settings > Personalization > Taskbar > Chat - ## Existing CSP policies that Windows 11 doesn't support The following list includes some of the CSP policies that aren't supported on Windows 11: -- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall) +- [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` -- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar) +- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` -- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar) +- [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` -- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock) +- [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock) - Group policy: `User 
Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` -- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize) +- [ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` -- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar) +- [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` -- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping) +- [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` -- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` - -- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled) +- [ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` + +- [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` 
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index 528e7fcbba..1c23a9707e 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md @@ -8,7 +8,6 @@ author: lizgt2000 ms.reviewer: manager: aaroncz ms.localizationpriority: medium -ms.date: 09/20/2022 ms.topic: conceptual ms.collection: tier1 appliesto: @@ -60,7 +59,9 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy - [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. -- [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants. +- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants. + +- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. ## Hearing diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 084263aadb..4fc092c907 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -35,7 +35,7 @@ - name: Plan items: - name: Plan for Windows 11 - href: /windows/whats-new/windows-11-plan + href: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -72,7 +72,7 @@ - name: Prepare items: - name: Prepare for Windows 11 - href: /windows/whats-new/windows-11-prepare + href: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Prepare to deploy Windows client updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure @@ -334,6 +334,8 @@ href: update/windows-update-overview.md - name: Servicing stack updates href: update/servicing-stack-updates.md + - name: Update CSP policies + href: /windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Additional Windows Update settings href: update/waas-wu-settings.md - name: Delivery Optimization reference diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index 1d67fee4df..8a3e5bc940 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -5,10 +5,8 @@ ms.prod: windows-client ms.localizationpriority: medium author: frankroj ms.author: frankroj -ms.reviewer: manager: aaroncz ms.topic: article -ms.custom: seo-marvel-apr2020 ms.date: 11/23/2022 ms.technology: itpro-deploy --- diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml index bbaa26132d..c7cea673bd 100644 --- a/windows/deployment/breadcrumb/toc.yml +++ b/windows/deployment/breadcrumb/toc.yml 
@@ -34,4 +34,15 @@ items: - name: Deployment tocHref: /mem/intune/protect/ topicHref: /windows/deployment/ - + +- name: Learn + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows/ + topicHref: /windows/resources/ + items: + - name: Deployment + tocHref: /windows/client-management/mdm + topicHref: /windows/deployment/ diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 3dbdf7eef2..f3f16802b4 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -7,7 +7,6 @@ author: frankroj manager: aaroncz ms.author: frankroj ms.topic: article -ms.custom: seo-marvel-apr2020 ms.date: 11/23/2022 ms.technology: itpro-deploy --- diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index f19a79ea47..7239ce998b 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -8,7 +8,7 @@ ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to -ms.collection: highpri +ms.collection: highpri, tier2 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index 6ec6b46d6c..b8025d4dc9 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -1,6 +1,5 @@ --- title: Deploy Windows 10 with Microsoft 365 -ms.reviewer: manager: aaroncz ms.author: frankroj description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365. @@ -8,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.custom: seo-marvel-apr2020 ms.date: 11/23/2022 ms.technology: itpro-deploy --- 
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 309fe14ba0..5c8f6ce68d 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -7,8 +7,7 @@ ms.localizationpriority: medium
ms.prod: windows-client
author: frankroj
ms.topic: article
-ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.collection: highpri, tier2
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 23b36c4d59..94c3d4ad20 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -1,14 +1,12 @@
---
title: Add a Windows 10 operating system image using Configuration Manager
description: Operating system images are typically the production image used for deployment throughout the organization.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index feff4155ed..49a76b890d 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -1,14 +1,12 @@
---
title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index bc6f5f88b1..8c9f73f7e0 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -1,14 +1,12 @@
---
title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Configuration Manager.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
index dc5fff054b..95074a8b3d 100644
--- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -1,7 +1,6 @@
---
title: Create a task sequence with Configuration Manager (Windows 10)
description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 7a7d509012..8c8f05cc7c 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -1,8 +1,6 @@
---
title: Create an app to deploy with Windows 10 using Configuration Manager
description: Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
-ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index 6a0dd625b6..e3a76f89f8 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -1,7 +1,6 @@
---
title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
description: In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences.
-ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 581ec6010d..603cdd71f6 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -1,14 +1,12 @@
---
title: Finalize operating system configuration for Windows 10 deployment
description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 2fa98b5ab7..2cbc8a589e 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -1,7 +1,6 @@
---
title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index d87aff2989..2ea7c6d6a7 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,14 +1,12 @@
---
title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index dd75747e26..f2a38e6125 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,15 +1,12 @@
---
title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
description: In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager.
-ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
index db3236d549..9de18e31aa 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
@@ -1,14 +1,12 @@
---
title: Perform in-place upgrade to Windows 10 via Configuration Manager
description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Configuration Manager task sequence.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-deploy
ms.date: 10/27/2022
---
diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
index 80c99d9d57..1f8a403732 100644
--- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
@@ -1,7 +1,6 @@
---
title: Assign applications using roles in MDT (Windows 10)
description: This article will show you how to add applications to a role in the MDT database and then assign that role to a computer.
-ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index 043e8f7ab8..dbfe7666fd 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,8 +1,6 @@ --- title: Build a distributed environment for Windows 10 deployment (Windows 10) description: In this article, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. -ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index eb84fdcd77..36f7e1544c 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -1,7 +1,6 @@ --- title: Configure MDT deployment share rules (Windows 10) description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index 19adc65b02..443854bdd5 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md @@ -1,7 +1,6 @@ --- title: Configure MDT for UserExit scripts (Windows 10) description: In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client 
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index cfb17a3eee..167059f1e7 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,8 +1,6 @@ --- title: Configure MDT settings (Windows 10) description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. -ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index b26c222f91..7100f080ec 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -1,7 +1,6 @@ --- title: Create a Windows 10 reference image (Windows 10) description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index f92a6f30dc..8a735ec6c4 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
@@ -1,7 +1,6 @@ --- title: Deploy a Windows 10 image using MDT (Windows 10) description: This article will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client @@ -9,8 +8,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.date: 11/28/2022 --- diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index 73c2d4b629..757c32ec36 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -1,7 +1,6 @@ --- title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) description: This article will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client @@ -9,8 +8,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.date: 11/28/2022 --- diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index e5eb7ae010..bf1a4099cc 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md 
@@ -1,7 +1,6 @@ --- title: Prepare for deployment with MDT (Windows 10) description: This article will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client @@ -9,8 +8,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.date: 11/28/2022 --- diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index b38d0d58a8..23267929fa 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -1,7 +1,6 @@ --- title: Refresh a Windows 7 computer with Windows 10 (Windows 10) description: This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index b240a4f426..9983df7350 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md 
@@ -1,8 +1,6 @@ --- title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) description: In this article, you'll learn how to replace a Windows 7 device with a Windows 10 device. -ms.custom: seo-marvel-apr2020 -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index b8460e77a7..e08bd4f051 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -1,6 +1,5 @@ --- title: Set up MDT for BitLocker (Windows 10) -ms.reviewer: manager: aaroncz ms.author: frankroj description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. @@ -8,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.custom: seo-marvel-mar2020 ms.technology: itpro-deploy ms.date: 11/28/2022 --- diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index b9a293d1de..8c40be4dcd 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -1,7 +1,6 @@ --- title: Simulate a Windows 10 deployment in a test environment (Windows 10) description: This article will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client 
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 83c7037743..6c8c9c684a 100644 --- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -1,7 +1,6 @@ --- title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index 141bdd8589..c8e060d3cb 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -1,7 +1,6 @@ --- title: Use Orchestrator runbooks with MDT (Windows 10) description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 61bd481d35..ddb614d625 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md 
@@ -1,7 +1,6 @@ --- title: Use MDT database to stage Windows 10 deployment info (Windows 10) description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index 02770d5644..1a264d2ee7 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -1,7 +1,6 @@ --- title: Use web services in MDT (Windows 10) description: Learn how to create a web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 0a538f15f8..9276cbf7c4 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -1,14 +1,12 @@ --- title: Deploy Windows To Go in your organization (Windows 10) description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface and programatically with Windows PowerShell. -ms.reviewer: manager: aaroncz author: frankroj ms.author: frankroj ms.prod: windows-client ms.technology: itpro-deploy ms.topic: article -ms.custom: seo-marvel-apr2020 ms.date: 11/23/2022 --- diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index 6274640054..b72a595c2a 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md 
@@ -1,14 +1,12 @@ --- title: Deploy Windows 10 (Windows 10) description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment. -ms.reviewer: manager: aaroncz author: frankroj ms.author: frankroj ms.prod: windows-client ms.localizationpriority: medium ms.topic: article -ms.custom: seo-marvel-apr2020 ms.date: 11/23/2022 ms.technology: itpro-deploy --- diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index 49b08e601c..9bdd82e8d5 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -9,7 +9,8 @@ ms.localizationpriority: medium author: cmknox ms.author: carmenf ms.reviewer: mstewart -manager: naengler +manager: aaroncz +ms.collection: tier3 --- # Delivery Optimization and Microsoft Connected Cache content type endpoints diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index ef06dbd00a..bab58db796 100644 --- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md @@ -1,14 +1,15 @@ --- title: Using a proxy with Delivery Optimization -manager: dansimp +manager: aaroncz description: Settings to use with various proxy configurations to allow Delivery Optimization to work ms.prod: windows-client -author: carmenf +author: cmknox ms.localizationpriority: medium ms.author: carmenf ms.topic: article ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # Using a proxy with Delivery Optimization diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md index a7af3ce745..7ce46ef46c 100644 --- a/windows/deployment/do/delivery-optimization-test.md +++ b/windows/deployment/do/delivery-optimization-test.md 
@@ -1,5 +1,5 @@ --- -title: Testing Delivery Optimization +title: Testing Delivery Optimization description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different test scenarios. ms.date: 11/08/2022 ms.prod: windows-client @@ -9,7 +9,8 @@ ms.localizationpriority: medium author: cmknox ms.author: carmenf ms.reviewer: mstewart -manager: naengler +manager: aaroncz +ms.collection: tier3 --- # Testing Delivery Optimization diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index 5083d8f0da..2c4b6f9158 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -1,14 +1,15 @@ --- title: Delivery Optimization client-service communication explained -manager: dougeby +manager: aaroncz description: Details of how Delivery Optimization communicates with the server when content is requested to download. ms.prod: windows-client -author: carmenf +author: cmknox ms.localizationpriority: medium ms.author: carmenf ms.topic: article ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # Delivery Optimization client-service communication explained diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md index 5d80bf89fd..47fd869124 100644 --- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -3,13 +3,12 @@ title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diag manager: aaroncz description: Elixir images read me file ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: nidos ms.author: nidos ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +robots: noindex --- # Read Me 
diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md index 16badd2d4a..b0039d5c54 100644 --- a/windows/deployment/do/includes/get-azure-subscription.md +++ b/windows/deployment/do/includes/get-azure-subscription.md @@ -1,10 +1,10 @@ --- author: amymzhou ms.author: amyzhou -manager: dougeby +manager: aaroncz ms.date: 10/18/2022 -ms.prod: w10 -ms.collection: M365-modern-desktop +ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: include ms.localizationpriority: medium --- diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md index f90bc995e6..d264cc0f93 100644 --- a/windows/deployment/do/includes/mcc-prerequisites.md +++ b/windows/deployment/do/includes/mcc-prerequisites.md @@ -1,9 +1,9 @@ --- author: amyzhou ms.author: amyzhou -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: include ms.date: 11/09/2022 ms.localizationpriority: medium diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md index 5f75f6344a..0d11fcb79e 100644 --- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md +++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: include ms.date: 04/06/2022 ms.localizationpriority: medium diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index 8ba99b0ff9..7c057be789 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml 
@@ -9,8 +9,7 @@ metadata: ms.topic: landing-page ms.prod: windows-client ms.technology: itpro-updates - ms.collection: - - highpri + ms.collection: highpri, tier3 author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index d9eab5ddf8..7f45db43f3 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Appendix diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index 52b3515a34..b549733da5 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -1,6 +1,6 @@ --- title: Deploying your cache node -manager: dougeby +manager: aaroncz description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node ms.prod: windows-client author: amymzhou @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Deploying your cache node @@ -163,7 +164,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p 1. Enable nested virtualization: ```powershell - Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true + Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true ``` 1. Enable MAC spoofing: diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index 2e5773468b..f1a81788a0 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md 
@@ -1,6 +1,6 @@ --- title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education -manager: dougeby +manager: aaroncz description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. ms.prod: windows-client author: amymzhou @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Requirements of Microsoft Connected Cache for Enterprise and Education (early preview) diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md index 83882c952c..1a995a17cf 100644 --- a/windows/deployment/do/mcc-enterprise-update-uninstall.md +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -1,6 +1,6 @@ --- title: Update or uninstall Microsoft Connected Cache for Enterprise and Education -manager: dougeby +manager: aaroncz description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. ms.prod: windows-client author: amymzhou @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Update or uninstall Microsoft Connected Cache for Enterprise and Education diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md index 8d8bc76577..1ab223ec25 100644 --- a/windows/deployment/do/mcc-isp-cache-node-configuration.md +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Cache node configuration diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index 885330563a..7eecb4983c 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md 
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -8,6 +8,7 @@ ms.author: nidos ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Create, configure, provision, and deploy the cache node in Azure portal diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 07d8f242c0..1d912e7b10 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -5,8 +5,7 @@ metadata: author: amymzhou ms.author: amymzhou manager: aaroncz - ms.collection: - - highpri + ms.collection: highpri, tier3 ms.topic: faq ms.date: 09/30/2022 ms.prod: windows-client diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index f407f4d6cd..ca3e78f917 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -3,13 +3,12 @@ title: Operator sign up and service onboarding manager: aaroncz description: Service onboarding for Microsoft Connected Cache for ISP ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: nidos ms.author: nidos ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Operator sign up and service onboarding for Microsoft Connected Cache diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md index a10e0f5a63..5fb2e95dbe 100644 --- a/windows/deployment/do/mcc-isp-support.md +++ b/windows/deployment/do/mcc-isp-support.md @@ -3,12 +3,12 @@ title: Support and troubleshooting manager: aaroncz description: Troubleshooting issues for Microsoft Connected Cache for ISP ms.prod: windows-client -audience: itpro author: nidos ms.author: nidos ms.topic: reference ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Support and troubleshooting 
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md index 2e74cc5a44..0b9a530e78 100644 --- a/windows/deployment/do/mcc-isp-update.md +++ b/windows/deployment/do/mcc-isp-update.md @@ -3,13 +3,12 @@ title: Update or uninstall your cache node manager: aaroncz description: How to update or uninstall your cache node ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: amyzhou ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Update or uninstall your cache node diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md index 1e31838cd4..ebe7e20158 100644 --- a/windows/deployment/do/mcc-isp-verify-cache-node.md +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md @@ -2,14 +2,13 @@ title: Verify cache node functionality and monitor health and performance manager: aaroncz description: How to verify the functionality of a cache node -keywords: updates, downloads, network, bandwidth ms.prod: windows-client -audience: itpro author: amyzhou ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Verify cache node functionality and monitor health and performance diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 5bd6e00e83..e56fc1ef3a 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: reference ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # Enhancing cache performance diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 34b12c0d9b..27de31c9b1 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md 
@@ -10,6 +10,7 @@ ms.reviewer: carmenf manager: aaroncz ms.topic: how-to ms.date: 05/20/2022 +ms.collection: tier3 --- # Microsoft Connected Cache for Internet Service Providers (early preview) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 0827ee5979..cb916610f0 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -8,8 +8,7 @@ metadata: ms.author: carmenf manager: dougeby ms.technology: itpro-updates - ms.collection: - - highpri + ms.collection: highpri, tier3 ms.topic: faq ms.date: 08/04/2022 title: Delivery Optimization Frequently Asked Questions diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index c76958e4f8..ad50cecaaa 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -1,16 +1,15 @@ --- title: Delivery Optimization reference -ms.reviewer: -manager: dougeby +manager: aaroncz description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings. ms.prod: windows-client -author: carmenf +author: cmknox ms.localizationpriority: medium ms.author: carmenf ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # Delivery Optimization reference 
@@ -124,11 +123,11 @@ Download mode dictates which download sources clients are allowed to use when do | Download mode option | Functionality when set | | --- | --- | -| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | +| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source or a Microsoft Connected Cache server. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (**1 – Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.| | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. 
| | Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | +| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. | | Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. | > [!NOTE] 
@@ -248,7 +247,7 @@ Starting in Windows 10, version 1903, set this policy to delay the fallback from ### Minimum Background QoS -This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources . The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.** +This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.** ### Modify Cache Drive diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index a619d741c0..9fa907d90e 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -1,7 +1,7 @@ --- title: Set up Delivery Optimization description: In this article, learn how to set up Delivery Optimization. -author: carmenf +author: cmknox ms.author: carmenf ms.reviewer: mstewart manager: aaroncz @@ -10,6 +10,7 @@ ms.technology: itpro-updates ms.localizationpriority: medium ms.topic: how-to ms.date: 12/19/2022 +ms.collection: tier3 --- # Set up Delivery Optimization for Windows diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 8bcab9c5ee..0f88d16b68 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md 
@@ -1,15 +1,13 @@ --- title: What is Delivery Optimization? -manager: dougeby +manager: aaroncz description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11. ms.prod: windows-client -author: carmenf +author: cmknox ms.localizationpriority: medium ms.author: carmenf -ms.collection: - - highpri +ms.collection: tier3, highpri ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates ms.date: 12/31/2017 --- diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index dcfac57aad..3f99fd1880 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -3,12 +3,13 @@ title: Microsoft Connected Cache overview manager: aaroncz description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution. ms.prod: windows-client -author: carmenf +author: cmknox ms.localizationpriority: medium ms.author: carmenf ms.topic: article ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # Microsoft Connected Cache overview diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 9253808ee6..c3d46c8e64 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md 
@@ -3,13 +3,13 @@ title: Optimize Windows update delivery description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache. ms.prod: windows-client ms.localizationpriority: medium -author: aaroncz -ms.author: aaroncz -ms.reviewer: -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.topic: article ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # Optimize Windows update delivery diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 3239c88eeb..87d135c896 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md @@ -1,15 +1,15 @@ --- title: What's new in Delivery Optimization -manager: dougeby +manager: aaroncz description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11. ms.prod: windows-client -author: carmenf +author: cmknox ms.localizationpriority: medium ms.author: carmenf ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # What's new in Delivery Optimization diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 58bb72052d..5e9e859e17 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -9,8 +9,7 @@ metadata: ms.topic: landing-page ms.technology: itpro-apps ms.prod: windows-client - ms.collection: - - highpri + ms.collection: highpri, tier1 author: frankroj ms.author: frankroj manager: aaroncz diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index eb154e5d93..4caffd0228 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -8,8 +8,7 @@ ms.date: 11/23/2022 manager: aaroncz ms.localizationpriority: high ms.topic: article -ms.custom: seo-marvel-apr2020 -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-deploy --- 
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md index 4a758fcbc4..07cf3c224a 100644 --- a/windows/deployment/planning/act-technical-reference.md +++ b/windows/deployment/planning/act-technical-reference.md @@ -1,7 +1,6 @@ --- title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) description: The Microsoft Application Compatibility Toolkit (ACT) helps you see if the apps and devices in your org are compatible with different versions of Windows. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md index a66f84e71b..17ef12c6b3 100644 --- a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md +++ b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md @@ -1,7 +1,6 @@ --- title: Applying Filters to Data in the SUA Tool (Windows 10) description: Learn how to apply filters to results from the Standard User Analyzer (SUA) tool while testing your application. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md index 1d00068f16..4e03a9e206 100644 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md 
@@ -1,7 +1,6 @@ --- title: Available Data Types and Operators in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md index 64b214e0e5..07285db62e 100644 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md @@ -1,7 +1,6 @@ --- title: Best practice recommendations for Windows To Go (Windows 10) description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index 57500f6608..64ed4fae58 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -1,13 +1,11 @@ --- title: Compatibility Administrator User's Guide (Windows 10) -ms.reviewer: manager: aaroncz ms.author: frankroj description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows. ms.prod: windows-client author: frankroj ms.topic: article -ms.custom: seo-marvel-mar2020 ms.technology: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index e6aa979948..49fca85218 100644 
--- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -1,6 +1,5 @@ --- title: Compatibility Fix Database Management Strategies and Deployment (Windows 10) -ms.reviewer: manager: aaroncz ms.author: frankroj description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database. @@ -8,7 +7,6 @@ ms.prod: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.custom: seo-marvel-mar2020 ms.technology: itpro-deploy --- diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index 36d1893c70..79207612a8 100644 --- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -1,14 +1,12 @@ --- title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-deploy --- diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index 82a1bae472..18f1b3e14e 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md 
@@ -1,7 +1,6 @@ --- title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index 01691fdc5d..80892aa2d5 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md @@ -1,7 +1,6 @@ --- title: Create a Custom Compatibility Mode (Windows 10) description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md index 78bd540870..31f4cff7a1 100644 --- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md @@ -1,7 +1,6 @@ --- title: Create AppHelp Message in Compatibility Administrator (Windows 10) description: Create an AppHelp text message with Compatibility Administrator; a message that appears upon starting an app with major issues on the Windows® operating system. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client 
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 45096f66f5..e4cce0cd24 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -1,13 +1,11 @@ --- title: Deployment considerations for Windows To Go (Windows 10) description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index 6be90716a2..a6299026c3 100644 --- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -1,13 +1,11 @@ --- title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md index 8f65a9df75..a39866b132 100644 
--- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md +++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md @@ -1,7 +1,6 @@ --- title: Fixing Applications by Using the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index 4744b0559a..2cf46ee778 100644 --- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md @@ -1,7 +1,6 @@ --- title: Install/Uninstall Custom Databases (Windows 10) description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md index 99aae19234..9c90b3ca24 100644 --- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md 
@@ -1,7 +1,6 @@
 ---
 title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10)
 description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index a1328a53ce..5f5b94be3f 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -1,13 +1,11 @@
 ---
 title: Prepare your organization for Windows To Go (Windows 10)
-description: Though Windows To Go is no longer being developed, you can find info here about the "what", "why", and "when" of deployment.
-ms.reviewer:
+description: Though Windows To Go is no longer being developed, you can find info here about the what, why, and when of deployment.
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
index 05272344a0..826f2dfc4c 100644
--- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Searching for Fixed Applications in Compatibility Administrator (Windows 10)
 description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 5d49ad0b11..4c0f2e2689 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10)
 description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
index 6eeb930f19..b376163521 100644
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
@@ -1,7 +1,6 @@
 ---
 title: Security and data protection considerations for Windows To Go (Windows 10)
 description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
index e08401cc6b..25850695fc 100644
--- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
+++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Showing Messages Generated by the SUA Tool (Windows 10)
 description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md
index 2da3a82f9e..4f53104c76 100644
--- a/windows/deployment/planning/sua-users-guide.md
+++ b/windows/deployment/planning/sua-users-guide.md
@@ -1,8 +1,6 @@
 ---
 title: SUA User's Guide (Windows 10)
 description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature.
-ms.custom: seo-marvel-apr2020
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
index 4b809cd144..a2dff7087c 100644
--- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
@@ -1,7 +1,6 @@
 ---
 title: Tabs on the SUA Tool Interface (Windows 10)
 description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md
index 28f0233990..b2ff9f8850 100644
--- a/windows/deployment/planning/testing-your-application-mitigation-packages.md
+++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md
@@ -1,7 +1,6 @@
 ---
 title: Testing Your Application Mitigation Packages (Windows 10)
 description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
index fe304771ef..ee6976fca5 100644
--- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
+++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
@@ -1,7 +1,6 @@
 ---
 title: Understanding and Using Compatibility Fixes (Windows 10)
 description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
index 586884be61..cb156708b7 100644
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md
+++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Using the Compatibility Administrator Tool (Windows 10)
 description: This section provides information about using the Compatibility Administrator tool.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index 9ce7891647..f6e1a6fbee 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
 description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index 6e2479ed22..5b72bfbc4b 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Using the SUA Tool (Windows 10)
 description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index 5ce139085f..ce121c5440 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -1,7 +1,6 @@
 ---
 title: Using the SUA wizard (Windows 10)
 description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
index 88e06925c5..44cf622430 100644
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
 description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index 11fe1573d4..e444794da2 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -1,7 +1,6 @@
 ---
 title: Windows 10 compatibility (Windows 10)
 description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 09dbb881a7..2a900b672d 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -1,7 +1,6 @@ --- title: Windows 10 deployment considerations (Windows 10) description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 26aff43d39..7341f4b302 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -1,7 +1,6 @@ --- title: Windows 10 infrastructure requirements (Windows 10) description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index 5465e73df5..f9b22c70d2 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -1,15 +1,13 @@ --- title: Windows To Go feature overview (Windows 10) description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.date: 10/28/2022 --- diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 6263da1c9b..edf0aba102 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md 
@@ -7,7 +7,6 @@ manager: aaroncz author: frankroj ms.author: frankroj ms.topic: article -ms.custom: seo-marvel-apr2020 ms.date: 11/23/2022 ms.technology: itpro-deploy --- diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index d60d4df294..c73105ae1b 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md @@ -2,25 +2,12 @@ title: How to check Windows release health description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption. ms.date: 08/16/2022 -ms.author: v-nishmi -author: DocsPreview -manager: jren +ms.author: mstewart +author: mestew +manager: aaroncz ms.reviewer: mstewart ms.topic: how-to ms.prod: windows-client -localization_priority: medium -ms.custom: - - Adm_O365 - - 'O365P_ServiceHealthModern' - - 'O365M_ServiceHealthModern' - - 'O365E_ViewStatusServices' - - 'O365E_ServiceHealthModern' - - 'seo-marvel-apr2020' -search.appverid: - - MET150 - - MOE150 - - BCS160 - - IWA160 ms.technology: itpro-updates --- diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md index bc649af09d..0f0a693609 100644 --- a/windows/deployment/update/create-deployment-plan.md +++ b/windows/deployment/update/create-deployment-plan.md 
@@ -110,32 +110,3 @@ During the broad deployment phase, you should focus on the following activities: - Deploy to all devices in the organization. - Work through any final unusual issues that weren't detected in your Limited ring. - - -## Ring deployment planning - -Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We've combined many of these tasks, and more, into a single interface with Desktop Analytics. - - -[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Configuration Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to -make informed decisions about the readiness of your Windows devices. - -In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Configuration Manager can help you assess app compatibility with the latest -feature update. You can create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. - -> [!IMPORTANT] -> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity. 
- -### Deployment plan options - -There are two ways to implement a ring deployment plan, depending on how you manage your devices: - -- If you're using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans). -- If you're using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide). - -For more about Desktop Analytics, see these articles: - -- [How to set up Desktop Analytics](/mem/configmgr/desktop-analytics/set-up) -- [Tutorial: Deploy Windows 10 to Pilot](/mem/configmgr/desktop-analytics/tutorial-windows10) -- [Desktop Analytics documentation](/mem/configmgr/desktop-analytics/overview) -- [Intune deployment planning, design, and implementation guide](/mem/intune/fundamentals/planning-guide) diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md index d30f45fc12..5c884406fd 100644 --- a/windows/deployment/update/deploy-updates-intune.md +++ b/windows/deployment/update/deploy-updates-intune.md @@ -8,8 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md index 2063dfd073..d7608bf6f1 100644 --- a/windows/deployment/update/deployment-service-drivers.md +++ b/windows/deployment/update/deployment-service-drivers.md 
@@ -221,7 +221,7 @@ The following truncated response displays: ## Approve driver content for deployment -Each driver update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). Approve content for drivers and firmware by adding a [content approval](/graph/api/resources/windowsupdates-contentapproval) for the catalog entry to an existing policy. Content approval is a [compliance change](/graph/api/resources/windowsupdates-compliance) for the policy. +Each driver update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). Approve content for drivers and firmware by adding a [content approval](/graph/api/resources/windowsupdates-contentapproval) for the catalog entry to an existing policy. Content approval is a [compliance change](/graph/api/resources/windowsupdates-compliancechange) for the policy. > [!IMPORTANT] > Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for the content approval will be combined with the existing [update policy's](#create-an-update-policy) deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used. 
@@ -277,7 +277,7 @@ Review all of the compliance changes to a policy with the most recent changes li ``` > [!TIP] - > There should only be one **Compliance Change ID** per **Catalog ID** for a policy. If there are multiple **Compliance Change IDs** for the same **Catalog ID** then, most likely, there's multiple deployments for the same piece of content targeted to the same audience but with different deployment behaviors. To remove the duplicate, [delete the compliance change](/graph/api/resources/windowsupdates-compliancechange-delete) with the duplicate **Catalog ID**. Deleting the compliance change will mark any deployments created by the approval as `archived`. + > There should only be one **Compliance Change ID** per **Catalog ID** for a policy. If there are multiple **Compliance Change IDs** for the same **Catalog ID** then, most likely, there's multiple deployments for the same piece of content targeted to the same audience but with different deployment behaviors. To remove the duplicate, [delete the compliance change](/graph/api/windowsupdates-compliancechange-delete) with the duplicate **Catalog ID**. Deleting the compliance change will mark any deployments created by the approval as `archived`. To retrieve the deployment ID, use the [expand parameter](/graph/query-parameters#expand-parameter) to review the deployment information related the content approval. The following example displays the content approval and the deployment information for **Compliance Change ID** `c03911a7-9876-5432-10ab-cdef98765432` in update **Policy ID** `9011c330-1234-5678-9abc-def012345678`: 
@@ -287,7 +287,7 @@ To retrieve the deployment ID, use the [expand parameter](/graph/query-parameter ### Edit deployment settings for a content approval -Since content approval is a compliance change for the policy, when you [update a content approval](/graph/api/resources/windowsupdates--contentapproval-update), you're editing the compliance change for the policy. The following example changes the `startDateTime` for the **Compliance Change ID** of `c03911a7-9876-5432-10ab-cdef98765432` in the update **Policy ID** `9011c330-1234-5678-9abc-def012345678` to February 28, 2023 at 5 AM UTC: +Since content approval is a compliance change for the policy, when you [update a content approval](/graph/api/windowsupdates-contentapproval-update), you're editing the compliance change for the policy. The following example changes the `startDateTime` for the **Compliance Change ID** of `c03911a7-9876-5432-10ab-cdef98765432` in the update **Policy ID** `9011c330-1234-5678-9abc-def012345678` to February 28, 2023 at 5 AM UTC: ```msgraph-interactive PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432 
@@ -304,11 +304,9 @@ content-type: application/json } ``` - ## Revoke content approval -Approval for content can be revoked by setting the `isRevoked` property of the [compliance change](/graph/api/resources/windowsupdates-compliance) to true. This setting can be changed while a deployment is in progress. However, revoking will only prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new [approval](#approve-driver-content-for-deployment) will need to be created. - +Approval for content can be revoked by setting the `isRevoked` property of the [compliance change](/graph/api/resources/windowsupdates-compliancechange) to true. This setting can be changed while a deployment is in progress. However, revoking will only prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new [approval](#approve-driver-content-for-deployment) will need to be created. ```msgraph-interactive PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432 diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md index e2f45c2ee4..ad489103a6 100644 --- a/windows/deployment/update/deployment-service-prerequisites.md +++ b/windows/deployment/update/deployment-service-prerequisites.md 
@@ -59,7 +59,7 @@ When you use [Windows Update for Business reports](wufb-reports-overview.md) in ## Permissions -- [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) +- [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) - Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have the permissions. > [!NOTE] diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md index 563163371b..23bbb2b2d9 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium The following permissions are needed for the queries listed in this article: -- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations. +- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations. - At least [Device.Read.All](/graph/permissions-reference#device-permissions) permission to display [device](/graph/api/resources/device) information. Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have these permissions. 
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md index ca1b4d103a..3b19cd934d 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium --- -For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/windowsupdates-updates?view=graph-rest-beta&preserve-view=true) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/overview). +For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/adminwindowsupdates) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/graph-explorer-overview). > [!WARNING] > diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md index cd8a433ab6..37caa47a4d 100644 --- a/windows/deployment/update/includes/wufb-reports-recommend.md +++ b/windows/deployment/update/includes/wufb-reports-recommend.md 
@@ -12,4 +12,4 @@ ms.localizationpriority: medium > [!Important] > - Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). -> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/deployment/update/windows-diagnostic-data-processor-changes). +> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data). diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md index 4d7cf5c662..b25c48f947 100644 --- a/windows/deployment/update/plan-determine-app-readiness.md +++ b/windows/deployment/update/plan-determine-app-readiness.md 
@@ -63,15 +63,3 @@ There is more than one way to choose devices for app validation: - **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles. - **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems. - **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices. - - -### Desktop Analytics - -Desktop Analytics can make all of the tasks discussed in this article significantly easier: - -- Creating and maintaining an application and device inventory -- Assign owners to applications for testing -- Automatically apply your app classifications (critical, important, not important) -- Automatically identify application compatibility risks and provide recommendations for reducing those risks - -For more information, see [What is Desktop Analytics?](/mem/configmgr/desktop-analytics/overview) diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index 7d787fbeda..a6c241bac8 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -97,7 +97,7 @@ Enable update services on devices. Ensure that every device is running all the s - Windows Update - Windows Update Medic Service -You can check these services manually by using Services.msc, or by using PowerShell scripts, Desktop Analytics, or other methods. +You can check these services manually by using Services.msc, or by using PowerShell scripts, or other methods. ### Network configuration 
@@ -125,7 +125,7 @@ Set up [Delivery Optimization](../do/waas-delivery-optimization.md) for peer net ### Address unhealthy devices -In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems. +In the course of surveying your device population, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems. - **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later (and Windows 11) you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files: 
@@ -160,7 +160,7 @@ You can also create and run scripts to perform additional cleanup actions on dev net start msiserver ``` -- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues. +- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues. - **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component-Based Store from another source. You can fix the problem with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system). diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index 7d3d501e00..7bb8cf8dca 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -8,8 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index a74559df0f..a7a6c5b72e 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -6,8 +6,7 @@ author: mestew ms.localizationpriority: high ms.author: mstewart manager: aaroncz -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.topic: article ms.technology: itpro-updates ms.date: 12/31/2017 diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 14c94f5341..aab7607865 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -33,7 +33,7 @@ This article is specifically targeted at configuring devices enrolled to [Micros Take the following steps to create a configuration profile that will set required policies for Update Compliance: -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**. 1. On the **Configuration profiles** view, select **Create a profile**. 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". 1. For **Template name**, select **Custom**, and then press **Create**. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 693f8b440d..a7272569b6 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -6,8 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.topic: article ms.date: 05/03/2022 ms.technology: itpro-updates 
@@ -56,7 +55,6 @@ Update Compliance is offered as an Azure Marketplace application that is linked 1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/). The solution was published by Microsoft and named **WaaSUpdateInsights**. 2. Select **Get it now**. 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. - - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance. - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance. 4. After your workspace is configured and selected, select **Create**. You'll receive a notification when the solution has been successfully created. @@ -125,9 +123,5 @@ Once you've added Update Compliance to a workspace in your Azure subscription, y After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. -### Update Compliance and Desktop Analytics - -If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), you must use the same Log Analytics workspace for both solutions. - 
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index a3f6cdf2a8..5de1f980ef 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 02/28/2023 --- # Configure Windows Update for Business @@ -27,7 +27,7 @@ ms.date: 12/31/2017 > [!NOTE] > Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/). -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). 
@@ -35,7 +35,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi ## Start by grouping devices -By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. +By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). 
@@ -68,7 +68,7 @@ Starting with Windows 10, version 1703, users can configure the branch readiness After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. -For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. +For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` won't install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.

    @@ -86,7 +86,7 @@ For example, a device on the General Availability Channel with `DeferFeatureUpda ## Pause feature updates -You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. +You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. 
@@ -107,7 +107,7 @@ In cases where the pause policy is first applied after the configured start date You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) won't reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | @@ -119,7 +119,7 @@ The local group policy editor (GPEdit.msc) will not reflect whether the feature >If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: -- Any active restart notification are cleared or closed. +- Any active restart notifications are cleared or closed. - Any pending restarts are canceled. - Any pending update installations are canceled. - Any update installation running when pause is activated will attempt to roll back. 
@@ -164,7 +164,7 @@ In cases where the pause policy is first applied after the configured start date You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) won't reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | 
@@ -176,10 +176,10 @@ The local group policy editor (GPEdit.msc) will not reflect whether the quality >If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: -- Any active restart notification are cleared or closed +- Any active restart notifications are cleared or closed - Any pending restarts are canceled - Any pending update installations are canceled -- Any update installation running when pause is activated will attempt to rollback +- Any update installation running when pause is activated will attempt to roll back ## Configure when devices receive Windows Insider Preview builds @@ -201,7 +201,7 @@ The policy settings to **Select when feature updates are received** allows you t ## Exclude drivers from quality updates -Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete. +Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy won't apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete. **Policy settings to exclude drivers** @@ -210,6 +210,21 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving | GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | | MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +## Enable features introduced via servicing that are off by default + + +New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. + +The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them. + +**Policy settings to enable features introduced via servicing that are off by default** + +| Policy | Sets registry key under HKLM\Software | +| --- | --- | +| GPO for Windows 11, version 22H2 and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | +| MDM for Windows 11, version 22H2 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl | + + ## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later. @@ -218,26 +233,28 @@ The following are quick-reference tables of the supported policy values for Wind | GPO Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD | 2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
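Review bot: The GPO row of the new "Policy settings to enable features introduced via servicing that are off by default" table points at the wrong registry value: it lists `\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate`, which is the driver-exclusion value copied from the table just above, while the MDM row in the same table and the GPO quick-reference table in the following hunk both name `AllowTemporaryEnterpriseFeatureControl`. An administrator who reads this row and sets the key by hand would toggle driver exclusion rather than the feature-control policy, so the cell should read `\Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl`. The two blank `+` lines before and after the new section could also be reduced to one each to match the spacing used elsewhere in the file.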
    4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)

    Other value or absent: receive all applicable updates | -| DeferQualityUpdates | REG_DWORD | 1: defer quality updates
    Other value or absent: don’t defer quality updates | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | -|DeferFeatureUpdates | REG_DWORD | 1: defer feature updates
    Other value or absent: don’t defer feature updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartTime | REG_DWORD |1: pause feature updates
    Other value or absent: don’t pause feature updates | -| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
    Other value or absent: offer Windows Update drivers | +| AllowTemporaryEnterpriseFeatureControl

    *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.
    Other value or absent: Features that are shipped turned off by default will remain off | +| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast
    4: Systems take feature updates for the Windows Insider build - Slow
    8: Systems take feature updates for the Release Windows Insider build

    Other value or absent: Receive all applicable updates | +| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates
    Other value or absent: Don't defer feature updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days | +| DeferQualityUpdates | REG_DWORD | 1: Defer quality updates
    Other value or absent: Don't defer quality updates | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days | +| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers
    Other value or absent: Offer Windows Update drivers | +| PauseFeatureUpdatesStartTime | REG_DWORD |1: Pause feature updates
    Other value or absent: Don't pause feature updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: Pause quality updates
    Other value or absent: Don't pause quality updates | **MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update** | MDM Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD |2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
    4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)
    32: systems take feature updates from General Availability Channel
    Note: Other value or absent: receive all applicable updates | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartTime | REG_DWORD | 1: pause feature updates
    Other value or absent: don’t pause feature updates | -| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
    Other value or absent: offer Windows Update drivers | +| AllowTemporaryEnterpriseFeatureControl

    *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.
    Other value or absent: Features that are shipped turned off by default will remain off | +| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast
    4: Systems take feature updates for the Windows Insider build - Slow
    8: Systems take feature updates for the Release Windows Insider build
    32: Systems take feature updates from General Availability Channel
    Note: Other value or absent: Receive all applicable updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days | +| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers
    Other value or absent: Offer Windows Update drivers | +| PauseFeatureUpdatesStartTime | REG_DWORD | 1: Pause feature updates
    Other value or absent: Don't pause feature updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: Pause quality updates
    Other value or absent: Don't pause quality updates | ## Update devices to newer versions @@ -245,7 +262,7 @@ Due to the changes in Windows Update for Business, Windows 10, version 1607 uses ### How older version policies are respected on newer versions -When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. +When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these aren't present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. ### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703 diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 1257d066aa..231671f5d7 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: mstewart manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index dfe5a33f26..2cd41a5831 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md 
@@ -7,7 +7,7 @@ author: mestew ms.localizationpriority: medium ms.author: mstewart ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index 84840a0222..641b7046a9 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -3,7 +3,6 @@ title: Windows as a service news & resources description: The latest news for Windows as a service with resources to help you learn more about them. ms.prod: windows-client ms.topic: article -ms.manager: elizapo author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index dd9bc872b4..184b4e1c7a 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: mstewart manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 12/31/2017 --- 
@@ -41,11 +41,7 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi ### Application compatibility -Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. - - -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](/mem/configmgr/desktop-analytics/ready-for-windows). - +Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. ## Servicing diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 4ff1d88197..ea9726a38e 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md 
@@ -7,8 +7,7 @@ ms.localizationpriority: medium ms.author: mstewart manager: aaroncz ms.topic: article -ms.collection: highpri -date: 09/22/2022 +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 6bcdbc9cde..19c313af57 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -7,20 +7,14 @@ author: mestew ms.author: mstewart manager: aaroncz ms.topic: article -ms.collection: highpri -date: 09/22/2022 +ms.collection: highpri, tier2 ms.technology: itpro-updates -ms.date: 01/06/2023 +ms.date: 03/09/2023 --- # Manage additional Windows Update settings - -**Applies to** - -- Windows 10 -- Windows 11 - +***(Applies to: Windows 11 & Windows 10)*** > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -38,7 +32,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All | | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 | | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All | -| | [Windows Update notifications display organization name](#bkmk_display-name)

    *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered | +| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications)

    *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered | >[!IMPORTANT] >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**. @@ -256,7 +250,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS). -## Display organization name in Windows Update notifications +## Display organization name in Windows Update notifications When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11. diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md index 1d1bbb1115..fbbb54d9b6 100644 --- a/windows/deployment/update/waas-wufb-csp-mdm.md +++ b/windows/deployment/update/waas-wufb-csp-mdm.md @@ -1,6 +1,6 @@ --- title: Configure Windows Update for Business by using CSPs and MDM -description: Walk-through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM. +description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM. ms.prod: windows-client author: mestew ms.localizationpriority: medium 
@@ -8,7 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 02/28/2023 --- # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business @@ -16,8 +16,8 @@ ms.date: 12/31/2017 **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
@@ -42,9 +42,9 @@ You can control when updates are applied, for example by deferring when an updat Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device. -To enable Microsoft Updates use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice). +To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice). -Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate). +Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate). We also recommend that you allow Microsoft product updates as discussed previously. 
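Review bot: The rewritten sentence keeps the misspelled link text `Update/AllwMUUpdateService`; the anchor in the same link reads `update-allowmuupdateservice`, so the visible policy name should be `[Update/AllwMUUpdateService]` → `[Update/AllowMUUpdateService]` to match the CSP. Leaving the typo in place makes the policy harder to find by search and copy-paste.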
@@ -52,17 +52,17 @@ Drivers are automatically enabled because they are beneficial to device systems.
 #### I want to receive pre-release versions of the next feature update
-1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
+1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
 1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
 1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.
-1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you are testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
+1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
 #### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
 - To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
 - To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
@@ -99,7 +99,7 @@ At this point, the IT administrator can set a policy to pause the update. In thi
 ![illustration of rings with pause quality update check box selected.](images/waas-wufb-pause.png)
-Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
+Now all devices are paused from updating for 35 days. When the pause is removed, they'll be offered the *next* quality update, which ideally won't have the same issue. If there's still an issue, the IT admin can pause updates again.
@@ -156,7 +156,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
- - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
+ - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:
 ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
@@ -174,7 +174,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
 **0** (default) – Use the default Windows Update notifications
    **1** – Turn off all notifications, excluding restart warnings
@@ -194,4 +194,16 @@ When you disable this setting, users will see **Some settings are managed by you
 If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
+#### I want to enable features introduced via servicing that are off by default
+
+(*Starting in Windows 11, version 22H2 or later*)
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+
+The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
+
+ You can enable these features by using [AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol). The following options are available:
+
+- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
+ - When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
+- **1** - Not allowed. Features that are shipped turned off by default will remain off
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 286ed2119c..7c7b83dcd3 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,16 +1,15 @@
 ---
 title: Configure Windows Update for Business via Group Policy
-description: Walk-through demonstration of how to configure Windows Update for Business settings using Group Policy.
+description: Walk through of how to configure Windows Update for Business settings using Group Policy.
 ms.prod: windows-client
 author: mestew
 ms.localizationpriority: medium
 ms.author: mstewart
-ms.collection:
- - highpri
+ms.collection: highpri, tier2
 manager: aaroncz
 ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.date: 02/28/2023
 ---
 # Walkthrough: Use Group Policy to configure Windows Update for Business
@@ -25,7 +24,7 @@ ms.date: 12/31/2017
 ## Overview
-You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information.
+You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. For more information, see [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information.
 An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**.
@@ -53,7 +52,7 @@ Follow these steps on a device running the Remote Server Administration Tools or
 5. Right-click the **"Windows Update for Business - Group 1"** object, and then select **Edit**.
-6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices.
+6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You're now ready to start assigning policies to this ring (group) of devices.
 ## Manage Windows Update offerings
@@ -64,9 +63,9 @@ You can control when updates are applied, for example by deferring when an updat
 Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
-To enable Microsoft Updates use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**.
+To enable Microsoft Updates, use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**.
-Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
+Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
 We also recommend that you allow Microsoft product updates as discussed previously.
@@ -74,7 +73,7 @@ Drivers are automatically enabled because they are beneficial to device systems.
 #### I want to receive pre-release versions of the next feature update
-1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
+1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release and receive emails and content related to what is coming in the next updates.
 2. Use Group Policy Management Console to go to: **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage preview builds** and set the policy to **Enable preview builds** for any of test devices you want to install pre-release builds.
@@ -84,18 +83,18 @@ Drivers are automatically enabled because they are beneficial to device systems.
 #### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
 - To defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and feature updates are Received**
 - Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received**
 #### Example
-In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
+In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of 10 days.
 :::image type="content" alt-text="illustration of devices divided into three rings." source="images/waas-wufb-3-rings.png" lightbox="images/waas-wufb-3-rings.png":::
-When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
+When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
 ##### Five days later
 The devices in the fast ring are offered the quality update the next time they scan for updates.
@@ -103,11 +102,11 @@ The devices in the fast ring are offered the quality update the next time they s
 :::image type="content" alt-text="illustration of devices with fast ring deployed." source="images/waas-wufb-fast-ring.png" lightbox="images/waas-wufb-fast-ring.png":::
 ##### Ten days later
-Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
+Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.
 :::image type="content" alt-text="illustration of devices with slow ring deployed." source="images/waas-wufb-slow-ring.png" lightbox="images/waas-wufb-slow-ring.png":::
-If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
+If no problems occur, all of the devices that scan for updates will be offered the quality update within 10 days of its release, in three waves.
 ##### What if a problem occurs with the update?
@@ -119,13 +118,13 @@ At this point, the IT administrator can set a policy to pause the update. In thi
 :::image type="content" alt-text="illustration of rings with pause quality update check box selected." source="images/waas-wufb-pause.png" lightbox="images/waas-wufb-pause.png":::
-Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
+Now all devices are paused from updating for 35 days. When the pause is removed, they'll be offered the *next* quality update, which ideally won't have the same issue. If there's still an issue, the IT admin can pause updates again.
 #### I want to stay on a specific version
-If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version, use the **Select the target feature update version** setting instead of using the **Specify when Preview Builds and feature updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.
+If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version, use the **Select the target feature update version** setting instead of using the **Specify when Preview Builds and feature updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it's 60 days past end of service for its edition.
-When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect.
+When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device won't receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals won't be in effect.
 ### Manage how users experience updates
@@ -135,7 +134,7 @@ We recommend that you allow to update automatically--this is the default behavio
 For more granular control, you can set the maximum period of active hours the user can set with **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart**.
-It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**.
+It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**.
 To update outside of the active hours, you don't need to set any additional settings: simply don't disable automatic restarts. For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Auto download and schedule the install**. You can customize this setting to accommodate the time that you want the update to be installed for your devices.
@@ -145,7 +144,7 @@ When you set these policies, installation happens automatically at the specified
 We recommend that you use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts** for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart.
-This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
+This policy also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
 These notifications are what the user sees depending on the settings you choose:
@@ -159,7 +158,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
- - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
+ - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:
 ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
@@ -177,7 +176,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
 **0** (default) - Use the default Windows Update notifications
    **1** - Turn off all notifications, excluding restart warnings
    
@@ -192,9 +191,24 @@ Still more options are available in **Computer Configuration > Administrative Te
 #### I want to manage the update settings a user can access
-Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
+Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
 Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates**. When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
 If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**.
+
+#### I want to enable features introduced via servicing that are off by default
+
+(*Starting in Windows 11, version 22H2 or later*)
+
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+
+The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
+
+ You can enable these features by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > Enable features introduced via servicing that are off by default**. The following options are available:
+
+- **Enabled**: All features in the latest monthly cumulative update are enabled.
+ - When the policy is set to **Enabled**, all features that are currently turned off will turn on when the device next reboots
+- **Disabled** - Features that are shipped turned off by default will remain off
+- **Not configured** - Features that are shipped turned off by default will remain off
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 9ce2940f5d..078c5cb3e0 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -2,7 +2,6 @@
 title: Windows as a service
 ms.prod: windows-client
 ms.topic: article
-ms.manager: dougeby
 author: mestew
 ms.author: mstewart
 description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization.
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index d1fc86d90c..0f3dcb78bb 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -6,7 +6,7 @@ author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-updates
 ms.date: 12/31/2017
 ---
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index 1f773ef7d8..eb4aec825a 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -7,7 +7,7 @@ author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
-ms.date: 12/22/2022
+ms.date: 03/08/2023
 ms.technology: itpro-updates
 ---
@@ -22,7 +22,8 @@ This article is targeted at configuring devices enrolled to [Microsoft Intune](/
 1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Windows Update for Business reports](wufb-reports-use.md).
 > [!TIP]
-> If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
+> - If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
+> - Intune provides compliance reports and they have their own prerequisites for use. The number of devices that appear in the Intune reports may also vary from the Windows Update for Business reports. For more information, see [Intune compliance reports for updates](/mem/intune/protect/windows-update-compliance-reports).
 ## Create a configuration profile
@@ -32,69 +33,77 @@ Create a configuration profile that will set the required policies for Windows U ### Settings catalog -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**. 1. On the **Configuration profiles** view, select **Create profile**. -1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**. -1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. -1. On the **Configuration settings** page, you'll be adding multiple settings from the **System** category. Using the **Settings picker**, select the **System** category, then add the following settings and values: - 1. Required settings for Windows Update for Business reports: - - **Setting**: Allow Commercial Data Pipeline - - **Value**: Enabled - - **Setting**: Allow Telemetry - - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*) - - **Setting**: Allow Update Compliance Processing - - **Value**: Enabled - 1. 
Recommended settings, but not required: - - **Setting**: Configure Telemetry Opt In Settings Ux - - **Value**: Disabled (*By turning this setting on you are disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports*) - - **Setting**: Configure Telemetry Opt In Change Notification - - **Value**: Disabled (*By turning this setting on you are disabling notifications of diagnostic data changes*) - - **Setting**: Allow device name to be sent in Windows diagnostic data (*If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports*) +1. Select the following options, then select **Create** when you're done: + - **Platform**: Windows 10 and later + - **Profile type**: Settings Catalog +1. You're now on the Configuration profile creation page. On the **Basics** tab, provide a **Name** and **Description** for the profile. +1. On the **Configuration settings** page, you'll add multiple settings from the **System** category. Using the **Settings picker**, select the **System** category. +1. Add the following required settings and values the **System** category: + - **Setting**: Allow Telemetry + - **Value**: Basic + - Basic is the minimum value, but it can be safely set to a higher value. Basic is also known as required diagnostic data. + +1. Add the following recommended settings and values from the **System** category: + > [!Note] + > These settings aren't required, but they're recommended to ensure that users of the device cannot override the diagnostic data level of the device. + - **Setting**: Configure Telemetry Opt In Settings Ux + - **Value**: Disabled + - By turning this setting on, you're disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports. 
+ + - **Setting**: Configure Telemetry Opt In Change Notification + - **Value**: Disabled + - By turning this setting on, you're disabling notifications of diagnostic data changes. + + - **Setting**: Allow device name to be sent in Windows diagnostic data - **Value**: Allowed + - If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports. 1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. 1. Review the settings and then select **Create**. ### Custom OMA URI-based profile -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**. 1. On the **Configuration profiles** view, select **Create profile**. -1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". -1. For **Template name**, select **Custom**, and then select **Create**. -1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. Select the following options, then select **Create** when you're done: + - **Platform**:Windows 10 and later + - **Profile type**: Templates + - **Template name**: Custom +1. You're now on the Configuration profile creation screen. On the **Basics** tab, provide a **Name** and **Description**. 1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md). - 1. 
Add a setting to **Allow commercial data pipeline**; this policy is required for Windows Update for Business reports: - - **Name**: Allow commercial data pipeline - - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` - - **Data type**: Integer - - **Value**: 1 + **Required settings**: + 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Windows Update for Business reports. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` - **Data type**: Integer - - **Value**: 1 (*1 is the minimum value meaning basic, but it can be safely set to a higher value*). - 1. Add a setting to **Allow Update Compliance processing**; this policy is required for Windows Update for Business reports: - - **Name**: Allow Update Compliance Processing - - **Description**: Opts device data into Update Compliance processing. Required to see data. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` - - **Data type**: Integer - - **Value**: 16 - 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports: + - **Value**: 1 + - *1 is the minimum value meaning required or basic diagnostic data, but it can be safely set to a higher value.* + + **Recommended settings, but not required**: + + 1. Add settings for **Disabling devices' Diagnostic Data opt-in settings interface**. 
If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports: - **Name**: Disable Telemetry opt-in interface - **Description**: Disables the ability for end users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` - **Data type**: Integer - **Value**: 1 - 1. (*Recommended, but not required*) Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Windows Update for Business reports: + 1. Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Windows Update for Business reports: - **Name**: Allow device name in Diagnostic Data - **Description**: Allows device name in Diagnostic Data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - **Data type**: Integer - **Value**: 1 - + 1. Add a setting to **Configure Telemetry Opt In Change Notification**. Diagnostic data opt-in change notifications won't appear when changes occur. + - **Name**: Configure Telemetry Opt In Change Notification + - **Description**: Disables Telemetry Opt In Change Notification + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification` + - **Data type**: Integer + - **Value**: 1 1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. 1. Review the settings and then select **Create**. diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md index 0ee8a75bb0..1d156ad5b7 100644 --- a/windows/deployment/update/wufb-reports-configuration-manual.md 
+++ b/windows/deployment/update/wufb-reports-configuration-manual.md 
@@ -36,25 +36,23 @@ Windows Update for Business reports has a number of policies that must be approp Each MDM Policy links to its documentation in the configuration service provider (CSP) hierarchy, providing its exact location in the hierarchy and more details. -| Policy | Data type | Value | Function | -|--------------------------|-|-|------------------------------------------------------------| -|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | -|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | -|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. | -| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Windows Update for Business report's data processing system and indicates a device's explicit enrollment to the service. 
| -| **System/**[AllowCommercialDataPipeline](/windows/client-management/mdm/policy-csp-system#system-allowcommercialdatapipeline) | Integer | 1 - Enabled | Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. | +| Policy | Data type | Value | Function | Required or recommended| +|---|---|---|---|---| +|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | Required | +|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | Recommended | +|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. | Recommended | +| **System/**[**ConfigureTelemetryOptInChangeNotification**](/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinchangenotification) | Integer | 1 - Disabled | Disables user notifications that appear for changes to the diagnostic data level. 
| Recommended | ### Group policies All Group policies that need to be configured for Windows Update for Business reports are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below. -| Policy | Value | Function | -|---------------------------|-|-----------------------------------------------------------| -|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the **Configure telemetry opt-in setting user interface**. | -|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | -|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. | -|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Windows Update for Business report's data processing system and indicates a device's explicit enrollment to the service. | -| **Allow commercial data pipeline** | 1 - Enabled | Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. 
| +| Policy | Value | Function | Required or recommended| +|---|---|---|---| +|**Allow Diagnostic Data** | Send required diagnostic data (minimum) | Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the **Configure diagnostic data opt-in setting user interface**. | Required | +|**Configure diagnostic data opt-in setting user interface** | Disable diagnostic data opt in settings | Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | Recommended | +|**Allow device name to be sent in Windows diagnostic data** | Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. | Recommended | +|**Configure diagnostic data opt-in change notifications** | Disable diagnostic data change notifications | Disables user notifications that appear for changes to the diagnostic data level. | Recommended | ## Required endpoints diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index 7feb6b10b2..3196b89771 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md 
@@ -76,3 +76,7 @@ The policy can be configured using the following two methods: - [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature) - [Update/SetPolicyDrivenUpdateSourceForOtherUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforother) - [Update/SetPolicyDrivenUpdateSourceForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforquality) + + > [!NOTE] +> Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be alterred.
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 2e9259fece..60af41b984 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -3,12 +3,11 @@ title: Log files and resolving upgrade errors
 manager: aaroncz
 ms.author: frankroj
 description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process.
-ms.custom: seo-marvel-apr2020
 ms.prod: windows-client
 author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 6db2339eda..62aa926553 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -3,12 +3,11 @@ title: SetupDiag
 manager: aaroncz
 ms.author: frankroj
 description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
-ms.custom: seo-marvel-apr2020
 ms.prod: windows-client
 author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 2f48ed28eb..5bd00dddf7 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -1,6 +1,5 @@
 ---
 title: Submit Windows 10 upgrade errors using Feedback Hub
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 description: Download the Feedback Hub app, and then submit Windows 10 upgrade errors for diagnosis using feedback hub.
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 2fdbd0beea..a49e89b8ed 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index eff1786ff2..7e8b1b574e 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index ece3ab44a0..57c9590028 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -1,6 +1,5 @@
 ---
 title: Windows error reporting - Windows IT Pro
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup.
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index d197dc65f1..9d45ea81e3 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -1,7 +1,6 @@
 ---
 title: Windows Upgrade and Migration Considerations (Windows 10)
 description: Discover the Microsoft tools you can use to move files and settings between installations including special considerations for performing an upgrade or migration.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index d9550203d8..b550aa4d52 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) - Getting Started (Windows 10)
 description: Plan, collect, and prepare your source computer for migration using the User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 677f59ca0c..f8c2dded9b 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Migrate Application Settings (Windows 10)
 description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 9059505be0..25d04bc4c2 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -1,7 +1,6 @@
 ---
 title: Migration Store Types Overview (Windows 10)
 description: Learn about the migration store types and how to determine which migration store type best suits your needs.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 390cc4ad37..c4c1311fb0 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -1,7 +1,6 @@
 ---
 title: Offline Migration Reference (Windows 10)
 description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 64fe549a96..d39b9bf79e 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -1,7 +1,6 @@
 ---
 title: Understanding Migration XML Files (Windows 10)
 description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index cebdc6bf49..d36ddbbc92 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -1,8 +1,6 @@
 ---
 title: USMT Best Practices (Windows 10)
 description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
-ms.custom: seo-marvel-apr2020
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 72982b364a..ab33c29403 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -1,7 +1,6 @@
 ---
 title: Choose a Migration Store Type (Windows 10)
 description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in your organization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index d7332ed880..55cfe5e69c 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
 description: Learn about the User State Migration Tool (USMT) command-line syntax for using the ScanState tool, LoadState tool, and UsmtUtils tool.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 4f68b4b46e..183565827a 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -1,7 +1,6 @@
 ---
 title: Common Migration Scenarios (Windows 10)
 description: See how the User State Migration Tool (USMT) 10.0 is used when planning hardware and/or operating system upgrades.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index 96846a8e88..a144f93cd4 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -1,7 +1,6 @@
 ---
 title: Config.xml File (Windows 10)
 description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index e12ed6ff62..b3c5c22025 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -1,7 +1,6 @@
 ---
 title: Conflicts and Precedence (Windows 10)
 description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 88db104333..73cf61e887 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -1,7 +1,6 @@
 ---
 title: Custom XML Examples (Windows 10)
 description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the My Videos folder.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 9b4a91454c..7964757619 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -1,7 +1,6 @@
 ---
 title: Customize USMT XML Files (Windows 10)
 description: Learn how to customize USMT XML files. Also, learn about the migration XML files that are included with USMT.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index ed6b5bc177..67138078a2 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -1,7 +1,6 @@
 ---
 title: Determine What to Migrate (Windows 10)
 description: Determine migration settings for standard or customized for the User State Migration Tool (USMT) 10.0.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index 2e1ddfc773..e994e3640b 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -1,7 +1,6 @@
 ---
 title: Estimate Migration Store Size (Windows 10)
 description: Estimate the disk space requirement for a migration so that you can use User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 0956d47d63..2b5db81c9d 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Exclude Files and Settings (Windows 10)
 description: In this article, learn how to exclude files and settings when creating a custom .xml file and a Config.xml file.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index b5b02016d8..0e973ffb4e 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -1,7 +1,6 @@
 ---
 title: Extract Files from a Compressed USMT Migration Store (Windows 10)
 description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 98148b856d..a7078f7b0b 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -1,7 +1,6 @@
 ---
 title: General Conventions (Windows 10)
 description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index b4790b2a5a..c11c83a8f3 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -1,7 +1,6 @@
 ---
 title: Hard-Link Migration Store (Windows 10)
 description: Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 23bb493204..751bdc54ee 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -1,7 +1,6 @@
 ---
 title: How USMT Works (Windows 10)
 description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index e234211ca1..0b38e19dbe 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) How-to articles (Windows 10)
 description: Reference the articles in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index 24278e020b..101e8b5666 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Identify Applications Settings (Windows 10)
 description: Identify which applications and settings you want to migrate before using the User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index 01625d4d37..049a88b921 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -1,7 +1,6 @@
 ---
 title: Identify File Types, Files, and Folders (Windows 10)
 description: Learn how to identify the file types, files, folders, and settings that you want to migrate when you're planning your migration.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index 9b3d93da8e..6781531b60 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Identify Operating System Settings (Windows 10)
 description: Identify which system settings you want to migrate, then use the User State Migration Tool (USMT) to select settings and keep the default values for all others.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 270b1902c3..40a4f58cb6 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -1,7 +1,6 @@
 ---
 title: Identify Users (Windows 10)
 description: Learn how to identify users you plan to migrate, and how to migrate local accounts and domain accounts.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index 7249c768be..8e5821354c 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Include Files and Settings (Windows 10)
 description: Specify the migration .xml files you want, then use the User State Migration Tool (USMT) 10.0 to migrate the settings and components specified.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index b6238044f2..e5c04fe082 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -1,7 +1,6 @@
 ---
 title: LoadState Syntax (Windows 10)
 description: Learn about the syntax and usage of the command-line options available when you use the LoadState command.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 06ccc91749..ad51352c37 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -1,7 +1,6 @@
 ---
 title: Log Files (Windows 10)
 description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 7b8526be55..c19ee33c65 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -1,7 +1,6 @@
 ---
 title: Migrate EFS Files and Certificates (Windows 10)
 description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 518b93c468..d4ecef51aa 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -1,7 +1,6 @@
 ---
 title: Migrate User Accounts (Windows 10)
 description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index 07c5b088c8..f136ae0f31 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -1,7 +1,6 @@
 ---
 title: Migration Store Encryption (Windows 10)
 description: Learn how the User State Migration Tool (USMT) enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 7609e4e147..eb67085ba9 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
 author: frankroj
 ms.date: 11/01/2022
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ---
 
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 6559990881..e7f255af34 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -1,7 +1,6 @@
 ---
 title: Plan Your Migration (Windows 10)
 description: Learn how to your plan your migration carefully so your migration can proceed smoothly and so that you reduce the risk of migration failure.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 37172c925e..3239732839 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
 author: frankroj
 ms.date: 11/01/2022
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ---
 
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index 9c2604adf1..fdf20145f0 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Toolkit (USMT) Reference (Windows 10)
 description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index d0f86bfc08..87a290ad93 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -1,7 +1,6 @@
 ---
 title: USMT Requirements (Windows 10)
 description: While the User State Migration Tool (USMT) doesn't have many requirements, these tips and tricks can help smooth the migration process.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index 026a457ea7..8edfb43a05 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Reroute Files and Settings (Windows 10)
 description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState command lines to reroute files and settings.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index ac1cc27168..63e2f70b4c 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -1,7 +1,6 @@
 ---
 title: USMT Resources (Windows 10)
 description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 14b65a281f..d8ee510c34 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -1,7 +1,6 @@
 ---
 title: ScanState Syntax (Windows 10)
 description: The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 2504eabb75..b60e82e749 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -1,14 +1,12 @@
 ---
 title: User State Migration Tool (USMT) Technical Reference (Windows 10)
 description: The User State Migration Tool (USMT) provides a highly customizable user-profile migration experience for IT professionals.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.date: 11/01/2022
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ---
 
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index a26c2a25cd..9b0981998d 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -1,7 +1,6 @@
 ---
 title: Test Your Migration (Windows 10)
 description: Learn about testing your migration plan in a controlled laboratory setting before you deploy it to your entire organization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index 755df2c928..a1a2c43ef3 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) Overview Topics (Windows 10)
 description: Learn about User State Migration Tool (USMT) overview articles that describe USMT as a highly customizable user-profile migration experience for IT professionals.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index ede8f237ec..05971e5afd 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) Troubleshooting (Windows 10)
 description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to help troubleshooting.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index cb67fc466b..2a174b6f13 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -1,7 +1,6 @@
 ---
 title: UsmtUtils Syntax (Windows 10)
 description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index be20a22816..b8a8f9f4dc 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -1,7 +1,6 @@
 ---
 title: What does USMT migrate (Windows 10)
 description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 34115d72da..e669804e3e 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -1,7 +1,6 @@
 ---
 title: XML Elements Library (Windows 10)
 description: Learn about the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index af25e49152..8d3f0e6ae2 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -1,7 +1,6 @@
 ---
 title: USMT XML Reference (Windows 10)
 description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows 10.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index 60856e7a7e..f96e15394d 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -1,7 +1,6 @@
 ---
 title: Verify the Condition of a Compressed Migration Store (Windows 10)
 description: Use these tips and tricks to verify the condition of a compressed migration store when using User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index 156809cb6d..787fa3f640 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -1,7 +1,6 @@
 ---
 title: XML File Requirements (Windows 10)
 description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index cc4d7b7b90..0b6ed5832d 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -1,11 +1,9 @@
 ---
 title: Configure VDA for Windows subscription activation
 description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
-ms.custom: seo-marvel-apr2020
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
index b00e515b54..956036f01b 100644
--- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Activate by Proxy an Active Directory Forest (Windows 10)
 description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md
index dc8833d2f8..ce77d52b35 100644
--- a/windows/deployment/volume-activation/activate-forest-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Activate an Active Directory Forest Online (Windows 10)
 description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 73f32edf78..2495b86782 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -1,8 +1,7 @@
 ---
 title: Activate using Active Directory-based activation
 description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 author: frankroj
 ms.author: frankroj
@@ -11,7 +10,7 @@ ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
 ms.date: 11/07/2022
 ms.topic: how-to
-ms.collection: highpri
+ms.collection: highpri, tier2
 ---
 
 # Activate using Active Directory-based activation
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index c9d04453fb..72dd3657cf 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Activate using Key Management Service (Windows 10)
 description: Learn how to use Key Management Service (KMS) to activate Windows.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
@@ -10,7 +9,7 @@ author: frankroj
 ms.localizationpriority: medium
 ms.date: 11/07/2022
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-fundamentals
 ---
 
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index 3166add837..f3d7c238f3 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Activate clients running Windows 10 (Windows 10)
 description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
index 48855f3afa..37122356a9 100644
--- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md
+++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
@@ -1,8 +1,7 @@
 ---
 title: Active Directory-Based Activation Overview (Windows 10)
 description: Enable your enterprise to activate its computers through a connection to their domain using Active Directory-Based Activation (ADBA).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md
index 53a1f70b1b..a57398003d 100644
--- a/windows/deployment/volume-activation/add-manage-products-vamt.md
+++ b/windows/deployment/volume-activation/add-manage-products-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Add and Manage Products (Windows 10)
 description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md
index 55297e1791..20e49eabe0 100644
--- a/windows/deployment/volume-activation/add-remove-computers-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Add and Remove Computers (Windows 10)
 description: The Discover products function on the Volume Activation Management Tool (VAMT) allows you to search the Active Directory domain or a general LDAP query.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
index 5fa51a1c12..229cb229b6 100644
--- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Add and Remove a Product Key (Windows 10)
 description: Add a product key to the Volume Activation Management Tool (VAMT) database. Also, learn how to remove the key from the database.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
index 0aa4fe2fb3..be88aa7204 100644
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
@@ -1,8 +1,7 @@
 ---
 title: Appendix Information sent to Microsoft during activation (Windows 10)
 description: Learn about the information sent to Microsoft during activation.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index 189f8488ed..a2282b3152 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Configure Client Computers (Windows 10)
 description: Learn how to configure client computers to enable the Volume Activation Management Tool (VAMT) to function correctly.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 author: frankroj
 ms.author: frankroj
diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md
index 63e839c6dd..378f187d4d 100644
--- a/windows/deployment/volume-activation/import-export-vamt-data.md
+++ b/windows/deployment/volume-activation/import-export-vamt-data.md
@@ -1,8 +1,7 @@
 ---
 title: Import and export VAMT data
 description: Learn how to use the VAMT to import product-activation data from a file into SQL Server.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md
index 833bc9a283..c2f7b56ef2 100644
--- a/windows/deployment/volume-activation/install-configure-vamt.md
+++ b/windows/deployment/volume-activation/install-configure-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Install and Configure VAMT (Windows 10)
 description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
index ed311b84f5..1788056d42 100644
--- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md
+++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Install a KMS Client Key (Windows 10)
 description: Learn to use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md
index 00ea59707d..e98a27e5cd 100644
--- a/windows/deployment/volume-activation/install-product-key-vamt.md
+++ b/windows/deployment/volume-activation/install-product-key-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Install a Product Key (Windows 10)
 description: Learn to use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 1ea051c4fe..c204b95d16 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Install VAMT (Windows 10)
 description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 1d5ba5f37c..ecd19f7dcc 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Introduction to VAMT (Windows 10)
 description: VAMT enables administrators to automate and centrally manage the Windows, Microsoft Office, and select other Microsoft products volume and retail activation process.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md
index 348a87ba6b..5c00b19da0 100644
--- a/windows/deployment/volume-activation/kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/kms-activation-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Perform KMS Activation (Windows 10)
 description: The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md
index e189dd781a..51ac686f69 100644
--- a/windows/deployment/volume-activation/local-reactivation-vamt.md
+++ b/windows/deployment/volume-activation/local-reactivation-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Perform Local Reactivation (Windows 10)
 description: An initially activated a computer using scenarios like MAK, retail, or CSLVK (KMS host), can be reactivated with Volume Activation Management Tool (VAMT).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md
index 17dfa9af6d..92fe7a7905 100644
--- a/windows/deployment/volume-activation/manage-activations-vamt.md
+++ b/windows/deployment/volume-activation/manage-activations-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Manage Activations (Windows 10)
 description: Learn how to manage activations and how to activate a client computer by using various activation methods.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md
index 2b9594e4f6..51995c11dc 100644
--- a/windows/deployment/volume-activation/manage-product-keys-vamt.md
+++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Manage Product Keys (Windows 10)
 description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md
index d2499a44f3..174118be90 100644
--- a/windows/deployment/volume-activation/manage-vamt-data.md
+++ b/windows/deployment/volume-activation/manage-vamt-data.md
@@ -1,8 +1,7 @@
 ---
 title: Manage VAMT Data (Windows 10)
 description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index 7205e81894..87357dbe84 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -1,7 +1,6 @@ --- title: Monitor activation (Windows 10) -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj description: Understand the most common methods to monitor the success of the activation process for a computer running Windows. diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index f1dcda98ce..8ca7a4f5bd 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -1,8 +1,7 @@ --- title: Perform Online Activation (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) to enable client products to be activated online. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 97cdedeb4f..1cc96ae7ed 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -1,8 +1,7 @@ --- title: Plan for volume activation (Windows 10) description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 2410bc8ba2..756957a315 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md 
@@ -1,8 +1,7 @@ --- title: Perform Proxy Activation (Windows 10) description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that don't have Internet access. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index b8118e73e2..1da6d8b48a 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -1,8 +1,7 @@ --- title: Remove Products (Windows 10) description: Learn how you must delete products from the product list view so you can remove products from the Volume Activation Management Tool (VAMT). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 85a3fe5222..414c9569db 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -1,8 +1,7 @@ --- title: Scenario 3 KMS Client Activation (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index c234aa5c7d..8040430270 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md 
@@ -1,8 +1,7 @@ --- title: Scenario 1 Online Activation (Windows 10) description: Achieve network access by deploying the Volume Activation Management Tool (VAMT) in a Core Network environment. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 223ef377b2..61b958307c 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -1,8 +1,7 @@ --- title: Scenario 2 Proxy Activation (Windows 10) description: Use the Volume Activation Management Tool (VAMT) to activate products that are installed on workgroup computers in an isolated lab environment. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index be82deed6b..3a5330083f 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -1,8 +1,7 @@ --- title: Update Product Status (Windows 10) description: Learn how to use the Update license status function to add the products that are installed on the computers. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index a381b30b76..d086a0d8ca 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md 
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -1,8 +1,7 @@ --- title: Use the Volume Activation Management Tool (Windows 10) description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index e965f4be1c..7f990d6a31 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -1,8 +1,7 @@ --- title: Use VAMT in Windows PowerShell (Windows 10) description: Learn how to use Volume Activation Management Tool (VAMT) PowerShell cmdlets to perform the same functions as the Vamt.exe command-line tool. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 4c29fd57a4..4b52470719 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -1,17 +1,13 @@ --- title: VAMT known issues (Windows 10) description: Find out the current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.custom: - - CI 111496 - - CSSTroubleshooting ms.technology: itpro-fundamentals --- 
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index 47e54481c4..d66ce6f5a0 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -1,8 +1,7 @@ --- title: VAMT Requirements (Windows 10) description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 2378579069..e085f009c8 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -1,8 +1,7 @@ --- title: VAMT Step-by-Step Scenarios (Windows 10) description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index 3f9a5a7264..6d157c6365 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -1,8 +1,7 @@ --- title: VAMT technical reference description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client 
@@ -10,7 +9,6 @@ ms.technology: itpro-fundamentals author: frankroj ms.date: 11/07/2022 ms.topic: overview -ms.custom: seo-marvel-apr2020 --- # Volume Activation Management Tool (VAMT) technical reference diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 3bc4621e7a..29dfd02ddc 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -1,8 +1,7 @@ --- title: Volume Activation for Windows 10 description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 32807ff581..6849160ab4 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -7,7 +7,6 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.topic: article -ms.custom: seo-marvel-apr2020 ms.date: 11/23/2022 ms.technology: itpro-deploy --- diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 677807d5c7..25168e8c14 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -1,7 +1,6 @@ --- title: Windows 10 deployment process posters description: View and download Windows 10 deployment process flows for Microsoft Configuration Manager and Windows Autopilot. -ms.reviewer: manager: aaroncz author: frankroj ms.author: frankroj diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index fec86dadb3..3ee6b7d8a5 100644 
--- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -1,7 +1,6 @@ --- title: Windows 10 deployment tools reference description: Learn about the tools available to deploy Windows 10, like Volume Activation Management Tool (VAMT) and User State Migration Tool (USMT). -ms.reviewer: manager: aaroncz ms.author: frankroj author: frankroj diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md index e20b0e50ff..b4187d65df 100644 --- a/windows/deployment/windows-10-deployment-tools.md +++ b/windows/deployment/windows-10-deployment-tools.md @@ -1,7 +1,6 @@ --- title: Windows 10 deployment tools description: Learn how to use Windows 10 deployment tools to successfully deploy Windows 10 to your organization. -ms.reviewer: manager: aaroncz ms.author: frankroj author: frankroj diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 66d08877b8..c57dd5bce0 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -4,7 +4,6 @@ description: Learn about volume license media in Windows 10, and channels such a ms.prod: windows-client ms.localizationpriority: medium ms.date: 11/23/2022 -ms.reviewer: manager: aaroncz ms.author: frankroj author: frankroj diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 3741412fbb..61823c8faa 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -4,7 +4,6 @@ description: In this article, you'll learn how to deploy Windows 10 in a test la ms.prod: windows-client ms.localizationpriority: medium ms.date: 11/23/2022 -ms.reviewer: manager: aaroncz ms.author: frankroj author: frankroj diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 46c6a2b39c..87d0a1a2d5 100644 
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -4,7 +4,6 @@ description: Learn how to deploy Windows 10 in a test lab using Microsoft Config ms.prod: windows-client ms.technology: itpro-deploy ms.localizationpriority: medium -ms.reviewer: manager: aaroncz ms.author: frankroj author: frankroj diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 0998486d71..40769fc671 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -1,7 +1,6 @@ --- title: Configure a test lab to deploy Windows 10 description: Learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment. -ms.reviewer: manager: aaroncz ms.author: frankroj author: frankroj diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4f8562a41b..4430523e8a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -7,10 +7,7 @@ ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz -ms.collection: - - highpri -search.appverid: - - MET150 +ms.collection: highpri, tier2 ms.topic: conceptual ms.date: 11/23/2022 appliesto: diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index fa4844aef5..ec97a45acf 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -8,6 +8,8 @@ href: overview/windows-autopatch-overview.md - name: Roles and responsibilities href: overview/windows-autopatch-roles-responsibilities.md + - name: Privacy + href: overview/windows-autopatch-privacy.md - name: FAQ href: overview/windows-autopatch-faq.yml - name: Prepare 
@@ -47,6 +49,8 @@ - name: Windows updates href: items: + - name: Customize Windows Update settings + href: operate/windows-autopatch-windows-update.md - name: Windows quality updates href: operate/windows-autopatch-windows-quality-update-overview.md items: @@ -88,7 +92,7 @@ href: operate/windows-autopatch-deregister-devices.md - name: Unenroll your tenant href: operate/windows-autopatch-unenroll-tenant.md - - name: Reference + - name: References href: items: - name: Update policies @@ -100,8 +104,6 @@ href: references/windows-autopatch-microsoft-365-policies.md - name: Changes made at tenant enrollment href: references/windows-autopatch-changes-to-tenant.md - - name: Privacy - href: references/windows-autopatch-privacy.md - name: What's new href: items: diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md index b01e97264d..4a3c6c4c86 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Add and verify admin contacts 
@@ -17,7 +17,7 @@ msreviewer: hathind There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch. > [!IMPORTANT] -> You might have already added these contacts in the Microsoft Endpoint Manager admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs. +> You might have already added these contacts in the Microsoft Intune admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs. You must have an admin contact for each specified area of focus. The Windows Autopatch Service Engineering Team will contact these individuals for assistance with your support request. Admin contacts should be the best person or group that can answer questions and make decisions for different [areas of focus](#area-of-focus). 
@@ -35,7 +35,7 @@ Your admin contacts will receive notifications about support request updates and **To add admin contacts:** -1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**. 1. Select **+Add**. 1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index d1e52e4ced..b6ead33041 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: andredm7 +ms.reviewer: andredm7 --- # Device registration overview diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index 340afa6233..076f04ca7b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: andredm7 +ms.reviewer: andredm7 --- # Post-device registration readiness checks (public preview) 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 5a0761c2f4..fcc1e157cf 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 
 # Register your devices
@@ -139,12 +139,12 @@ For more information, see [Device registration overview](../deploy/windows-autop ## Steps to register devices -Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). +Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. **To register devices with Windows Autopatch:** -1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** from the left navigation menu. 3. 
Under the **Windows Autopatch** section, select **Devices**. 4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. @@ -164,7 +164,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W **To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:** -1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. In the left pane, select **Devices**. 1. Navigate to Provisioning > **Windows 365**. 1. Select Provisioning policies > **Create policy**. diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml index 1f245af013..2105efa402 100644 --- a/windows/deployment/windows-autopatch/index.yml +++ b/windows/deployment/windows-autopatch/index.yml @@ -14,8 +14,8 @@ metadata: ms.custom: intro-hub-or-landing ms.prod: windows-client ms.technology: itpro-updates - ms.collection: - - highpri + ms.collection: highpri, tier2 + # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md index 15b45c91d4..1792c44913 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: andredm7 +ms.reviewer: andredm7 --- # Deregister a device 
@@ -18,7 +18,7 @@ To avoid end-user disruption, device deregistration in Windows Autopatch only de **To deregister a device:** -1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Windows Autopatch** in the left navigation menu. 1. Select **Devices**. 1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister. @@ -42,7 +42,7 @@ You can hide unregistered devices you don't expect to be remediated anytime soon **To hide unregistered devices:** -1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Windows Autopatch** in the left navigation menu. 1. Select **Devices**. 1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md index bc8fc2e428..c45d4d9c97 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Microsoft Edge diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index aa13524ff2..b67ec6d208 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md 
@@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Maintain the Windows Autopatch environment @@ -37,7 +37,7 @@ Windows Autopatch deploys, manages and maintains all configurations related to t The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**. > [!IMPORTANT] -> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../references/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal. +> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../overview/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal. The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index ebe7cda8b7..43d2a3e596 100644 
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -1,22 +1,27 @@
 ---
 title: Microsoft 365 Apps for enterprise
-description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch
-ms.date: 08/08/2022
+description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
+ms.date: 03/10/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Microsoft 365 Apps for enterprise
 
 ## Service level objective
 
-Windows Autopatch aims to keep at least 90% of eligible devices on a [supported version](/deployoffice/overview-update-channels#support-duration-for-monthly-enterprise-channel) of the Monthly Enterprise Channel (MEC) for [Enterprise Standard Suite](/deployoffice/about-microsoft-365-apps) (Access, Excel, OneNote, Outlook, PowerPoint, and Word). Microsoft 365 Apps deployed on the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) are supported for two months.
+Windows Autopatch aims to keep at least 90% of eligible devices on a [supported version](/deployoffice/overview-update-channels#support-duration-for-monthly-enterprise-channel) of the Monthly Enterprise Channel (MEC) for the:
+
+- [Enterprise Standard Suite](/deployoffice/about-microsoft-365-apps). The Enterprise Standard Suite includes Access, Excel, OneNote, Outlook, PowerPoint, and Word.
+- Subscription versions of Microsoft Project and Visio desktop apps, for example, Project Plan 3 or Visio Plan 2.
+
+Microsoft 365 Apps deployed on the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) are supported for two months.
 
 > [!NOTE]
 > [Microsoft Teams](../operate/windows-autopatch-teams.md) uses a different update channel from the rest of Microsoft 365 Apps.
@@ -25,14 +30,17 @@ Windows Autopatch aims to keep at least 90% of eligible devices on a [supported
 
 For a device to be eligible for Microsoft 365 Apps for enterprise updates (both 32-bit and 64-bit versions), as a part of Windows Autopatch, they must meet the following criteria:
 
+- The device must be turned on and have an internet connection.
+- The device must be able to access the [required network endpoints](../prepare/windows-autopatch-configure-network.md#required-microsoft-product-endpoints) to reach the Office Content Delivery Network (CDN).
 - There are no policy conflicts between Microsoft Autopatch policies and customer policies.
 - The device must have checked into the Intune service in the last five days.
+- If Microsoft 365 Apps are running, the apps must close for the update process to complete.
 
 ## Update release schedule
 
-All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN).
+All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN).
 
-Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
+Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
 
 ## Deployment rings
 
@@ -40,52 +48,76 @@ Since the Office CDN determines when devices are offered updates, Windows Autopa ## End user experience -There are two parts of the end user experience that are configured by Windows Autopatch: +Windows Autopatch configures the following end user experiences: - Behavior during updates - Office client ### Behavior during updates -Updates can only be applied when Microsoft 365 Apps aren't running. Therefore, notifications usually appear because the user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days. +> [!NOTE] +> If Microsoft 365 Apps are running, the apps must close for the update process to complete. -Once the device has downloaded the update, users are given notifications leading up to the deadline. They'll receive the following message in the notification area in Windows, reminding them that updates are ready to be applied. +Updates are only applied when Microsoft 365 Apps aren't running. Therefore, [end user notifications for Microsoft 365 Apps](/deployoffice/updates/end-user-update-notifications-microsoft-365-apps) usually appear when: -*Updates ready to be applied -Updates are required by your system admin are blocked by one or more apps. Office will restart at mm/dd/yyyy h:mm AM/PM to apply updates.* - -Alternatively, users can select **Update now** to apply the updates. The user is then prompted to close all open Office programs. After the updates are applied, the message disappears. - -When the deadline arrives and the updates still aren't applied, users will: - -1. See a dialog box that warns them that they have 15 minutes before the updates are applied. -1. Have 15 minutes to save and close any work. - -When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied. +- The user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days. 
+- The update [deadline arrives](/deployoffice/updates/end-user-update-notifications-microsoft-365-apps#notifications-your-users-see-when-you-set-an-update-deadline-for-microsoft-365-apps) and the updates still aren't applied. ### Office client app configuration To ensure that users are receiving automatic updates, Windows Autopatch prevents the user from opting out of automatic updates. -## Update controls +## Microsoft 365 Apps for enterprise update controls -If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might pause the update by forcing Microsoft 365 Apps to stay on a specific version. +Windows Autopatch doesn't allow you to pause or roll back an update in the Microsoft Intune admin center. -Windows Autopatch will either: - -- Choose to stay on the previous version for rings that haven't received the update yet. -- Force all devices to roll back to the previous version. +[Submit a support request](../operate/windows-autopatch-support-request.md) to the Windows Autopatch Service Engineering Team to pause or roll back an update when needed. > [!NOTE] -> Windows Autopatch doesn't currently allow customers to force their devices to stay on a previous version or rollback to a previous version. +> Updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). Therefore, we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise. -Since quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise. +## Allow or block Microsoft 365 App updates + +For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. 
When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch won't provide Microsoft 365 App updates on your behalf, and your organizations will have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). + +**To allow or block Microsoft 365 App updates:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to the **Devices** > **Release Management** > **Release settings**. +3. Go to the **Microsoft 365 apps updates** section. By default, the **Allow/Block** toggle is set to **Allow**. +4. Turn off the **Allow** toggle to opt out of Microsoft 365 App update policies. You'll see the notification: *Update in process. This setting will be unavailable until the update is complete.* +5. Once the update is complete, you’ll receive the notification: *This setting is updated.* + +> [!NOTE] +> If the notification: *This setting couldn’t be updated. Please try again or submit a support request.* appears, use the following steps:
    1. Refresh your page.
    2. Please repeat the same steps in To block Windows Autopatch Microsoft 365 apps updates.
    3. If the issue persists, [submit a support request](../operate/windows-autopatch-support-request.md).
    4. + +**To verify if the Microsoft 365 App update setting is set to Allow:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. +3. The following **five** profiles should be discoverable from the list of profiles: + 1. Windows Autopatch - Office Configuration + 2. Windows Autopatch - Office Update Configuration [Test] + 3. Windows Autopatch - Office Update Configuration [First] + 4. Windows Autopatch - Office Update Configuration [Fast] + 5. Windows Autopatch - Office Update Configuration [Broad] + +**To verify if the Microsoft 365 App update setting is set to Block:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. +3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords “Office Configuration”. The result should return *0 profiles filtered*. + 1. Windows Autopatch - Office Configuration + 2. Windows Autopatch - Office Update Configuration [Test] + 3. Windows Autopatch - Office Update Configuration [First] + 4. Windows Autopatch - Office Update Configuration [Fast] + 5. Windows Autopatch - Office Update Configuration [Broad] ## Compatibility with Servicing Profiles [Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting. -A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. 
This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
+A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 79ff9e1b78..c4a87a93ba 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Submit a support request
@@ -23,7 +23,7 @@ Support requests are triaged and responded to as they're received.
 
 **To submit a new support request:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
 1. In the **Windows Autopatch** section, select **Support requests**.
 1. In the **Support requests** section, select **+ New support request**.
 1. Enter your question(s) and/or a description of the problem.
@@ -57,7 +57,7 @@ You can see the summary status of all your support requests. At any time, you ca
 
 **To view all your active support requests:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Support request**.
 1. From this view, you can export the summary view or select any case to view the details.
 
@@ -67,7 +67,7 @@ You can edit support request details, for example, updating the primary case con
 
 **To edit support request details:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Support request**.
 1. In the **Support requests** section, use the search bar or filters to find the case you want to edit.
 1. Select the case to open the request's details.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
index 3a14dd0be0..b348eca592 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Microsoft Teams
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index ec414612c4..8a69ef3f78 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Unenroll your tenant
@@ -32,7 +32,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
 
 | Responsibility | Description |
 | ----- | ----- |
-| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). |
+| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
 | Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). |
 
 ## Your responsibilities after unenrolling your tenant
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 92e00968e2..3c850cf312 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 
 # Software update management
@@ -71,7 +71,7 @@ If you want to move separate devices to different deployment rings, after Window
 
 **To move devices in between deployment rings:**
 
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
 2. In the **Windows Autopatch** section, select **Devices**.
 3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify.
 4. Select **Device actions** from the menu.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
index 65e90a8a96..cdbcde747d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
@@ -9,12 +9,12 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Windows feature update end user experience
 
-Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours.
+Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing restarts during business hours.
 
 ## User notifications
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index c806472b1e..ce6d60f33d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 
 # Windows feature updates
@@ -38,7 +38,7 @@ If a device is registered with Windows Autopatch, and the device is:
 - On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device.
 
 > [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use a [LTSC media](/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Windows feature update policy configuration @@ -82,14 +82,14 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym ### Pausing and resuming a release > [!CAUTION] -> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). +> It's recommended to only use Windows Autopatch's Release management blade to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). > [!IMPORTANT] > Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

      For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

      **To pause or resume a Windows feature update:**
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Release management**.
 4. In the **Release management** blade, select either: **Pause** or **Resume**.
@@ -109,7 +109,7 @@ If you've paused an update, the specified release will have the **Customer Pause
 Windows Autopatch doesn’t support the rollback of Windows feature updates.
 
 > [!CAUTION]
-> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+> It's recommended to only use Windows Autopatch's Release management blade to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 
 ## Contact support
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
index 1aeecfd623..f48428da15 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
@@ -1,6 +1,6 @@
 ---
 title: All devices report—historical
-description: Provides a visual representation of the update status trend for all devices over the last 90 days.
+description: Provides a visual representation of the update status trend for all devices over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # All devices report—historical
@@ -18,7 +18,7 @@ The historical All devices report provides a visual representation of the update
 
 **To view the historical All devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **All devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
index beb945d17e..a89b5943b8 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
@@ -1,6 +1,6 @@
 ---
 title: All devices report
-description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
+description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # All devices report
@@ -18,7 +18,7 @@ The All devices report provides a per device view of the current update status f
 
 **To view the All devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **All devices report**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
index 9fc28bcbbb..ddf26cae19 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Windows quality update communications
@@ -24,7 +24,7 @@ Communications are posted to, as appropriate for the type of communication, to t
 
 - Message center
 - Service health dashboard
-- Windows Autopatch messages section of the Microsoft Endpoint Manager admin center
+- Windows Autopatch messages section of the Microsoft Intune admin center
 
 :::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
 
@@ -38,7 +38,7 @@ Communications are posted to, as appropriate for the type of communication, to t
 
 ## Communications during release
 
-The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
+The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
 
 There are some circumstances where Autopatch will need to change the release schedule based on new information.
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
index 8b2577d48c..f3d6012c50 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
@@ -1,6 +1,6 @@
 ---
 title: Eligible devices report—historical
-description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
+description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # Eligible devices report—historical
@@ -18,7 +18,7 @@ The historical Eligible devices report provides a visual representation of the u
 
 **To view the historical Eligible devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **Eligible devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
index 9f8570c024..e18ee9ef48 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
@@ -9,12 +9,12 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Windows quality update end user experience
 
-Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours.
+Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing restarts during business hours.
 
 ## User notifications
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
index dbcc2d106f..330088a5e0 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
@@ -1,6 +1,6 @@
 ---
 title: Ineligible devices report—historical
-description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
+description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # Ineligible devices report—historical
@@ -21,7 +21,7 @@ The historical Ineligible devices report provides a visual representation of why
 
 **To view the historical Ineligible devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **Ineligible devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 6245326cc1..c687882aaf 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 
 # Windows quality updates
@@ -94,7 +94,7 @@ By default, the service expedites quality updates as needed. For those organizat
 
 **To turn off service-driven expedited quality updates:**
 
-1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
+1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
 2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
 
 > [!NOTE]
@@ -106,7 +106,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
 
 **To view deployed Out of Band quality updates:**
 
-1. Go to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
+1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
 2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
 
 > [!NOTE]
@@ -115,7 +115,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
 ### Pausing and resuming a release
 
 > [!CAUTION]
-> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+> It's recommended to only use Windows Autopatch's Release management blade to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 
 The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
 
@@ -126,7 +126,7 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
 
 **To pause or resume a Windows quality update:**
 
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Release management**.
 4. In the **Release management** blade, select either: **Pause** or **Resume**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
index e73bb77716..c3ea51727d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
@@ -1,6 +1,6 @@
 ---
 title: Windows quality update reports
-description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch
+description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # Windows quality update reports
@@ -39,7 +39,7 @@ Users with the following permissions can access the reports:
 
 ## About data latency
 
-The data source for these reports is the [Windows diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
+The data source for these reports is the [Windows diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
 
 ## Windows quality update statuses
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
index fb93cc88c6..492e76ed01 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Windows quality update signals
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
index 88f6e4ec66..95dd437451 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -1,6 +1,6 @@
 ---
 title: Summary dashboard
-description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # Summary dashboard
@@ -18,7 +18,7 @@ The Summary dashboard provides a summary view of the current update status for a
 
 **To view the current update status for all your enrolled devices:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 
 :::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
new file mode 100644
index 0000000000..508c99fa46
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
@@ -0,0 +1,113 @@
+---
+title: Customize Windows Update settings
+description: This article explains how to customize Windows Updates in Windows Autopatch
+ms.date: 03/08/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: rekhanr
+---
+
+# Customize Windows Update settings (public preview)
+
+> [!IMPORTANT]
+> This feature is in **public preview**. The feature is being actively developed, and may not be complete. You can test and use these features in production environments and provide feedback.
+
+You can customize the Windows Update deployment schedule for each deployment ring per your business and organizational needs. We recommend that you use the Windows Autopatch service default. However, you may have devices that need different schedules for updates deployment.
+
+When the deployment cadence is customized, Windows Autopatch will override our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) may not count towards the Windows Autopatch [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
+
+## Deployment cadence
+
+### Cadence types
+
+For each tenant, at the deployment ring level, there are two cadence types to configure and manage your Windows Update deployments for all the devices in those deployment rings:
+
+- [Deadline-driven](#deadline-driven)
+- [Scheduled install](#scheduled-install)
+
+#### Deadline-driven
+
+With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
+
+There are certain limits that Windows Autopatch defines and you'll only be able to make changes with those boundaries. 
The following boundaries are implemented so that Windows Autopatch can maintain update compliance.
+
+| Boundary | Description |
+| ----- | ----- |
+| Deferrals and deadlines | Windows Autopatch will enforce that deadline plus deferral days for a deployment ring to be less than or equal to 14 days. |
+| Grace period | The permitted customization range is zero to seven days. |
+
+> [!NOTE]
+> The configured grace period will apply to both Windows quality updates and Windows feature updates.
+
+Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, will be applied.
+
+It's possible for you to change the cadence from the Windows Autopatch Release management blade while update deployments are in progress. Windows Autopatch will abide by the principle to always respect your preferences over service-defined values.
+
+However, if an update has already started for a particular deployment ring, Windows Autopatch won't be able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle.
+
+#### Scheduled install
+
+> [!NOTE]
+> If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
+
+While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. 
The **Scheduled install** cadence type will prevent forced restarts and interruptions to critical business activities for end users, thereby minimizing disruptions. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. The expectation is that devices would only update and restart according to the time specified. + +> [!NOTE] +> The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type. + +Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device may have the Windows Update scan and install during active hours. + +##### Scheduled install types + +> [!NOTE] +> For devices with **Active hours** configured, if the device is consistently unavailable, Windows will attempt to keep the devices up to date, including installation of updates during Active hours.

      For Windows 10 devices, Windows Update can start 30 minutes prior to the specified install time. If the installation start time is specified at 2:00 AM, some of the devices may start the installation 30 mins prior.

      + +The Scheduled install cadence has two options: + +| Option | Description | +| ----- | ----- | +| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.

      The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business will scan, install and restart the device.

      +| Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:
      • Weekly
      • Bi-weekly
      • Monthly

      Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.

      | + +> [!NOTE] +> Changes made in one deployment ring won't impact other rings in your tenant.

      Configured **Active hours** and **Scheduled install and restart** options will apply to both Windows quality updates and Windows feature updates.

      + +### User notifications + +In addition to the cadence type, you can also manage the end user notification settings. End users will receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings: + +- Not configured +- Use the default Windows Update notifications +- Turn off all notifications excluding restart warnings +- Turn off all notifications including restart warnings + +For more information, see [Windows Update settings you can manage with Intune update ring policies for Windows 10/11 devices](/mem/intune/protect/windows-update-settings). + +## Customize the Windows Update deployment cadence + +**To customize the Windows Update deployment cadence:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings** select **Customize Windows Update cadence (preview)**. The page lists the existing settings for each of the rings in the tenant. +3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings. +4. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings. + 1. Select one of the cadence types for the ring: + 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option will enforce forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default". + 1. Select **Scheduled install** to opt-out of deadline-based forced restart. + 1. Select either **Active hours** or **Schedule install and restart time**. + 2. 
Select **Save**. +5. Select **Manage notifications**. A fly-in pane opens. + 1. Select one of following [Windows Update restart notifications](#user-notifications) for your devices that are part of the selected deployment ring. By default, Windows Autopatch recommends that you enable all notifications. + 1. Not configured + 1. Use the default Windows Update notifications + 1. Turn off all notifications excluding restart warnings + 1. Turn off all notifications included restart warnings + 1. Select **Save** once you select the preferred setting. +6. Repeat the same process to customize each of the rings. Once done, select **Next**. +7. In **Review + apply**, you’ll be able to review the selected settings for each of the rings. +8. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index fd6ef0d1ef..c323dd4908 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: windows-client ms.topic: faq - ms.date: 08/26/2022 + ms.date: 02/28/2023 audience: itpro ms.localizationpriority: medium manager: dougeby 
@@ -93,7 +93,7 @@ sections: answer: | Autopatch relies on the following capabilities to help resolve update issues: - Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). - - Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls). + - Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls). - question: Can I permanently pause a Windows feature update deployment? answer: | Yes. Windows Autopatch provides a [permanent pause of either a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index 6458591d05..35df585aa1 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md 
@@ -9,9 +9,8 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind -ms.collection: - - highpri +ms.collection: highpri, tier2 +ms.reviewer: hathind --- # What is Windows Autopatch? @@ -64,7 +63,7 @@ Microsoft remains committed to the security of your data and the [accessibility] | Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:
      • [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
      • [Configure your network](../prepare/windows-autopatch-configure-network.md)
      • [Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)
      • [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
      | | Deploy | Once you've enrolled your tenant, this section instructs you to:
      • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
      • [Register your devices](../deploy/windows-autopatch-register-devices.md)
      | | Operate | This section includes the following information about your day-to-day life with the service:
      • [Update management](../operate/windows-autopatch-update-management.md)
      • [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
      • [Submit a support request](../operate/windows-autopatch-support-request.md)
      • [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
      -| References | This section includes the following articles:
      • [Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)
      • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
      • [Privacy](../references/windows-autopatch-privacy.md)
      • [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
      | +| References | This section includes the following articles:
      • [Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)
      • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
      • [Privacy](../overview/windows-autopatch-privacy.md)
      • [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
      | ### Have feedback or would like to start a discussion? diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md similarity index 95% rename from windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md rename to windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index f3e41c6ebe..3b9a3b050f 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy -description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 02/02/2023 +description: This article provides details about the data platform and privacy compliance for Autopatch +ms.date: 03/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Privacy @@ -72,12 +72,12 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | Enterprise application name | Usage | Permissions | | ----- | ----- | ----- | -| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
      • DeviceManagementApps.ReadWrite.All
      • DeviceManagementConfiguration.ReadWrite.All
      • DeviceManagementManagedDevices.PriviligedOperation.All
      • DeviceManagementManagedDevices.ReadWrite.All
      • DeviceManagementRBAC.ReadWrite.All
      • DeviceManagementServiceConfig.ReadWrite.All
      • Directory.Read.All
      • Group.Create
      • Policy.Read.All
      • WindowsUpdates.Read.Write.All
      | +| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
      • DeviceManagementApps.ReadWrite.All
      • DeviceManagementConfiguration.ReadWrite.All
      • DeviceManagementManagedDevices.PriviligedOperation.All
      • DeviceManagementManagedDevices.ReadWrite.All
      • DeviceManagementRBAC.ReadWrite.All
      • DeviceManagementServiceConfig.ReadWrite.All
      • Directory.Read.All
      • Group.Create
      • Policy.Read.All
      • WindowsUpdates.ReadWrite.All
      | ### Service accounts > [!IMPORTANT] -> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise application](windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal. +> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal. Windows Autopatch creates and uses guest accounts using just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 6e707c4ca8..d185fe21d6 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md 
@@ -1,7 +1,7 @@
 ---
 title: Roles and responsibilities
 description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
-ms.date: 12/12/2022
+ms.date: 03/08/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Roles and responsibilities
@@ -25,7 +25,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | Task | Your responsibility | Windows Autopatch |
 | ----- | :-----: | :-----: |
 | Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: |
-| [Review the service data platform and privacy compliance details](../references/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
+| [Review the service data platform and privacy compliance details](../overview/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
 | Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
 | Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
 | Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
@@ -38,10 +38,13 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 
 | Task | Your responsibility | Windows Autopatch |
 | ----- | :-----: | :-----: |
-| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Endpoint Manager | :heavy_check_mark: | :x: |
+| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Intune | :heavy_check_mark: | :x: |
 | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
 | Educate users on the Windows Autopatch end user update experience
      • [Windows quality update end user experience](../operate/windows-autopatch-windows-quality-update-end-user-exp.md)
      • [Windows feature update end user experience](../operate/windows-autopatch-windows-feature-update-end-user-exp.md)
      • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
      • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
      | :heavy_check_mark: | :x: |
-| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
+| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
+| [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: |
+| [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: |
+| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | :heavy_check_mark: | :x: |
 | [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: |
 | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
 | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: |
@@ -56,14 +59,15 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | Task | Your responsibility | Windows Autopatch |
 | ----- | :-----: | :-----: |
-| [Maintain contacts in the Microsoft Endpoint Manager admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: |
+| [Maintain contacts in the Microsoft Intune admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: |
 | [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: |
 | [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: |
 | [Run on-going checks to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: |
 | [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: |
 | Monitor [Windows update signals](../operate/windows-autopatch-windows-quality-update-signals.md) for safe update release | :x: | :heavy_check_mark: |
 | Test specific [business update scenarios](../operate/windows-autopatch-windows-quality-update-signals.md) | :heavy_check_mark: | :x: |
-| [Define and implement release schedule](../operate/windows-autopatch-windows-quality-update-overview.md) | :x: | :heavy_check_mark: |
+| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | :heavy_check_mark: | :x: |
+| [Define and implement service default release schedule](../operate/windows-autopatch-windows-quality-update-overview.md) | :x: | :heavy_check_mark: |
 | Communicate the update [release schedule](../operate/windows-autopatch-windows-quality-update-communications.md) | :x: |
:heavy_check_mark: | | Release updates (as scheduled)
      • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases)
      • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)
      • [Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)
      • [Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)
        • | :x: | :heavy_check_mark: |
 | [Release updates (expedited)](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :x: | :heavy_check_mark: |
@@ -83,7 +87,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
 | [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
 | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
-| Review and respond to Message Center and Service Health Dashboard notifications
          • [Windows quality and feature update communications](../operate/windows-autopatch-windows-quality-update-communications.md)
          • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
          | :heavy_check_mark: | :x: | +| Review and respond to Message Center and Service Health Dashboard notifications
          • [Windows quality update communications](../operate/windows-autopatch-windows-quality-update-communications.md)
          • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
          | :heavy_check_mark: | :x: |
 | [Highlight Windows Autopatch Tenant management alerts that require customer action](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :x: | :heavy_check_mark: |
 | [Review and respond to Windows Autopatch Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :heavy_check_mark: | :x: |
 | [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index a1c0a63417..e223d515a4 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Configure your network
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index b091a73a97..7e202554d2 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Enroll your tenant
@@ -19,7 +19,7 @@ Before you enroll in Windows Autopatch, there are settings, and other parameters
 > [!IMPORTANT]
 > You must be a Global Administrator to enroll your tenant.
-The Readiness assessment tool, accessed in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
+The Readiness assessment tool, accessed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
 ## Step 1: Review all prerequisites
@@ -37,7 +37,7 @@ The Readiness assessment tool checks the settings in [Microsoft Intune](#microso
 > [!IMPORTANT]
 > You must be a Global Administrator to run the Readiness assessment tool.
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**.
 > [!IMPORTANT]
@@ -109,7 +109,7 @@ Windows Autopatch retains the data associated with these checks for 12 months af
 **To delete the data we collect:**
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Navigate to Windows Autopatch > **Tenant enrollment**.
 3. Select **Delete all data**.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index 44447d5697..c36d207090 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Submit a tenant enrollment support request
@@ -35,6 +35,6 @@ If you have a question about the case, the best way to get in touch is to reply
 **To view all your active tenant enrollment support requests:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
 1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 776fb296c0..0c4b7973da 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Fix issues found by the Readiness assessment tool
@@ -35,7 +35,7 @@ For each check, the tool will report one of four possible results:
 ## Microsoft Intune settings
-You can access Intune settings at the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+You can access Intune settings at the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 ### Unlicensed admins
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index b66883ee6d..c2f86d2ca3 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Prerequisites
@@ -22,7 +22,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
 | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

          For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

          • For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
          • For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
          | | Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

          At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).

          Other device management prerequisites include:

          • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
          • Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.
          • Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
          • Devices must be connected to the internet.
          • Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.

          See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.

          For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).

          |
-| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
+| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md). |
 ## More about licenses
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index 5155521cf1..fed0830f19 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -9,12 +9,12 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Changes made at tenant enrollment
-The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service.
+The following configuration details explain the changes made to your tenant when enrolling into the Windows Autopatch service.
 > [!IMPORTANT]
 > The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.
@@ -27,17 +27,19 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 | Enterprise application name | Usage | Permissions |
 | ----- | ------ | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
          • DeviceManagementApps.ReadWrite.All
          • DeviceManagementConfiguration.ReadWrite.All
          • DeviceManagementManagedDevices.PriviligedOperation.All
          • DeviceManagementManagedDevices.ReadWrite.All
          • DeviceManagementRBAC.ReadWrite.All
          • DeviceManagementServiceConfig.ReadWrite.All
          • Directory.Read.All
          • Group.Create
          • Policy.Read.All
          • WindowsUpdates.Read.Write.All
          | +| Modern Workplace Management | The Modern Workplace Management application:
          • Manages the service
          • Publishes baseline configuration updates
          • Maintains overall service health
          |
          • DeviceManagementApps.ReadWrite.All
          • DeviceManagementConfiguration.ReadWrite.All
          • DeviceManagementManagedDevices.PriviligedOperation.All
          • DeviceManagementManagedDevices.ReadWrite.All
          • DeviceManagementRBAC.ReadWrite.All
          • DeviceManagementServiceConfig.ReadWrite.All
          • Directory.Read.All
          • Group.Create
          • Policy.Read.All
          • WindowsUpdates.ReadWrite.All
          |
 ### Service principal
-Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
+Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
 - Modern Workplace Customer APIs
 ## Azure Active Directory groups
-Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
+Windows Autopatch will create the required Azure Active Directory groups to operate the service.
+
+The following groups target Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
 | Group name | Description |
 | ----- | ----- |
@@ -59,8 +61,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Policy name | Policy description | Properties | Value |
 | ----- | ----- | ----- | ----- |
-| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
          • Modern Workplace Devices-Windows Autopatch-Broad
          | [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked | -| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
          • Modern Workplace Devices-Windows Autopatch-Broad
          |
          1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
          2. [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
          3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
          4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
          5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
          6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
          |
          1. Enable telemetry change notifications
          2. Enable Telemetry opt-in Settings
          3. Full
          4. Enabled
          5. Enabled
          6. Enabled
          | +| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
          • Modern Workplace Devices-Windows Autopatch-Broad
          | [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) |
          • MDM policy is used
          • GP policy is blocked
          | +| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
          • Modern Workplace Devices-Windows Autopatch-Broad
          |
          1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
          2. [Configure Telemetry Opt In Settings UX](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
          3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
          4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
          5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
          6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
          |
          1. Enable telemetry change notifications
          2. Enable Telemetry opt-in Settings
          3. Full
          4. Enabled
          5. Enabled
          6. Enabled
          |
 ## Deployment rings for Windows 10 and later
@@ -76,13 +78,13 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Fast
          |
          • QualityUpdatesDeferralPeriodInDays
          • FeatureUpdatesDeferralPeriodInDays
          • FeatureUpdatesRollbackWindowInDays
          • BusinessReadyUpdatesOnly
          • AutomaticUpdateMode
          • InstallTime
          • DeadlineForFeatureUpdatesInDays
          • DeadlineForQualityUpdatesInDays
          • DeadlineGracePeriodInDays
          • PostponeRebootUntilAfterDeadline
          • DriversExcluded
          |
          • 6
          • 0
          • 30
          • All
          • WindowsDefault
          • 3
          • 5
          • 2
          • 2
          • False
          • False
          • |
 | Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Broad
            |
            • QualityUpdatesDeferralPeriodInDays
            • FeatureUpdatesDeferralPeriodInDays
            • FeatureUpdatesRollbackWindowInDays
            • BusinessReadyUpdatesOnly
            • AutomaticUpdateMode
            • InstallTime
            • DeadlineForFeatureUpdatesInDays
            • DeadlineForQualityUpdatesInDays
            • DeadlineGracePeriodInDays
            • PostponeRebootUntilAfterDeadline
            • DriversExcluded
            |
            • 9
            • 0
            • 30
            • All
            • WindowsDefault
            • 3
            • 5
            • 5
            • 2
            • False
            • False
            • |
-## Feature update policies
+## Windows feature update policies
 - Windows Autopatch - DSS Policy [Test]
 - Windows Autopatch - DSS Policy [First]
 - Windows Autopatch - DSS Policy [Fast]
 - Windows Autopatch - DSS Policy [Broad]
-- Windows Autopatch - DSS Policy [Windows 11]
+- Modern Workplace DSS Policy [Windows 11]
 | Policy name | Policy description | Value |
 | ----- | ----- | ----- |
@@ -90,7 +92,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Windows Autopatch - DSS Policy [First] | DSS policy for First device group | Assigned to:
              • Modern Workplace Devices-Windows Autopatch-First
              • Modern Workplace - Windows 11 Pre-Release Test Devices
              • |
 | Windows Autopatch - DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Fast

                Exclude from:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                |
 | Windows Autopatch - Policy [Broad] | DSS policy for Broad device group | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Broad

                Exclude from:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                |
-| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                |
+| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                |
 ## Microsoft Office update policies
@@ -103,10 +105,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Policy name | Policy description | Properties | Value |
 | ----- | ----- | ----- | ----- |
 | Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-Test
                2. Modern Workplace Devices-Windows Autopatch-First
                3. Modern Workplace Devices-Windows Autopatch-Fast
                4. Modern Workplace Devices-Windows Autopatch-Broad
                |
                1. Enable Automatic Updates
                2. Hide option to enable or disable updates
                3. Update Channel
                4. Channel Name (Device)
                5. Hide Update Notifications
                6. Update Path
                |
                1. Enabled
                2. Enabled
                3. Enabled
                4. Monthly Enterprise Channel
                5. Disabled
                6. Enabled
                |
-| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-Test
                |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
                1. Enabled;Days(Device) == 0 days
                2. Enabled;Update Deadline(Device) == 7 days
                |
-| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-First
                |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
                1. Enabled;Days(Device) == 0 days
                2. Enabled;Update Deadline(Device) == 7 days
                |
-| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-Fast
                |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
                1. Enabled;Days(Device) == 3 days
                2. Enabled;Update Deadline(Device) == 7 days
                |
-| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
                Assigned to:
                1. Modern Workplace Devices-Windows Autopatch-Broad
                2. |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                  1. Enabled;Days(Device) == 7 days
                  2. Enabled;Update Deadline(Device) == 7 days
                  |
+| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Test
                  |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                  1. Enabled; `Days(Device) == 0 days`
                  2. Enabled; `Update Deadline(Device) == 7 days`
                  |
+| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-First
                  |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                  1. Enabled; `Days(Device) == 0 days`
                  2. Enabled; `Update Deadline(Device) == 7 days`
                  |
+| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Fast
                  |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                  1. Enabled; `Days(Device) == 3 days`
                  2. Enabled; `Update Deadline(Device) == 7 days`
                  |
+| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
                  Assigned to:
                  1. Modern Workplace Devices-Windows Autopatch-Broad
                  2. |
                    1. Delay downloading and installing updates for Office
                    2. Update Deadline
                    |
                    1. Enabled; `Days(Device) == 7 days`
                    2. Enabled; `Update Deadline(Device) == 7 days`
                    |
 ## Microsoft Edge update policies
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
index 85965b7535..47d7aa1795 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Microsoft 365 Apps for enterprise update policies
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
index 09842260a5..01ddeb4f2e 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 # Windows update policies
@@ -26,10 +26,10 @@ The following policies contain settings which apply to both Windows quality and
 | ----- | ----- | ----- | ----- | ----- |
 | Microsoft product updates | Allow | Allow | Allow | Allow |
 | Windows drivers | Allow | Allow | Allow | Allow |
-| Quality update deferral period | 0 | 1 | 6 | 9 |
-| Feature update deferral period | 0 | 0 | 0 | 0 |
+| Windows quality update deferral period | 0 | 1 | 6 | 9 |
+| Windows feature update deferral period | 0 | 0 | 0 | 0 |
 | Upgrade Windows 10 to latest Windows 11 release | No | No | No | No |
-| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
+| Set Windows feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
 | Servicing channel | General availability | General availability | General availability | General availability |
 ### Windows 10 and later user experience settings
@@ -41,8 +41,8 @@ The following policies contain settings which apply to both Windows quality and
 | Option to pause updates | Disable | Disable | Disable | Disable |
 | Option to check for Windows updates | Default | Default | Default | Default |
 | Change notification update level | Default | Default | Default | Default |
-| Deadline for feature updates | 5 | 5 | 5 | 5 |
-| Deadline for quality updates | 0 | 2 | 2 | 5 |
+| Deadline for Windows feature updates | 5 | 5 | 5 | 5 |
+| Deadline for Windows quality updates | 0 | 2 | 2 | 5 |
 | Grace period | 0 | 2 | 2 | 2 |
 | Auto-restart before deadline | Yes | Yes | Yes | Yes |
@@ -53,24 +53,24 @@ The following policies contain settings which apply to both Windows quality and | Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad | | Excluded groups | None | None | None | None | -## Feature update policies +## Windows feature update policies -The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices. +The service deploys policies using Microsoft Intune to control how Windows feature updates are deployed to devices. -### Feature updates for Windows 10 and later +### Windows feature updates for Windows 10 and later These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention: **Modern Workplace DSS Policy [ring name]** -#### Feature update deployment settings +#### Windows feature update deployment settings | Setting name | Test | First | Fast | Broad | | ----- | ----- | ----- | ----- | ----- | | Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | | Rollout options | Immediate start | Immediate start | Immediate start | Immediate start | -#### Feature update policy assignments +#### Windows feature update policy assignments | Setting name | Test | First | Fast | Broad | | ----- | ----- | ----- | ----- | ----- | 
@@ -105,8 +105,8 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de | Allowed policy | Policy CSP | Description | | ----- | ----- | ----- | -| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | Update/ActiveHoursStart | This policy controls the end of the protected window where devices won't reboot.

                    Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | -| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.

                    Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | +| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | Update/ActiveHoursStart | This policy controls the end of the protected window where devices won't restart.

                    Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | +| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't restart.

                    Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | | [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.

                    This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | ### Group policy and other policy managers diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md index b79ce348b0..dc5d2ccde2 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # What's new 2022 @@ -43,7 +43,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Privacy](../references/windows-autopatch-privacy.md) | Updated data center locations

                    • [MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) | +| [Privacy](../overview/windows-autopatch-privacy.md) | Updated data center locations
                      • [MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated multiple sections because of the OMA-URI to Intune Settings Catalog policy migration
                        • [MC443898](https://admin.microsoft.com/adminportal/home#/MessageCenter) | | [Configure your network](../prepare/windows-autopatch-configure-network.md) | Added information on Delivery Optimization | | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | 32 and 64-bit versions are supported | diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index cc3ce24386..abee39860b 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,15 +1,15 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 02/17/2023 +ms.date: 03/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: dougeby -msreviewer: hathind +manager: dougeby +ms.reviewer: hathind --- # What's new 2023 @@ -18,20 +18,44 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## March 2023 + +### March feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) |
                          • Added support for subscription versions of Microsoft Project and Visio desktop apps
                          • Updated device eligibility criteria
                          • Clarified update controls
                          | +| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview
                        • [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                        • | + +### March service release + +| Message center post number | Description | +| ----- | ----- | +| [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public preview - Customize Windows Update settings | + ## February 2023 ### February feature releases or updates | Article | Description | | ----- | ----- | +| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Added [Allow or block Microsoft 365 App updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) section | | [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md#) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version) | | [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility) | | [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) | | [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | -| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section | +| [Privacy](../overview/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic 
data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] | | [Register your devices](../deploy/windows-autopatch-register-devices.md) |
                          • Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section
                          • Added more information about assigning less-privileged user accounts
                          | +### February service release + +| Message center post number | Description | +| ----- | ----- | +| [MC521882](https://admin.microsoft.com/adminportal/home#/MessageCenter) | February 2023 Windows Autopatch baseline configuration update | +| [MC517330](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Ability to opt out of Microsoft 365 App updates | +| [MC517327](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned service maintenance downtime for European Union (EU) Windows Autopatch customers enrolled before November 8, 2022 | + ## January 2023 ### January feature releases or updates diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 7e8bbc7ba7..4ca53207b6 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -7,8 +7,7 @@ ms.technology: itpro-deploy ms.localizationpriority: medium author: frankroj ms.author: frankroj -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.topic: tutorial ms.date: 10/28/2022 --- 
@@ -400,7 +399,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B ### Autopilot registration using Intune -1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. ![Intune device import.](images/enroll1.png) @@ -456,7 +455,7 @@ Pick one: The Autopilot deployment profile wizard asks for a device group, so you must create one first. To create a device group: -1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**. +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**. 2. In the **Group** pane: 1. For **Group type**, choose **Security**. 
@@ -605,7 +604,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n ### Delete (deregister) Autopilot device -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. > [!div class="mx-imgBorder"] > ![Delete device step 1.](images/delete-device1.png) diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml index 567e5d62a8..82cba08343 100644 --- a/windows/deployment/windows-autopilot/index.yml +++ b/windows/deployment/windows-autopilot/index.yml @@ -9,8 +9,7 @@ metadata: ms.topic: landing-page ms.prod: windows-client ms.technology: itpro-deploy - ms.collection: - - highpri + ms.collection: highpri, tier1 author: frankroj ms.author: frankroj manager: aaroncz diff --git a/windows/hub/index.yml b/windows/hub/index.yml index aa9a8e5a92..34186301e4 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml 
@@ -233,9 +233,9 @@ additionalContent: url: /mem/endpoint-manager-overview - text: What is Microsoft Intune? url: /mem/intune/fundamentals/what-is-intune - - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11 + - text: Microsoft Intune services simplify upgrades to Windows 11 url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886 - - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager + - text: Understanding readiness for Windows 11 with Microsoft Intune services url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866 - text: Microsoft endpoint management blog url: https://aka.ms/memblog diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 2e0e69b856..b0975595c9 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -2164,7 +2164,7 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID - **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier 
@@ -5030,12 +5030,27 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly. +The following fields are available: - -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly. - +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. 
+- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index 62bff63b9e..76b11fdfd5 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -36,10 +36,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - - - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -1287,7 +1283,6 @@ The following fields are available: - **objectInstanceId** Object identity which is unique within the device scope. - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - ## Component-based servicing events 
@@ -1715,6 +1710,18 @@ The following fields are available:
 
 ## Holographic events
 
+### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated
+
+This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **IsForCompositor** True/False to indicate whether the holographic space is for compositor process.
+- **Source** An enumeration indicating the source of the log.
+- **WindowInstanceId** Unique value for each window instance.
+
+
 ### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated
 
 This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
@@ -2196,6 +2203,33 @@ The following fields are available:
 - **resultCode** HR result of the cancellation.
 
 
+## Other events
+
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
+
+This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
+
+
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
+
+This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **EventHistory** Unique number of event history.
+- **ExternalComponentState** State of external component.
+- **LastEvent** Unique number of last event.
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
+
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -2405,6 +2439,22 @@ The following fields are available:
 
 ## Update events
 
+### Update360Telemetry.FellBackToDownloadingAllPackageFiles
+
+This event indicates whether a failure occurred during Missing File List generation and is applicable to Quality Update downloads.
+
+The following fields are available:
+
+- **ErrorCode** Error code returned during Missing File List generation.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique ID for each flight.
+- **Package** Name of the package for which Missing File List generation failed and we fell back to downloading all package files.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each Update.
+
+
 ### Update360Telemetry.UpdateAgentDownloadRequest
 
 This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
@@ -3323,6 +3373,29 @@ The following fields are available:
 This event is derived event results for the LaunchPageDuration scenario.
 
 
+
+### Microsoft.Windows.Update.WUClient.DownloadPaused
+
+This event is fired when the Download stage is paused.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **HandlerInfo** Blob of Handler related information.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **Props** Commit Props {MergedUpdate}
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UusVersion** The version of the Update Undocked Stack.
+
+
 ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
 
 This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
@@ -3375,4 +3448,4 @@ The following fields are available: - **ScenarioSupported** Whether the updated scenario that was passed in was supported. - **SessionId** The UpdateAgent “SessionId” value. - **UpdateId** Unique identifier for the Update. -- **WuId** Unique identifier for the Windows Update client. +- **WuId** Unique identifier for the Windows Update client. \ No newline at end of file diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 4ef29c2463..2c8573d89d 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -1916,7 +1916,11 @@ Fires at the beginning and end of the HVCI auto-enablement process in sysprep. The following fields are available: -- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. +- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciAlreadyEnabled + +Fires when HVCI is already enabled so no need to continue auto-enablement. ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed @@ -2160,6 +2164,7 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. + ## Common data fields ### Ms.Device.DeviceInventoryChange 
@@ -2174,6 +2179,7 @@ The following fields are available: - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + ## Component-based servicing events ### CbsServicingProvider.CbsCapabilityEnumeration @@ -3032,6 +3038,18 @@ The following fields are available: - **Version** The version number of the program. +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component +- **ProgramIds** The unique program identifier the driver is associated with + + ### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. The data collected with this event is used to keep Windows performing properly. @@ -3420,12 +3438,6 @@ This event sends details collected for a specific application on the source devi -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly. - - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd This event provides basic information about active memory slots on the device. 
@@ -3758,6 +3770,17 @@ The following fields are available:
 
 ## Migration events
 
+### Microsoft.Windows.MigrationCore.MigObjectCountDLSys
+
+This event is used to indicate object count for system paths during different phases of Windows feature update.
+
+The following fields are available:
+
+- **migDiagSession->CString** Indicates the phase of the update.
+- **objectCount** Number of files being tracked for the corresponding phase of the update.
+- **sfInfo.Name** This indicates well know folder location path (Ex: PUBLIC_downloads etc.)
+
+
 ### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
 
 This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
@@ -6143,6 +6166,26 @@ The following fields are available:
 - **updateId** Unique identifier for each update.
 
 
+### Microsoft.Windows.Update.NotificationUx.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows secure and up-to-date by indicating when a reboot is scheduled by the system or a user for a security, quality, or feature update.
+
+The following fields are available:
+
+- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device.
+- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours.
+- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically).
+- **rebootState** The current state of the restart.
+- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler.
+- **revisionNumber** Revision number of the update that is getting installed with this restart.
+- **scheduledRebootTime** Time of the scheduled restart.
+- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time.
+- **updateId** ID of the update that is getting installed with this restart.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
 ### Microsoft.Windows.Update.Orchestrator.Client.BizCriticalStoreAppInstallResult
 
 This event returns the result after installing a business critical store application. The data collected with this event is used to help keep Windows secure and up to date.
@@ -6231,7 +6274,6 @@ The following fields are available: - **uptimeMinutes** Duration USO for up for in the current boot session. - **wilActivity** Wil Activity related information. - ### Microsoft.Windows.Update.WUClientExt.UUSLoadModuleFailed This is the UUSLoadModule failed event and is used to track the failure of loading an undocked component. The data collected with this event is used to help keep Windows up to date and secure. 
@@ -6345,6 +6387,27 @@ The following fields are available:
 - **WuId** Unique ID for the Windows Update client.
 
 
+### Mitigation360Telemetry.MitigationCustom.CryptcatsvcRebuild
+
+This event sends data specific to the CryptcatsvcRebuild mitigation used for OS Updates. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** The unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationNeeded** Information on whether the mitigation was needed.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **ServiceDisabled** Information on whether the service was disabled.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Update.
+- **WuId** Unique ID for the Windows Update client.
+
+
 ### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints
 
 This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date.
@@ -6468,7 +6531,7 @@ The following fields are available: - **TargetUserFreeSpace** The target user free space that was passed into the reserve manager to determine reserve sizing post upgrade. - **UpdateScratchFinalUsedSpace** The used space in the scratch reserve. - **UpdateScratchInitialUsedSpace** The utilization of the scratch reserve after initialization. -- **UpdateScratchReserveFinalSize** The utilization of the scratch reserve after initialization. +- **UpdateScratchReserveFinalSize** The final size of the scratch reserve. - **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization. @@ -6511,8 +6574,6 @@ The following fields are available: This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. The data collected with this event is used to help keep Windows secure and up to date. - - ### Microsoft.Windows.UpdateReserveManager.TurnOffReserves This event is sent when the Update Reserve Manager turns off reserve functionality for certain operations. The data collected with this event is used to help keep Windows secure and up to date. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 8b787d70e3..a001e395da 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1227,8 +1227,8 @@ The following fields are available: - **CpuStepping** Cpu stepping. - **CpuVendor** Cpu vendor. - **PlatformId** CPU platform identifier. -- **ProcessorName** OEM processor name. -- **ProductName** OEM product name. +- **ProcessorName** The name of the processor. +- **ProductName** The name of the product. - **SysReqOverride** Appraiser decision about system requirements override. 
@@ -2474,6 +2474,7 @@ The following fields are available: - **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. + ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed Fires when driver scanning fails to get results. 
@@ -3113,6 +3114,290 @@ The following fields are available: ## Direct to update events +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. 
+- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. 
+- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. 
+- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **CV_new** New correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date. 
+ +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckIfCoordinatorMinApplicableVersion call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. 
+- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded + +This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. 
+ + ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess This event indicates that the Handler Download and Extract cab call succeeded. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -3125,6 +3410,193 @@ The following fields are available: - **CV** Correlation vector. +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. 
The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. 
+- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEnteringState + +This event indicates that DTUNotificationUX has started processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** The coordinator version of Direct To Update. +- **CV** Correlation vector. +- **State** State of the workflow. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEvaluationError + +This event indicates that Applicability DLL failed on a test. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **FailedTest** The enumeration code of the test that failed. +- **HRESULT** An error (if any) that occurred. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXExitingState + +This event indicates that DTUNotificationUX has stopped processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. 
+- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **HRESULT** Error (if any) that occurred. +- **NextState** Next workflow state we will enter. +- **State** The state of the workflow. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFinalAcceptDialogDisplayed + +This event indicates that the Final Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot. +- **HRESULT** Error (if any) that occurred. +- **UserResponse** The enumeration code indicating the user response to a dialog. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFirstAcceptDialogDisplayed + +This event indicates that the First Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot. +- **HRESULT** Error (if any) that occurred. +- **UserResponse** Enumeration code indicating the user response to a dialog. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXLaunch + +This event indicates that DTUNotificationUX has launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. 
+- **ClientID** The ID of the client being run. +- **CommandLine** Command line passed to DTUNotificationUX. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + ## DISM events ### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU 
@@ -3727,6 +4199,35 @@ The following fields are available: - **devinv** The file version of the Device inventory component. +### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd + +This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **CatalogSigners** Signers from catalog. Each signer starts with Chain. +- **DigestAlgorithm** The pseudonymizing (hashing) algorithm used when the file or package was signed. +- **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package. +- **EmbeddedSigners** Embedded signers. Each signer starts with Chain. +- **FileName** The file name of the file whose signatures are listed. +- **FileType** Either exe or sys, depending on if a driver package or application executable. +- **InventoryVersion** The version of the inventory file generating the events. +- **Thumbprint** Comma separated hash of the leaf node of each signer. Semicolon is used to separate CatalogSigners from EmbeddedSigners. There will always be a trailing comma. + + +### Microsoft.Windows.Inventory.Core.FileSigningInfoStartSync + +The FileSigningInfoStartSync event indicates that a new set of FileSigningInfoAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. 
+ + ### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date. @@ -4215,12 +4716,6 @@ This event sends details collected for a specific application on the source devi -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly. - - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd This event provides basic information about active memory slots on the device. 
@@ -4571,12 +5066,12 @@ The following fields are available: - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. - **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. -- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. E.g. Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z -- **appPingEventDownloadMetricsCdnCache** Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) E.g. HIT from proxy.domain.tld, MISS from proxy.local +- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z. +- **appPingEventDownloadMetricsCdnCache** Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) For example, HIT from proxy.domain.tld, MISS from proxy.local. - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. 
-- **appPingEventDownloadMetricsCdnMSEdgeRef** Used to help correlate client-to-AFD (Azure Front Door) conversations. E.g. Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z -- **appPingEventDownloadMetricsCdnP3P** Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. E.g. CP=\"CAO PSA OUR\" +- **appPingEventDownloadMetricsCdnMSEdgeRef** Used to help correlate client-to-AFD (Azure Front Door) conversations. For example, Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z. +- **appPingEventDownloadMetricsCdnP3P** Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. For example, CP=\"CAO PSA OUR\". - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. - **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. - **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. 
@@ -6365,7 +6860,7 @@ The following fields are available: - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager. - **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is managed by Windows Update for Business. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device ismanaged by Windows Update for Business. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is managed by Windows Update for Business. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. @@ -8282,7 +8777,7 @@ The following fields are available: - **seekerUpdateIdList** The list of “seeker” update identifiers. - **seekerUpdateList** The list of “seeker” updates. - **services** The list of services that were called during update. -- **wilActivity** The activity results. +- **wilActivity** The activity results. ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded 
@@ -8737,6 +9232,16 @@ The following fields are available: - **ResultId** The final result of the interaction campaign. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSDownloadAndExtractCabResult + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) attempted DownloadAndExtractCab. + +The following fields are available: + +- **failureReason** The failure reason returned by DownloadAndExtractCab. +- **hrResult** Error encountered (if any) during download and extract CAB step. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -8784,6 +9289,27 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHBeginPresentation + +This event is generated when RUXIM is about to present an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying interaction campaign being presented. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEndPresentation + +This event is generated when Interaction Handler completes presenting an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrPresentation** Error, if any, occurring during the presentation. +- **InteractionCampaignID** GUID identifying the interaction campaign being presented. +- **ResultId** Result generated by the presentation. +- **WasCompleted** True if the interaction campaign is now considered complete. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. @@ -8833,7 +9359,7 @@ The following fields are available: - **PresentationCount** Number of times the interaction campaign has been presented. - **ResultId** The result ID currently recorded for the interaction campaign. - **StateCreationTime** Time the state was created. -- **StateModificationTime** Time the state was last modified. +- **StateModificationTime** Time the state was last modified. - **ThrottlingRoll** Randomly generated throttling roll for the interaction campaign. 
@@ -9023,7 +9549,7 @@ The following fields are available: - **TargetUserFreeSpace** The target user free space that was passed into the reserve manager to determine reserve sizing post upgrade. - **UpdateScratchFinalUsedSpace** The used space in the scratch reserve. - **UpdateScratchInitialUsedSpace** The utilization of the scratch reserve after initialization. -- **UpdateScratchReserveFinalSize** The utilization of the scratch reserve after initialization. +- **UpdateScratchReserveFinalSize** The final size of the scratch reserve. - **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization. @@ -9184,4 +9710,4 @@ The following fields are available: - **videoResolution** Video resolution to use. - **virtualMachineName** VM name. - **waitForClientConnection** True if we should wait for client connection. -- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled. +- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled. \ No newline at end of file diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 9f840b293a..38c4f1639f 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -162,7 +162,21 @@ - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) href: information-protection/personal-data-encryption/faq-pde.yml - name: Configure Personal Data Encryption (PDE) in Intune - href: information-protection/personal-data-encryption/configure-pde-in-intune.md + items: + - name: Configure Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/configure-pde-in-intune.md + - name: Enable Personal Data Encryption (PDE) + href: information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md + - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md + - name: Disable kernel-mode crash dumps and live dumps for PDE + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md + - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md + - name: Disable hibernation for PDE + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md + - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md - name: Configure S/MIME for Windows href: identity-protection/configure-s-mime.md - name: Network security 
@@ -385,19 +399,19 @@ href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md - name: Smart Card Events href: identity-protection/smart-cards/smart-card-events.md - - name: Virtual Smart Cards + - name: Virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md items: - - name: Understanding and Evaluating Virtual Smart Cards + - name: Understand and evaluate virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md items: - - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" + - name: Get started with virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md - - name: Use Virtual Smart Cards + - name: Use virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy Virtual Smart Cards + - name: Deploy virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate Virtual Smart Card Security + - name: Evaluate virtual smart card security href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md - name: Tpmvscmgr href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md diff --git a/windows/security/apps.md b/windows/security/apps.md index 6ae3789ec4..cbf8e3d5c8 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md 
@@ -1,21 +1,21 @@ --- title: Windows application security -description: Get an overview of application security in Windows 10 and Windows 11 +description: Get an overview of application security in Windows ms.reviewer: manager: aaroncz -ms.author: dansimp -author: dansimp +ms.author: paoloma +author: paolomatarazzo ms.prod: windows-client ms.technology: itpro-security -ms.date: 12/31/2017 +ms.date: 03/09/2023 ms.topic: article --- # Windows application security -Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security. +Cyber-criminals regularly gain access to valuable data by hacking applications. This can include *code injection* attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security. -The following table summarizes the Windows security features and capabilities for apps:

                          +The following table summarizes the Windows security features and capabilities for apps: | Security Measures | Features & Capabilities | |:---|:---| 
@@ -23,4 +23,5 @@ The following table summarizes the Windows security features and capabilities fo | Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | | Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](threat-protection\windows-sandbox\windows-sandbox-overview.md) | Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) | -| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. 
Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | + diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 27db0f26ae..6d99441988 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table:
                          Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

                          To learn more, see [Mobile device management](/windows/client-management/mdm/). | -| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

                          The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

                          To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

                          The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

                          To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

                          The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

                          If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

                          With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

                          To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | diff --git a/windows/security/docfx.json b/windows/security/docfx.json index ceef5206ad..0310c13313 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -68,15 +68,28 @@ }, "fileMetadata": { "author":{ - "identity-protection/**/*.md": "paolomatarazzo" + "identity-protection/**/*.md": "paolomatarazzo", + "threat-protection/windows-firewall/**/*.md": "aczechowski" }, "ms.author":{ - "identity-protection/**/*.md": "paoloma" + "identity-protection/**/*.md": "paoloma", + "threat-protection/windows-firewall/*.md": "aaroncz" }, "ms.reviewer":{ "identity-protection/hello-for-business/*.md": "erikdau", "identity-protection/credential-guard/*.md": "zwhittington", - "identity-protection/access-control/*.md": "sulahiri" + "identity-protection/access-control/*.md": "sulahiri", + "threat-protection/windows-firewall/*.md": "paoloma" + }, + "ms.collection":{ + "identity-protection/hello-for-business/*.md": "tier1", + "information-protection/bitlocker/*.md": "tier1", + "information-protection/personal-data-encryption/*.md": "tier1", + "information-protection/pluton/*.md": "tier1", + "information-protection/tpm/*.md": "tier1", + "threat-protection/auditing/*.md": "tier3", + "threat-protection/windows-defender-application-control/*.md": "tier3", + "threat-protection/windows-firewall/*.md": "tier3" } }, "template": [], diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md index 262ed05694..781c1f164d 100644 --- a/windows/security/encryption-data-protection.md +++ b/windows/security/encryption-data-protection.md @@ -1,7 +1,6 @@ --- title: Encryption and data protection in Windows description: Get an overview encryption and data protection in Windows 11 and Windows 10 -search.appverid: MET150 author: frankroj ms.author: frankroj manager: aaroncz 
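Review bot: In the docfx.json hunk the new `ms.author` entry uses the glob `threat-protection/windows-firewall/*.md` while the paired `author` entry uses `threat-protection/windows-firewall/**/*.md`, so any markdown file in a subfolder of windows-firewall would receive an `author` from this map but no `ms.author` (and likewise no `ms.reviewer` or `ms.collection`, which use the same non-recursive glob). The existing identity-protection pair in the same block uses `**/*.md` for both keys, so the firewall pair should match: `"threat-protection/windows-firewall/**/*.md": "aaroncz"`, and the same `**/` form on the `ms.reviewer` and `ms.collection` entries if they are meant to cover the whole folder tree. If windows-firewall currently has no subfolders this is harmless today, but the four globs will silently diverge the first time one is added.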
@@ -9,9 +8,6 @@ ms.topic: overview ms.date: 09/22/2022 ms.prod: windows-client ms.technology: itpro-security -ms.localizationpriority: medium -ms.collection: -ms.custom: ms.reviewer: rafals --- diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 0f1ca8d5c4..4ddce5cb4e 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -29,14 +29,14 @@ Object owners generally grant permissions to security groups rather than to indi This content set contains: -- [Dynamic Access Control Overview](dynamic-access-control.md) -- [Security identifiers](security-identifiers.md) -- [Security Principals](security-principals.md) +- [Dynamic Access Control Overview](/windows-server/identity/solution-guides/dynamic-access-control-overview) +- [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers) +- [Security Principals](/windows-server/identity/ad-ds/manage/understand-security-principals) - [Local Accounts](local-accounts.md) - - [Active Directory Accounts](active-directory-accounts.md) - - [Microsoft Accounts](microsoft-accounts.md) - - [Service Accounts](service-accounts.md) - - [Active Directory Security Groups](active-directory-security-groups.md) + - [Active Directory Accounts](/windows-server/identity/ad-ds/manage/understand-default-user-accounts) + - [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts) + - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts) + - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups) ## Practical applications 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif deleted file mode 100644 index fb60cd5599..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png deleted file mode 100644 index 93e5e8e098..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png deleted file mode 100644 index 7aad6b6a7b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png deleted file mode 100644 index 2b6c1394b9..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png deleted file mode 100644 index 65508e5cf4..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png deleted file mode 100644 index 4653a66f29..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png deleted file mode 100644 index b4e379a357..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png deleted file mode 100644 index c725fd4f55..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png deleted file mode 100644 index 999303a2d6..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png deleted file mode 100644 index b80fc69397..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png deleted file mode 100644 index 412f425ccf..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png deleted file mode 100644 index b80fc69397..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png deleted file mode 100644 index b2f6d3e1e2..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png deleted file mode 100644 index 8dda5403cf..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png deleted file mode 100644 index e96b26abe1..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif b/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif deleted file mode 100644 index d8a4d99dd2..0000000000 Binary files a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/corpnet.gif b/windows/security/identity-protection/access-control/images/corpnet.gif deleted file mode 100644 index f76182ee25..0000000000 Binary files a/windows/security/identity-protection/access-control/images/corpnet.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png deleted file mode 100644 index e70fa02c92..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png deleted file mode 100644 index 085993f92c..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png deleted file mode 100644 index 282cdb729d..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png deleted file mode 100644 index 89fc916400..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png deleted file mode 100644 index d8d5af1336..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png deleted file mode 100644 index ba3f15f597..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png deleted file mode 100644 index 2d44e29e1b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png deleted file mode 100644 index 89136d1ba0..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png deleted file mode 100644 index f2d3a7596b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg b/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg deleted file mode 100644 index cd7d341065..0000000000 Binary files a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg and /dev/null differ diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 5a35d2853f..f6baab162b 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -4,6 +4,7 @@ description: Learn how to secure and manage access to the resources on a standal ms.date: 12/05/2022 ms.collection: - highpri + - tier2 ms.topic: article appliesto: - ✅ Windows 10 and later diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index ebee2bafa4..a4f523f78b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -4,6 +4,7 @@ description: Learn how to deploy and manage Windows Defender Credential Guard us ms.date: 11/23/2022 ms.collection: - highpri + - tier2 ms.topic: article appliesto: - ✅ Windows 10 and later 
@@ -66,7 +67,7 @@ To enforce processing of the group policy, you can run `gpupdate /force`. ### Enable Windows Defender Credential Guard by using Microsoft Intune -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**. 1. Select **Configuration Profiles**. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md deleted file mode 100644 index 5051ce94cd..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ /dev/null @@ -1,494 +0,0 @@ ---- -title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows) -description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. -ms.date: 11/22/2022 -ms.topic: reference -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ---- - -# Windows Defender Credential Guard: scripts for certificate authority issuance policies - -Expand each section to see the PowerShell scripts: - -
                          -
                          -Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. -help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity -write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. - -
                          - -
                          -
                          -Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it? 
-OUCreationSuccess = Organizational Unit "{0}" successfully created. -OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. -ExitNoLinkReplacement = Exiting without setting the new link. 
-'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq $null) { -# default to the Users container -$groupContainer = 
$domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adgroup -samAccountName $groupName -path 
$groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) { -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in 
$members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. - -
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 6548d02f17..0ab05c22ab 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -5,6 +5,7 @@ ms.date: 11/22/2022
 ms.topic: article
 ms.collection:
 - highpri
+ - tier2
 appliesto:
 - ✅ Windows 10 and later
 - ✅ Windows Server 2016 and later
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 33c5c76b9f..1ca04993a0 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,104 +1,108 @@ --- -title: Multi-factor Unlock -description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. -ms.date: 03/20/2018 +title: Multi-factor unlock +description: Learn how Windows offers multi-factor device unlock by extending Windows Hello with trusted signals. +ms.date: 03/09/2023 appliesto: - ✅ Windows 10 and later -ms.topic: article +ms.topic: how-to --- -# Multi-factor Unlock +# Multi-factor unlock Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim. +Windows Hello for Business can be configured with *multi-factor unlock*, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock them. -Which organizations can take advantage of Multi-factor unlock? Those who: +Multi-factor unlock is ideal for organizations that: -- Have expressed that PINs alone do not meet their security needs +- Have expressed that PINs alone don't meet their security needs - Want to prevent Information Workers from sharing credentials - Want their organizations to comply with regulatory two-factor authentication policy - Want to retain the familiar Windows sign-in user experience and not settle for a custom solution - -You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. 
-## The Basics: How it works +## How it works -First unlock factor credential provider and Second unlock credential provider are responsible for the bulk of the configuration. Each of these components contains a globally unique identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credential provider from each category before Windows allows the user to proceed to their desktop. +**First unlock factor credential provider** and **Second unlock credential provider** are responsible for the bulk of the configuration. Each of these components contains a globally unique identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credential provider from each category before Windows allows the user to proceed to their desktop. The policy setting has three components: -* First unlock factor credential provider -* Second unlock factor credential provider -* Signal rules for device unlock -## Configuring Unlock Factors +- First unlock factor credential provider +- Second unlock factor credential provider +- Signal rules for device unlock -The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. +## Configure unlock factors -Supported credential providers include: +The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. + +Supported credential providers include: |Credential Provider| GUID| |:------------------|:----| -|PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}| -|Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}| -|Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}| -|Trusted Signal
                          (Phone proximity, Network location) | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}| +|PIN| `{D6886603-9D2F-4EB2-B667-1971041FA96B}`| +|Fingerprint| `{BEC09223-B018-416D-A0AC-523971B639F5}`| +|Facial Recognition| `{8AF662BF-65A0-4D0A-A540-A338A999D36F}`| +|Trusted Signal
                          (Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`| >[!NOTE] >Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. The default credential providers for the **First unlock factor credential provider** include: -* PIN -* Fingerprint -* Facial Recognition + +- PIN +- Fingerprint +- Facial Recognition The default credential providers for the **Second unlock factor credential provider** include: -* Trusted Signal -* PIN -Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, remember that a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers do not need to be in any specific order. +- Trusted Signal +- PIN -For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor. However, whichever factor they used to satisfy the first unlock factor cannot be used to satisfy the second unlock factor. Each factor can therefore be used exactly once. The Trusted Signal provider can *only* be specified as part of the Second unlock factor credential provider list. +Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers don't need to be in any specific order. +For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor. Whichever factor you use to satisfy the first unlock factor can't be used to satisfy the second unlock factor. 
Each factor can therefore be used exactly once. The Trusted Signal provider can *only* be specified as part of the Second unlock factor credential provider list. ## Configure Signal Rules for the Trusted Signal Credential Provider The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. ### Rule element -You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0. -**Example** +You represent signal rules in XML. Each signal rule has a starting and ending `rule` element that contains the `schemaVersion` attribute and value. The current supported schema version is `1.0`. + +#### Example + ```xml ``` ### Signal element -Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 or later supports the **ipConfig** and **bluetooth** type values. +Each rule element has a `signal` element. All signal elements have a `type` element and `value`. The values supported are: -|Attribute|Value| -|---------|-----| -| type| "bluetooth" or "ipConfig" (Windows 10, version 1709) or later| -| type| "wifi" (Windows 10, version 1803 or later) +- bluetooth +- ipConfig +- wifi #### Bluetooth -You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". + +You define the bluetooth signal with more attributes in the signal element. The bluetooth configuration doesn't use any other elements. You can end the signal element with short ending tag `/>`. 
|Attribute|Value|Required| |---------|-----|--------| -|type|"bluetooth"|yes| -|scenario|"Authentication"|yes| +|type|`bluetooth`|yes| +|scenario|`Authentication`|yes| |classOfDevice|"*number*"|no| |rssiMin|"*number*"|no| |rssiMaxDelta|"*number*"|no| -**Example** +For example: + ```xml ``` + The **classofDevice** attribute defaults to Phone and uses the values from the following table: |Description|Value| 
@@ -115,20 +119,21 @@ The **classofDevice** attribute defaults to Phone and uses the values from the f |Health|2304| |Uncategorized|7936| -The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. +The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. -RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. +RSSI measurements are relative, and lower as the bluetooth signals between the two paired devices reduces. A measurement of 0 is stronger than -10. A measurement of -10 is stronger than -60, and indicates that the devices are moving further apart from each other. >[!IMPORTANT] ->Microsoft recommends using the default values for this policy setting. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values. 
+>Microsoft recommends using the default values for this policy setting. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values. #### IP Configuration -You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements. + +You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements don't have attributes or nested elements. ##### IPv4Prefix -The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element. -**Example** +The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element. For example: + ```xml 192.168.100.0/24 ``` 
@@ -136,22 +141,23 @@ The IPv4 network prefix represented in Internet standard dotted-decimal notation
 The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration.
 ##### IPv4Gateway
-The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
-**Example**
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element. For example:
+
 ```xml
 192.168.100.10
 ```
 ##### IPv4DhcpServer
-The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
-**Example**
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element. For example:
+
 ```xml
 192.168.100.10
 ```
 ##### IPv4DnsServer
+
 The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
 **Example:**
@@ -160,87 +166,88 @@ The IPv4 DNS server represented in Internet standard dotted-decimal notation. A
 ```
 ##### IPv6Prefix
-The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
-**Example**
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element. For example:
+
 ```xml
 21DA:D3::/48
 ```
 ##### IPv6Gateway
-The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
-**Example**
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element. For example:
+
 ```xml
 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
 ```
 ##### IPv6DhcpServer
-The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
-**Example**
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. 
A **signal** element may only contain one **ipv6DhcpServer** element. For example: + ```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%221DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` ##### dnsSuffix -The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements. -**Example** +The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements. For example: + ```xml corp.contoso.com ``` #### Wi-Fi -**Applies to:** -- Windows 10, version 1803 or later +You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements don't have attributes or nested elements. -You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. +##### SSID -#### SSID -Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required. +Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required. For example: ```xml corpnetwifi ``` -#### BSSID -Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional. +##### BSSID + +Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional. For example: -**Example** ```xml 12-ab-34-ff-e5-46 ``` -#### Security -Contains the type of security the client uses when connecting to the wireless network. 
The security element is required and must contain one of the following values:
+##### Security
+
+Contains the type of security the client uses when connecting to the wireless network. The security element is required and must contain one of the following values:
 |Value | Description|
 |:----:|:-----------|
-|Open| The wireless network is an open network that does not require any authentication or encryption.|
+|Open| The wireless network is an open network that doesn't require any authentication or encryption.|
 |WEP| The wireless network is protected using Wired Equivalent Privacy.|
 |WPA-Personal| The wireless network is protected using Wi-Fi Protected Access.|
 |WPA-Enterprise| The wireless network is protected using Wi-Fi Protected Access-Enterprise.|
 |WPA2-Personal| The wireless network is protected using Wi-Fi Protected Access 2, which typically uses a pre-shared key.|
 |WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.|
-**Example**
+For example:
+
 ```xml
 WPA2-Enterprise
 ```
-#### TrustedRootCA
-Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
-**Example**
+#### TrustedRootCA
+
+Contains the thumbprint of the trusted root certificate of the wireless network. You can use any valid trusted root certificate. The value is represented as hexadecimal string, where each byte in the string is separated by a single space. The element is optional. For example:
+
 ```xml
 a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa
 ```
@@ -248,17 +255,20 @@ Contains the thumbprint of the trusted root certificate of the wireless network.
 #### Sig_quality
 Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
-**Example**
+For example:
+
 ```xml
 80
 ```
-
+
 ### Sample Trusted Signal Configurations
-These examples are wrapped for readability. Once properly formatted, the entire XML contents must be a single line.
+>[!IMPORTANT]
+> These examples are wrapped for readability. Once properly formatted, the entire XML contents must be a single line.
 #### Example 1
-This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements.
+
+The following example configures an **IPConfig** signal type using **Ipv4Prefix**, **Ipv4DnsServer**, and **DnsSuffix** elements.
 ```xml
@@ -267,30 +277,31 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, 10.10.0.1 10.10.0.2 corp.contoso.com - + ``` - #### Example 2 -This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. + +The following example configures an **IpConfig** signal type using a **dnsSuffix** element and a **bluetooth** signal for phones. The example implies that either the IpConfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. >[!NOTE] >Separate each rule element using a comma. ```xml - - corp.contoso.com - + + corp.contoso.com + , - + ``` #### Example 3 -This example configures the same as example 2 using compounding And elements. This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. + +The following example configures the same as example 2 using compounding `and` elements. The example implies that the IpConfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. ```xml 
@@ -303,69 +314,54 @@ This example configures the same as example 2 using compounding And elements. T ``` -#### Example 4 -This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or later) +#### Example 4 + +The following example configures **Wi-Fi** as a trusted signal. ```xml - - - contoso - 12-ab-34-ff-e5-46 - WPA2-Enterprise - a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa - 80 - - + + + contoso + 12-ab-34-ff-e5-46 + WPA2-Enterprise + a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa + 80 + + ``` -## Deploying Multifactor Unlock +## Deploy Multifactor Unlock >[!IMPORTANT] >You need to remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). -### How to configure Multifactor Unlock policy settings - -You need at least a Windows 10, version 1709 or later workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1709 or later. - -Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. 
-
 ### Create the Multifactor Unlock Group Policy object
 The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
 >[!IMPORTANT]
-> * PIN **must** be in at least one of the groups
-> * Trusted signals **must** be combined with another credential provider
-> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both.
-> * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](/windows/client-management/mdm/passportforwork-csp) for more information.
+>
+> - PIN **must** be in at least one of the groups
+> - Trusted signals **must** be combined with another credential provider
+> - You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both
+> - The multifactor unlock feature is also supported via the Passport for Work CSP. For more information, see [Passport For Work CSP](/windows/client-management/mdm/passportforwork-csp).
-1. Start the **Group Policy Management Console** (gpmc.msc).
+1. Start the **Group Policy Management Console** (`gpmc.msc`).
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+1. Right-click **Group Policy object** and select **New**.
+1. Type *Multifactor Unlock* in the name box and select **OK**.
+1. In the content pane, right-click the **Multifactor Unlock** Group Policy object and select **Edit**.
+1. In the navigation pane, expand **Policies** under **Computer Configuration**.
+1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
+ ![Group Policy Editor.](images/multifactorUnlock/gpme.png)
+1. 
In the content pane, open **Configure device unlock factors**. Select **Enable**. The **Options** section populates the policy setting with default values.
+ ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png)
+1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors).
+1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider).
+1. Select **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+## Troubleshoot
-3. Right-click **Group Policy object** and select **New**.
-
-4. Type *Multifactor Unlock* in the name box and click **OK**.
-
-5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
-
-6. In the navigation pane, expand **Policies** under **Computer Configuration**.
-
-7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
-
- ![Group Policy Editor.](images/multifactorUnlock/gpme.png)
-
-8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png)
-
-9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
-
-10. 
If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider).
-
-11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
-
-## Troubleshooting
 Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
 ### Events
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 25100512b3..fa405ca079 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -49,7 +49,7 @@ We recommend that you disable or manage Windows Hello for Business provisioning
 The following method explains how to disable Windows Hello for Business enrollment using Intune.
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
 3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 32dc3ba63e..6607d17abb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,23 +1,23 @@
 ---
-title: Having enough Domain Controllers for Windows Hello for Business deployments
-description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
-ms.date: 08/20/2018
+title: Plan an adequate number of Domain Controllers for Windows Hello for Business deployments
+description: Learn how to plan for an adequate number of Domain Controllers to support Windows Hello for Business deployments.
+ms.date: 03/10/2023
 appliesto:
 - ✅ Windows 10 and later
 - ✅ Windows Server 2016 and later
-ms.topic: article
+ms.topic: conceptual
 ---
-# Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
+# Plan an adequate number of Domain Controllers for Windows Hello for Business deployments
 > [!NOTE]
->There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
+>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044).
 ## How many is adequate
 How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged. Windows 10 or Windows 11 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. 
This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller.
-
+
 Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding a domain controller that supports public key mapping (in this case Windows Server 2016 or later) to a deployment of existing domain controllers which do not support public key mapping (Windows Server 2008R2, Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following: 
@@ -55,7 +55,7 @@ The preceding was an example to show why it's unrealistic to have a "one-size-fi
 ## Determining total AS Request load
 Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this.
-
+
 Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust. Pick a time when authentication traffic is most significant--Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site. Collect KDC AS Requests performance counters for two hours:
 - A half-hour before you expect initial authentication (sign-ins and unlocks) to be significant
@@ -72,15 +72,15 @@ Aggregate the performance data of all domain controllers. Look for the maximum K
 Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiply the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business.
-
+
 ## Monitoring Authentication
 Using the same methods described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016 or newer. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. It gives you a baseline for your environment to where you can form a statement such as: ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
-Where *n* equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. 
Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
-
+Where *n* equals the number of clients you switched to Windows Hello for Business and *x* equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
+
 Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 or newer domain controllers. If there is only one Windows Server 2016 or newer domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. 
@@ -88,9 +88,9 @@ Increasing the number of domain controllers distributes the volume of authentica
 ## Strategy
 The simplest strategy you can employ is to upgrade one domain controller and monitor the single domain controller as you continue to phase in new Windows Hello for Business key-trust clients until it reaches a 70 or 80 percent threshold.
-
+
 Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environment's designated capacity, you can upgrade another domain controller.
-
+
 Repeat until your deployment for that site is complete. Now, monitor authentication across all your domain controllers like you did the very first time. Determine the distribution of authentication for each domain controller. Identify the percentage of distribution for which it is responsible. If a single domain controller is responsible for 70 percent of more of the authentication, you may want to consider adding a domain controller to reduce the distribution of authentication volume.
-
+
 However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically-configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. 
It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application.
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index b7b06e3193..299c09d7f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -37,5 +37,5 @@ Suppose instead that you sign in on **Device B** and change your password for yo
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c9bc5a12f3..e6a01bb2b8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -89,4 +89,4 @@ To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index a73ef3f3f2..5d92d9dcb7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -3,6 +3,7 @@ title: Configure Windows Hello for Business Policy settings in an on-premises ce
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
 ms.collection:
 - highpri
+ - tier1
 ms.date: 12/12/2022
 appliesto:
 - ✅ Windows 10 and later
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 64b6af4819..22f170e86e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -55,7 +55,7 @@ Following are the various deployment guides and models included in this topic:
 - [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
 - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
-For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
 ## Provisioning
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 424f82c737..8896bacc2b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -3,6 +3,7 @@ title: Deploy certificates for remote desktop sign-in
 description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
 ms.collection:
 - ContentEngagementFY23
+ - tier1
 ms.topic: article
 ms.date: 11/15/2022
 appliesto:
@@ -105,7 +106,7 @@ Once these requirements are met, a policy can be configured in Intune that provi
 This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.
-1. Go to the Microsoft Endpoint Manager admin center
+1. Go to the Microsoft Intune admin center
 1. Select **Devices > Configuration profiles > Create profile**
 1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate**
 1. Select **Create**
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index c853063c26..621663aecd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -2,10 +2,13 @@ metadata:
 title: Windows Hello for Business Frequently Asked Questions (FAQ)
 description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
+ author: paolomatarazzo
+ ms.author: paoloma
 ms.collection:
 - highpri
+ - tier1
 ms.topic: faq
- ms.date: 01/06/2023
+ ms.date: 03/09/2023
 appliesto:
 - ✅ Windows 10 and later
@@ -77,7 +80,7 @@ sections: Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? answer: | - To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). + To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. 
Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). - name: Management and operations questions: 
@@ -116,7 +119,7 @@ sections: - Data about whether people sign in with their face, iris, fingerprint, or PIN - The number of times they use it - Whether it works or not - All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - question: Can I disable the PIN while using Windows Hello for Business? answer: | No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. 
@@ -184,7 +187,7 @@ sections: - question: Which is a better or more secure for of authentication, key or certificate? answer: | Both types of authentication provide the same security; one is not more secure than the other. - The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The differences between the two trust types is the issuance of end-entity certificates: + The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates: - The *key trust* model authenticates to Active Directory by using a raw key. Key trust doesn't require an enterprise-issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed) - The *certificate trust* model authenticates to Active Directory by using a certificate. Therefore, you need to issue certificates to users. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing CA - question: What is convenience PIN? 
@@ -195,7 +198,7 @@ sections: No. While it's possible to set a convenience PIN on Azure AD joined and hybrid Azure AD joined devices, convenience PIN isn't supported for Azure AD user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users. - question: What about virtual smart cards? answer: | - Windows Hello for Business is the modern, two-factor credential for Windows. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows deployments use Windows Hello for Business. + Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business. - question: What URLs do I need to allow for a hybrid deployment? answer: | For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online). 
@@ -235,7 +238,7 @@ sections: - attempting to access on-premises resources secured by Active Directory - question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard][/windows/security/identity-protection/remote-credential-guard] or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. + Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. - question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust? answer: | No, only the number necessary to handle the load from all cloud Kerberos trust devices. 
@@ -247,4 +250,4 @@ sections: In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. \ No newline at end of file + Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index adfbe58657..d6d35b189a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md 
@@ -76,5 +76,5 @@ The computer is ready for dual enrollment. Sign in as the privileged user first
 * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 * [Windows Hello and password changes](hello-and-password-changes.md)
 * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 6bae92fc12..5fea59fc25 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,33 +1,38 @@ --- title: Dynamic lock -description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.date: 07/12/2022 +description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value. +ms.date: 03/10/2023 appliesto: - ✅ Windows 10 and later -ms.topic: article +ms.topic: how-to --- # Dynamic lock -Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +Dynamic lock is a feature that automatically locks a Windows device when a Bluetooth paired phone signal falls below the maximum Received Signal Strength Indicator (RSSI) value. The feature makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. > [!IMPORTANT] -> This feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system isn't idle (for example, an intruder gets access _before_ the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it. +> The dynamic lock feature only locks the device if the Bluetooth signal falls **and** the system is idle. If the system isn't idle (for example, an intruder gets access *before* the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. 
It only reduces the probability of someone gaining access if the user forgets to lock it. -You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. +You can configure Windows devices to use the **dynamic lock** using a Group Policy Object (GPO). + +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. +1. Edit the Group Policy object from Step 1. +1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. +1. Close the Group Policy Management Editor to save the Group Policy object. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: -``` +```xml - + ``` >[!IMPORTANT] >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. -For this policy setting, the **type** and **scenario** attribute values are static and cannot change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phones and uses the values from the following table: +For this policy setting, the **type** and **scenario** attribute values are static and can't change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table: |Description|Value| |:-------------|:-------:| 
@@ -43,17 +48,6 @@ For this policy setting, the **type** and **scenario** attribute values are stat |Health|2304| |Uncategorized|7936| -The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. +The **rssiMin** attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. - -## Related topics - -* [Windows Hello for Business](hello-identity-verification.md) -* [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -* [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -* [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -* [Windows Hello and password changes](hello-and-password-changes.md) -* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -* [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index e1aa2e7acb..ea7e72e5d4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -3,10 +3,11 @@ title: Pin Reset
 description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
 ms.collection:
 - highpri
-ms.date: 07/29/2022
+ - tier1
+ms.date: 03/10/2023
 appliesto:
 - ✅ Windows 10 and later
-ms.topic: article
+ms.topic: how-to
 ---
 
 # PIN reset
@@ -19,12 +20,10 @@ There are two forms of PIN reset: - **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature. ## Using PIN reset - There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. - >[!IMPORTANT] >For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. 
@@ -34,7 +33,6 @@ Destructive and non-destructive PIN reset use the same steps for initiating a PI 1. Open **Settings**, select **Accounts** > **Sign-in options**. 1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions. - ### Reset PIN above the Lock Screen For Azure AD-joined devices: @@ -45,7 +43,6 @@ For Azure AD-joined devices: 1. Follow the instructions provided by the provisioning process. 1. When finished, unlock your desktop using your newly created PIN. - For Hybrid Azure AD-joined devices: 1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon. 
@@ -57,14 +54,14 @@ For Hybrid Azure AD-joined devices: > [!NOTE] > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. -You may find that PIN reset from settings only works post login. Also, the "lock screen" PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). +You may find that PIN reset from settings only works post login. Also, the lock screen PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). ## Non-Destructive PIN reset **Requirements:** - Azure Active Directory -- Windows 10, version 1709 to 1809, Enterprise Edition. There's no licensing requirement for this feature since version 1903. +- Windows Enterprise and Pro editions. There's no licensing requirement for this feature. - Hybrid Windows Hello for Business deployment - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined 
@@ -82,7 +79,7 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi |Category|Destructive PIN Reset|Non-Destructive PIN Reset| |--- |--- |--- | |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| -|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There isn't any licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| +|**Windows editions and versions**| Windows Enterprise and Pro editions.| |**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust| |**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. 
|Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| |**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| @@ -93,7 +90,6 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi > The **Microsoft PIN Reset Service** is not currently available in Azure Government. - ### Enable the Microsoft PIN Reset Service in your Azure AD tenant Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant: @@ -128,7 +124,7 @@ Before you can remotely reset PINs, your devices must be configured to enable PI You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Configuration profiles** > **Create profile**. 1. Enter the following properties: - **Platform**: Select **Windows 10 and later**. @@ -150,7 +146,7 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi >[!NOTE] > You can also configure PIN recovery from the **Endpoint security** blade: -> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). > 1. Select **Endpoint security** > **Account protection** > **Create Policy**. #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) 
@@ -231,7 +227,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au ### Configure Web Sign-in Allowed URLs using Microsoft Intune -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) 1. Select **Devices** > **Configuration profiles** > **Create profile** 1. Enter the following properties: - **Platform**: Select **Windows 10 and later** @@ -265,5 +261,5 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 2281821bdc..2f1c460668 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -5,6 +5,8 @@ ms.date: 02/24/2021 appliesto: - ✅ Windows 10 and later ms.topic: article +ms.collection: + - tier1 --- # Remote Desktop 
@@ -56,5 +58,5 @@ Users appreciate convenience of biometrics and administrators value the security - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 7bec9c2543..b3765851fa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -101,7 +101,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while ### More information on cloud experience host -[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md) +[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works) ## Cloud Kerberos trust diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 9f3670151c..40e094e6c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md 
@@ -52,5 +52,5 @@ For more information read [how authentication works](hello-how-it-works-authenti - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 2cc6e81fff..fbed200f77 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -14,7 +14,7 @@ ms.topic: how-to If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] -> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. +> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue. Steps you'll perform include: 
@@ -848,7 +848,7 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices**, and then select **Configuration Profiles**. @@ -901,7 +901,7 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign-in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices**, and then select **Configuration Profiles**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 22d0a585f9..d0aa2590f7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -242,7 +242,7 @@ The domain controllers have a certificate that includes the new CRL distribution To configure devices with Microsoft Intune, use a custom policy: -1. Go to the Microsoft Endpoint Manager admin center +1. Go to the Microsoft Intune admin center 1. Select **Devices > Configuration profiles > Create profile** 1. Select **Platform > Windows 8.1 and later** and **Profile type > Trusted certificate** 1. Select **Create** diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 205970b978..a1a88d6f2e 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -119,12 +119,12 @@ There are different ways to enable and configure Windows Hello for Business in I To check the Windows Hello for Business policy applied at enrollment time: -1. Sign in to the Microsoft Endpoint Manager admin center +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Windows** > **Windows Enrollment** 1. Select **Windows Hello for Business** 1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured -:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="images/whfb-intune-disable.png"::: +:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png"::: If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy. @@ -132,7 +132,7 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip To configure Windows Hello for Business using an *account protection* policy: -1. Go to the Microsoft Endpoint Manager admin center +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Endpoint security** > **Account protection** 1. Select **+ Create Policy** 1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection** 
@@ -147,7 +147,7 @@ To configure Windows Hello for Business using an *account protection* policy: 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** 1. Review the policy configuration and select **Create** -:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Endpoint Manager admin center using an account protection policy." border="true" lightbox="images/whfb-intune-account-protection-cert-enable.png"::: +:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png"::: --- diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 80f86ef481..9d45b8bed7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -77,4 +77,4 @@ Before moving to the next section, ensure the following steps are complete: > - Update group memberships for the AD FS service account > [!div class="nextstepaction"] -> [Next: configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) \ No newline at end of file +> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision) \ No newline at end of file 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
new file mode 100644
index 0000000000..0f6b8ab112
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -0,0 +1,218 @@ +--- +title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment +description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario. +ms.date: 02/24/2023 +appliesto: +- ✅ Windows 10, version 21H2 and later +ms.topic: tutorial +--- +# Configure and provision Windows Hello for Business - cloud Kerberos trust + +[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)] + +## Deployment steps + +Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: + +1. Set up Azure AD Kerberos. +1. Configure a Windows Hello for Business policy and deploy it to the devices. + +### Deploy Azure AD Kerberos + +If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section. + +If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust. + +### Configure Windows Hello for Business policy + +After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). + +#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) + +For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business. 
+ +There are different ways to enable and configure Windows Hello for Business in Intune: + +- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group. +- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from: + - [Settings catalog][MEM-7] + - [Security baselines][MEM-2] + - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] + - [Account protection policy][MEM-5] + - [Identity protection policy template][MEM-6] + +### Verify the tenant-wide policy + +To check the Windows Hello for Business policy applied at enrollment time: + +1. Sign in to the Microsoft Intune admin center. +1. Select **Devices** > **Windows** > **Windows Enrollment**. +1. Select **Windows Hello for Business**. +1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured. + +:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png"::: + +If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy. + +### Enable Windows Hello for Business + +To configure Windows Hello for Business using an account protection policy: + +1. Sign in to the Microsoft Intune admin center. +1. 
Select **Endpoint security** > **Account protection**. +1. Select **+ Create Policy**. +1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**. +1. Select **Create**. +1. Specify a **Name** and, optionally, a **Description** > **Next**. +1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available. + - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**. + - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). +1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available. +1. Select **Next**. +1. Optionally, add **scope tags** and select **Next**. +1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**. +1. Review the policy configuration and select **Create**. + +> [!TIP] +> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template. + +:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="This image shows the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: + +Assign the policy to a security group that contains as members the devices or users that you want to configure. + +### Configure the cloud Kerberos trust policy + +The cloud Kerberos trust policy can be configured using a custom template, and it's configured separately from enabling Windows Hello for Business. + +To configure the cloud Kerberos trust policy: + +1. 
Sign in to the Microsoft Intune admin center. +1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. +1. For Profile Type, select **Templates** and select the **Custom** Template. +1. Name the profile with a familiar name, for example, "Windows Hello for Business cloud Kerberos trust". +1. In Configuration Settings, add a new configuration with the following settings: + + - Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name + - Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO* + - OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`** + - Data type: **Boolean** + - Value: **True** + + > [!IMPORTANT] + > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID. + + :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="./images/hello-cloud-trust-intune.png" lightbox="./images/hello-cloud-trust-intune-large.png"::: + +1. Assign the policy to a security group that contains as members the devices or users that you want to configure. + +#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) + +Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. + +The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. 
Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. + +> [!NOTE] +> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). + +#### Update administrative templates + +You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files. + +You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1]. 
+ +#### Create the Windows Hello for Business group policy object + +You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). + +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory. +1. Edit the Group Policy object from Step 1. +1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. +1. Select **Use Windows Hello for Business** > **Enable** > **OK**. +1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**. +1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**. + +--- + +> [!IMPORTANT] +> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured** or **disabled**. + +## Provision Windows Hello for Business + +The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy. + +You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ +This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. 
+ +:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png" lightbox="./images/cloud-trust-prereq-check.png"::: + +The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined. + +> [!NOTE] +> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory. + +### PIN Setup + +After a user signs in, this is the process that occurs to enroll in Windows Hello for Business: + +1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**. +1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. +1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device. 
+ +:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: + +### Sign-in + +Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. + +## Migrate from key trust deployment model to cloud Kerberos trust + +If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: + +1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos). +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy). +1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business. + +> [!NOTE] +> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. +> +> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails. + +## Migrate from certificate trust deployment model to cloud Kerberos trust + +> [!IMPORTANT] +> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. + +If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: + +1. Disable the certificate trust policy. +1. 
[Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
+1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context.
+1. Sign out and sign back in.
+1. Provision Windows Hello for Business using a method of your choice.
+
+> [!NOTE]
+> For hybrid Azure AD joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
+
+## Frequently Asked Questions
+
+For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust).
+
+
+
+[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
+[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+
+[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
+[MEM-2]: /mem/intune/protect/security-baselines
+[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-4]: /windows/client-management/mdm/passportforwork-csp
+[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
+[MEM-6]: /mem/intune/protect/identity-protection-configure
+[MEM-7]: /mem/intune/configuration/settings-catalog
+
+[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index ce118ce681..d3f07a3668 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -1,16 +1,16 @@ --- title: Windows Hello for Business cloud Kerberos trust deployment description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 11/1/2022 +ms.date: 02/24/2023 appliesto: - ✅ Windows 10, version 21H2 and later -ms.topic: article +ms.topic: tutorial --- # Cloud Kerberos trust deployment [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)] -Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a *cloud Kerberos trust* scenario. +Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario. ## Introduction to cloud Kerberos trust @@ -19,7 +19,7 @@ The goal of Windows Hello for Business cloud Kerberos trust is to bring the simp Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which enables a simpler deployment when compared to the *key trust model*: - No need to deploy a public key infrastructure (PKI) or to change an existing PKI -- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. This means that there isn't delay between the user's WHFB provisioning and being able to authenticate to Active Directory +- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory - [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup > [!NOTE] 
@@ -30,7 +30,7 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which *Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\ -With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. +With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: 
@@ -69,187 +69,23 @@ The following scenarios aren't supported using Windows Hello for Business cloud > > To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object `CN=AzureADKerberos,OU=Domain Controllers,`. -## Deployment steps +## Next steps -Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: +Once the prerequisites are met, deploying Windows Hello for Business with a cloud Kerberos trust model consists of the following steps: -1. Set up Azure AD Kerberos -1. Configure a Windows Hello for Business policy and deploy it to the devices +> [!div class="checklist"] +> * Deploy Azure AD Kerberos +> * Configure Windows Hello for Business settings +> * Provision Windows Hello for Business on Windows clients -### Deploy Azure AD Kerberos - -If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section. - -If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust. - -### Configure Windows Hello for Business policy - -After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). 
- -#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) - -Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. - -The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business. - -### Enable Windows Hello for Business - -If you already enabled Windows Hello for Business, you can skip to **configure the cloud Kerberos trust policy**. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy. - -You can also follow these steps to create a device configuration policy instead of using the device enrollment policy: - -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Platform, select **Windows 10 and later**. -1. For Profile Type, select **Templates** and select the **Identity Protection** Template. -1. Name the profile with a familiar name. For example, "Windows Hello for Business". -1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**. -1. After setting Configure Windows Hello for Business to Enable, multiple policy options become available. These policies are optional to configure. 
More information on these policies is available in our documentation on managing [Windows Hello for Business in your organization](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). We recommend setting **Use a Trusted Platform Module (TPM)** to **Enable**. - - [![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox) - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog). - -### Configure cloud Kerberos trust policy - -To configure the cloud Kerberos trust policy, follow the steps below: - -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Profile Type, select **Templates** and select the **Custom** Template. -1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust". -1. In Configuration Settings, add a new configuration with the following settings: - - | Setting | - |--------| - |
                          • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
                          • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
                          • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
                          • Data type: **Boolean**
                          • Value: **True**
                          | - - >[!IMPORTANT] - >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID. - - [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) - -Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. - -The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled. - -You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. - -cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. - -> [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. 
For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). - -#### Update administrative templates - -You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files. - -You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1]. - -#### Create the Windows Hello for Business group policy object - -You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). - -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory -1. Edit the Group Policy object from Step 1 -1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business** -1. Select **Use Windows Hello for Business** > **Enable** > **OK** -1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK** -1. *Optional, but recommended*: select **Use a hardware security device** > **Enable** > **OK** - ---- - -> [!IMPORTANT] -> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. 
Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*. - -## Provision Windows Hello for Business - -The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy. - -You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ -This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. - - ![Cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png) - -The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined. - -> [!NOTE] -> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory. - -### PIN Setup - -This is the process that occurs after a user signs in, to enroll in Windows Hello for Business: - -1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK** -1. 
The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry -1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device - -:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: - -### Sign-in - -Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. - -## Migrate from key trust deployment model to cloud Kerberos trust - -If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: - -1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) -1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business - -> [!NOTE] -> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. -> -> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails. 
- -## Migrate from certificate trust deployment model to cloud Kerberos trust - -> [!IMPORTANT] -> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. - -If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: - -1. Disable the certificate trust policy -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) -1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context -1. Sign out and sign back in -1. Provision Windows Hello for Business using a method of your choice - -> [!NOTE] -> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. - -## Troubleshooting - -If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the *Windows Feedback Hub* app by following these steps: - -1. Open **Feedback Hub**, and make sure that you're signed in -1. Submit feedback by selecting the following categories: - - Category: Security and Privacy - - Subcategory: Windows Hello PIN - -## Frequently Asked Questions - -For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust). 
+> [!div class="nextstepaction"]
+> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md)
 [AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
-[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
-[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
-[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
-
-[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
 [SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
 [SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
-[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
-
-[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
+[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
index a165084a61..73c27e5835 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
@@ -35,12 +35,12 @@ There are different ways to enable and configure Windows Hello for Business in I
 To check the Windows Hello for Business policy applied at enrollment time:
-1. Sign in to the Microsoft Endpoint Manager admin center
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Windows** > **Windows Enrollment**
 1. Select **Windows Hello for Business**
 1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="images/whfb-intune-disable.png":::
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
 If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
@@ -48,7 +48,7 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip
 To configure Windows Hello for Business using an *account protection* policy:
-1. Go to the Microsoft Endpoint Manager admin center
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Endpoint security** > **Account protection**
 1. Select **+ Create Policy**
 1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
@@ -62,7 +62,7 @@ To configure Windows Hello for Business using an *account protection* policy:
 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
 1. Review the policy configuration and select **Create**
-:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Endpoint Manager admin center using an account protection policy." border="true" lightbox="images/whfb-intune-account-protection-enable.png":::
+:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index e1ed3396b6..518283865d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -3,6 +3,7 @@ title: Windows Hello for Business Deployment Prerequisite Overview
 description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
 ms.collection:
 - highpri
+- tier1
 ms.date: 12/13/2022
 appliesto:
 - ✅ Windows 10 and later
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 8c3bfe995d..e666aa4beb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -3,6 +3,7 @@ title: Manage Windows Hello in your organization (Windows)
 description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
 ms.collection:
 - highpri
+ - tier1
 ms.date: 2/15/2022
 appliesto:
 - ✅ Windows 10 and later
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 48c16385f3..d6e6de308d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -3,6 +3,7 @@ title: Windows Hello for Business Overview (Windows)
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 appliesto:
 - ✅ Windows 10 and later
@@ -110,5 +111,5 @@ Windows Hello for Business with a key, including cloud Kerberos trust, doesn't s
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index c3c5912b26..f3e0b27534 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -87,7 +87,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
+The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
 > [!NOTE]
 > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 69e4a380e5..1d36c9e14c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -16,6 +16,8 @@ Although the organization may require users to change their Active Directory or
 People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
 ## On devices owned by the organization
 When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
@@ -40,9 +42,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select
 If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png)
-
-
+:::image type="content" alt-text="This screenshot shows account sign-in options to windows, apps, and services using fingerprint or face." source="images/hellosettings.png":::
 ## Related topics
@@ -52,6 +52,6 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index bf6f5a4ea0..1afbc43168 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business Videos
 description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-ms.date: 07/26/2022
+ms.date: 03/09/2023
 appliesto:
 - ✅ Windows 10 and later
 ms.topic: article
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 89fe8f84ce..6b65c109d3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -3,6 +3,7 @@ title: Why a PIN is better than an online password (Windows)
 description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
 ms.collection:
 - highpri
+ - tier1
 ms.date: 10/23/2017
 appliesto:
 - ✅ Windows 10 and later
@@ -81,5 +82,5 @@ If you only had a biometric sign-in configured and, for any reason, were unable
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png b/windows/security/identity-protection/hello-for-business/images/SetupAPin.png
deleted file mode 100644
index 50029cc00e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png
deleted file mode 100644
index 93085b03a8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png
deleted file mode 100644
index 88aaf424f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png
deleted file mode 100644
index 3d547d05fc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png
deleted file mode 100644
index d98d871f21..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png
deleted file mode 100644
index caacf8a566..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png
deleted file mode 100644
index 226f85eeb0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png
deleted file mode 100644
index 067c109808..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png
deleted file mode 100644
index f2c38239f3..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png
deleted file mode 100644
index 74cea5f0b5..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png
deleted file mode 100644
index e95fd1b9ba..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png
deleted file mode 100644
index c973e43aec..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png
deleted file mode 100644
index 70aaa2db9d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png
deleted file mode 100644
index eadf1eb285..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png
deleted file mode 100644
index 56cced034f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png
deleted file mode 100644
index e4e4555942..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png
deleted file mode 100644
index 390bfecafd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png
deleted file mode 100644
index a136973f04..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png
deleted file mode 100644
index c78baecd49..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png
deleted file mode 100644
index 96fe45bbcf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png
deleted file mode 100644
index 004d3a3f25..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png
deleted file mode 100644
index 9d66d330fd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png
deleted file mode 100644
index dea61f116e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png
deleted file mode 100644
index 831e12fe59..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png
deleted file mode 100644
index 21f4159d80..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png
deleted file mode 100644
index 49c4dee983..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
deleted file mode 100644
index c2a4f36704..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png
deleted file mode 100644
index 0ec08ecbc0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png
deleted file mode 100644
index 46db47b6f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/createPin.png b/windows/security/identity-protection/hello-for-business/images/createPin.png
deleted file mode 100644
index 91e079feca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/createPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/dsregcmd.png
deleted file mode 100644
index 85bc6491cf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png
deleted file mode 100644
index 7f0be5249d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png b/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png
deleted file mode 100644
index ef99144042..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png b/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png
deleted file mode 100644
index edcbe0ec34..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png
deleted file mode 100644
index 72c94fb321..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png
deleted file mode 100644
index 64f85b1f54..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png
deleted file mode 100644
index 6894047f98..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
deleted file mode 100644
index 3167588d7b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_filter.png b/windows/security/identity-protection/hello-for-business/images/hello_filter.png
deleted file mode 100644
index 611bbfad70..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_filter.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_gear.png b/windows/security/identity-protection/hello-for-business/images/hello_gear.png
deleted file mode 100644
index b74cf682ac..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_gear.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_lock.png b/windows/security/identity-protection/hello-for-business/images/hello_lock.png
deleted file mode 100644
index 5643cecec0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_lock.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_users.png b/windows/security/identity-protection/hello-for-business/images/hello_users.png
deleted file mode 100644
index c6750396dd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_users.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png
deleted file mode 100644
index 8b003013f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png
deleted file mode 100644
index 44bbc4a572..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png
deleted file mode 100644
index df7973e2ca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png
deleted file mode 100644
index eb3458bf76..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png
deleted file mode 100644
index 6011b3c66e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png
deleted file mode 100644
index ac1752b75b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png
deleted file mode 100644
index 2835e56049..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png
deleted file mode 100644
index 4874ca4516..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png
deleted file mode 100644
index c6572cbd5a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png
deleted file mode 100644
index 3a72066a31..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png
deleted file mode 100644
index c3754b5389..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png
deleted file mode 100644
index 97db24c262..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png
deleted file mode 100644
index 80f9d53d2c..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png
deleted file mode 100644
index 97ad2a1bfb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/mfa.png b/windows/security/identity-protection/hello-for-business/images/mfa.png
deleted file mode 100644
index b7086b9b79..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/mfa.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png
deleted file mode 100644
index 174cf0a790..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png
deleted file mode 100644
index 028f06544c..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png
deleted file mode 100644
index 322a4fcbdc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png b/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
deleted file mode 100644
index f86101b1e8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
deleted file mode 100644
index d9acfd8170..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
deleted file mode 100644
index 21d37405a7..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md
deleted file mode 100644
index a5b340a3f8..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md
deleted file mode 100644
index b637be9beb..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 0c6b760604..4d8789f403 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -12,10 +12,10 @@ metadata:
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
- ms.reviewer: prsriva
- ms.date: 01/22/2021
+ ms.date: 03/09/2023
 ms.collection:
 - highpri
+ - tier1
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index ee40135695..77c3a38b65 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -26,31 +26,47 @@
 - name: Hybrid deployments
 items:
 - name: Cloud Kerberos trust deployment
- href: hello-hybrid-cloud-kerberos-trust.md
+ items:
+ - name: Overview
+ href: hello-hybrid-cloud-kerberos-trust.md
+ displayName: cloud Kerberos trust
+ - name: Configure and provision Windows Hello for Business
+ href: hello-hybrid-cloud-kerberos-trust-provision.md
+ displayName: cloud Kerberos trust
 - name: Key trust deployment
 items:
 - name: Overview
 href: hello-hybrid-key-trust.md
+ displayName: key trust
 - name: Configure and validate the PKI
 href: hello-hybrid-key-trust-validate-pki.md
+ displayName: key trust
 - name: Configure and provision Windows Hello for Business
 href: hello-hybrid-key-trust-provision.md
+ displayName: key trust
 - name: Configure SSO for Azure AD joined devices
 href: hello-hybrid-aadj-sso.md
+ displayName: key trust
 - name: Certificate trust deployment
 items:
 - name: Overview
 href: hello-hybrid-cert-trust.md
+ displayName: certificate trust
 - name: Configure and validate the PKI
 href: hello-hybrid-cert-trust-validate-pki.md
+ displayName: certificate trust
 - name: Configure AD FS
 href: hello-hybrid-cert-whfb-settings-adfs.md
+ displayName: certificate trust
 - name: Configure and provision Windows Hello for Business
 href: hello-hybrid-cert-whfb-provision.md
+ displayName: certificate trust
 - name: Configure SSO for Azure AD joined devices
 href: hello-hybrid-aadj-sso.md
+ displayName: certificate trust
 - name: Deploy certificates to Azure AD joined devices
 href: hello-hybrid-aadj-sso-cert.md
+ displayName: certificate trust
 - name: On-premises deployments
 items:
 - name: Key trust deployment
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index 42e5d338b1..654302f210 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -1,7 +1,7 @@
 ---
 title: WebAuthn APIs
 description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
-ms.date: 09/15/2022
+ms.date: 03/09/2023
 appliesto:
 - ✅ Windows 10 and later
 ms.topic: article
diff --git a/windows/security/identity-protection/images/application-guard-and-system-guard.png b/windows/security/identity-protection/images/application-guard-and-system-guard.png
deleted file mode 100644
index b4b883db90..0000000000
Binary files a/windows/security/identity-protection/images/application-guard-and-system-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard.png b/windows/security/identity-protection/images/remote-credential-guard.png
deleted file mode 100644
index d8e3598dc9..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/traditional-windows-software-stack.png b/windows/security/identity-protection/images/traditional-windows-software-stack.png
deleted file mode 100644
index 0da610c368..0000000000
Binary files a/windows/security/identity-protection/images/traditional-windows-software-stack.png and /dev/null differ
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index c42735cfe2..dc71f52903 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -16,7 +16,9 @@ ms.technology: itpro-security
 # Identity and access management
-Learn more about identity and access management technologies in Windows 10 and Windows 11.
+Learn more about identity and access management technologies in Windows.
+
+[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]
 | Section | Description |
 |-|-|
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 2876ab9e18..63c2e03d67 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -7,6 +7,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 01/12/2018
@@ -51,12 +52,12 @@ Use the following table to compare different Remote Desktop connection security | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | |--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server | +| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server | | **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

                          For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). | | **Helps prevent**                    |      N/A          |
                          • Pass-the-Hash
                          • Use of a credential after disconnection
                          |
                          • Pass-the-Hash
                          • Use of domain identity during connection
                          | | **Credentials supported from the remote desktop client device** |
                          • Signed on credentials
                          • Supplied credentials
                          • Saved credentials
                          |
                          • Signed on credentials only |
                            • Signed on credentials
                            • Supplied credentials
                            • Saved credentials
                            | | **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | -| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. | +| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. | | **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | | **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol | 
@@ -71,7 +72,7 @@ and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/c ## Remote Desktop connections and helpdesk support scenarios -For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects. +For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects. Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). 
@@ -90,7 +91,7 @@ The Remote Desktop client device: - Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine. -- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host. +- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host. - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. @@ -100,7 +101,7 @@ The Remote Desktop remote host: - Must be running at least Windows 10, version 1607 or Windows Server 2016. - Must allow Restricted Admin connections. -- Must allow the client’s domain user to access Remote Desktop connections. +- Must allow the client's domain user to access Remote Desktop connections. - Must allow delegation of non-exportable credentials. There are no hardware requirements for Windows Defender Remote Credential Guard. 
@@ -182,7 +183,7 @@ mstsc.exe /remoteGuard ## Considerations when using Windows Defender Remote Credential Guard -- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied. +- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied. - Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory. diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 3c1b301625..10b6bda518 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -8,6 +8,7 @@ ms.reviewer: ardenw manager: aaroncz ms.collection: - highpri + - tier2 ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 9ba3ee5da6..d5912c3e8d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md 
@@ -1,20 +1,12 @@ --- title: Smart Card Technical Reference (Windows) description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma ms.reviewer: ardenw -manager: aaroncz ms.topic: article -ms.localizationpriority: medium ms.date: 09/24/2021 -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- @@ -44,7 +36,9 @@ Smart cards provide: Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. -**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](../virtual-smart-cards/virtual-smart-card-overview.md). +**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. + +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] ## In this technical reference diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index a968914652..8037f68045 100644 
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -3,6 +3,7 @@ title: How User Account Control works (Windows) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ms.collection: - highpri + - tier2 ms.topic: article ms.localizationpriority: medium ms.date: 09/23/2021 diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index f3c8c14d4e..979a7ae1f1 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -3,6 +3,7 @@ title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.collection: - highpri + - tier2 ms.topic: article ms.date: 04/19/2017 appliesto: diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 35851d61af..93502be3e3 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md 
@@ -3,6 +3,7 @@ title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.collection: - highpri + - tier2 ms.topic: article ms.date: 09/24/2011 appliesto: diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index a29f378683..63ac28b3e9 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md 
@@ -1,30 +1,24 @@ --- -title: Deploy Virtual Smart Cards (Windows 10) -description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +title: Deploy Virtual Smart Cards +description: Learn about what to consider when deploying a virtual smart card authentication solution +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Deploy Virtual Smart Cards -Applies To: Windows 10, Windows Server 2016 +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. +This article discusses the factors to consider when you deploy a virtual smart card authentication solution. Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram. ![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png) -Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. 
For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company. +A device manufacturer creates physical devices, and then an organization purchase and deploy them. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the *administrator key*, *Personal Identification Number (PIN)*, *PIN Unlock Key (PUK)*, and its physical appearance. During the device provisioning phase, the required certificates are installed, such as a sign-in certificate. After you provision the device, it's ready for use. You'll maintain the device, for example you may replace cards when they're lost or stolen, or reset PINs when users forget them. Finally, you'll retire devices when they exceed their intended lifetime or when employees leave the company. This topic contains information about the following phases in a virtual smart card lifecycle: 
@@ -44,94 +38,90 @@ The TPM Provisioning Wizard, which is launched from the **TPM Management Console When you create virtual smart cards, consider the following actions in the TPM: -- **Enable and Activate**: TPMs are built in to many industry ready computers, but they often are not enabled and activated by default. In some cases, the TPM must be enabled and activated through the BIOS. For more information, see Initialize and Configure Ownership of the TPM. +- **Enable and Activate**: TPMs are built into many devices. In some cases, the TPM must be enabled and activated through the BIOS +- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the *storage root key*. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. For corporate use of TPM virtual smart cards, the domain administrator should restrict access to the TPM owner password by storing it in Active Directory, and not in the local registry. When TPM ownership is set, you must clear and reinitialize the TPM +- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time -- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the storage root key. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. - For corporate use of TPM virtual smart cards, we recommend that the corporate domain administrator restrict access to the TPM owner password by storing it in Active Directory, not in the local registry. When TPM ownership is set in Windows Vista, the TPM needs to be cleared and reinitialized. For more information, see Trusted Platform Module Technology Overview. 
- -- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time. For more information, see Manage TPM Lockout. - -A TPM might operate in reduced functionality mode. This could occur, for example, if the operating system cannot determine if the owner password is available to the user. In those cases, the TPM can be used to create a virtual smart card, but it is strongly recommended to bring the TPM to a fully ready state so that any unexpected circumstances will not leave the user blocked from using the computer. +A TPM might operate in reduced functionality mode, which may occur if the operating system can't determine if the owner password is available to the user. During reduce functionality mode, you can use the TPM to create a virtual smart card, but it's preferable to bring the TPM to a fully ready state so that any unexpected circumstances won't leave the user blocked from using the device. Those smart card deployment management tools that require a status check of a TPM before attempting to create a TPM virtual smart card can do so using the TPM WMI interface. -Depending on the setup of the computer that is designated for installing TPM virtual smart cards, it might be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md). +Depending on the setup of the device designated for installing TPM virtual smart cards, it may be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md). For more information about managing TPMs by using built-in tools, see Trusted Platform Module Services Group Policy Settings. 
### Creation -A TPM virtual smart card simulates a physical smart card, and it uses the TPM to provide the same functionality as physical smart card hardware. A virtual smart card appears within the operating system as a physical smart card that is always inserted. Supported versions of the Windows operating system present a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated to TPM commands. This process ensures the integrity of the virtual smart card through the three properties of smart card security: +A TPM virtual smart card simulates a physical smart card, using the TPM to provide the same functionality as physical smart card hardware.\ +A virtual smart card appears within the operating system as a physical smart card that is always inserted. Windows presents a *virtual smart card reader* and a *virtual smart card* to applications using the same interface as physical smart cards. The messages to and from the virtual smart card are translated to TPM commands, ensuring the integrity of the virtual smart card through the three properties of smart card security: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer. +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. 
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. +- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, which is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. -- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. - For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). +- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for some time instead of blocking the card. This is also known as lockout. + For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. 
Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. +There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using `tpmvscmgr.exe` to create cards individually on users' computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee's possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. For information about the TPM Virtual Smart Card command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md). ### Personalization -During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If a PUK is set, the administrator key can no longer be used to reset the PIN.) +During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. 
As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If you set a PUK, you can't use the administrator key to reset the PIN.) -Because the administrator key is critical to the security of the card, it is important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include: +Because the administrator key is critical to the security of the card, it's important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include: -- **Uniform**: Administrator keys for all the virtual smart cards that are deployed in the organization are the same. Although this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy might be sufficient for very small organizations, but if the administrator key is compromised, all virtual smart cards that use this key must be reissued. +- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued. -- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. 
+- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. -- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card’s security is independent of the others. This is secure on a large scale unless the administrator key database is compromised. +- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised. -- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it does not need to be stored. The security of this method relies on the security of the secret used. +- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it doesn't need to be stored. The security of this method relies on the security of the secret used. -Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is simply entered on the computer to enable a user PIN reset. 
+Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is entered on the computer to enable a user PIN reset. -The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it cannot be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process. +The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it can't be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process. -TPM virtual smart cards can be personalized on an individual basis when they are created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. An additional advantage of such a solution is the automated creation of administrator keys. 
Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards.
+TPM virtual smart cards can be personalized on an individual basis when they're created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. Another advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards.
 
 ## Provision virtual smart cards
 
-Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security.
+Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign-in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security.
 
-A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning.
In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver’s license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an “enroll-on-behalf-of” strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station.
+A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver's license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an "enroll-on-behalf-of" strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station.
 
-For deployments in which a high-assurance level is not a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment.
Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost.
+For deployments in which a high-assurance level isn't a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost. For information about using Certificate Manager to configure virtual smart cards, see [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md).
 
-High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user’s computer has been issued prior to the virtual smart card deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer.
+High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user's computer has been issued prior to the virtual smart card deployment, but this isn't always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer.
In this situation, provisioning becomes relatively simple, but identity checks must be put in place to ensure that the recipient of the computer is the individual who was expected during provisioning. This can be accomplished by requiring the employee to set the initial PIN under the supervision of the deployment administrator or manager.
 
-When you are provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they are also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack.
+When you're provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they're also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack.
 
-If a virtual smart card is compromised, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. This requires a record of which credentials match which user and computer, which is functionality that does not exist natively in Windows. Deployment administrators might want to consider add-on solutions to maintain such a record.
+For compromised virtual smart cards, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop.
Revoking credentials requires a record of which credentials match which user and device, but the functionality doesn't natively exist in Windows. Deployment administrators might want to consider add-on solutions to maintain a record.
 
 ### Virtual smart cards on consumer devices used for corporate access
 
-There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that are not joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Windows Store (for example, devices running Windows RT).
+There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that aren't joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Microsoft Store.
 
-You can use APIs that were introduced in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically).
+You can use APIs to build Microsoft Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically).
 
 #### TPM ownerAuth in the registry
 
-When a device or computer is not joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE.
This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that are not protected include:
+When a device or computer isn't joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that aren't protected include:
 
 - A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets.
 - A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised.
 
-The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. Policies for automatic lockout can be set while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
+The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. You can set policies for automatic lockout while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
 
-For configuration information about the TPM ownerAuth registry key, see the Group Policy setting Configure the level of TPM owner authorization information available to the operating system.
-
-
+For configuration information about the TPM ownerAuth registry key, see the Group Policy setting **Configure the level of TPM owner authorization information** available to the operating system.
 
 For information about EAS policies, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
@@ -139,12 +129,10 @@ For information about EAS policies, see [Exchange ActiveSync Policy Engine Overv
 
 The following table describes the important differences between managed and unmanaged virtual smart cards that exist on consumer devices:
 
-
-
-| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) |
-|-----------------------------------------|--------------|----|
-| Reset PIN when the user forgets the PIN | Yes | No, the card has to be deleted and created again. |
-| Allow user to change the PIN | Yes | No, the card has to be deleted and created again. |
+| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) |
+|---|---|---|
+| Reset PIN when the user forgets the PIN | Yes | No. Delete and recreate the card. |
+| Allow user to change the PIN | Yes | No. Delete and recreate the card. |
 
 ## Managed cards
 
@@ -152,7 +140,7 @@ A managed virtual smart card can be serviced by the IT administrator or another
 
 ### Managed card creation
 
-A user can create blank virtual smart card by using the Tpmvscmgr command-line tool, which is a built-in tool that is run with administrative credentials through an elevated command prompt. This virtual smart card needs to be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option should not be specified).
+A user can create blank virtual smart card by using the *Tpmvscmgr* command-line tool, which is a built-in tool executed with administrative credentials through an elevated command prompt. The virtual smart card must be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option shouldn't be specified).
 
 The following command creates a virtual smart card that can later be managed by a smart card management tool launched from another computer (as explained in the next section):
 
@@ -162,7 +150,7 @@ Alternatively, instead of using a default administrator key, a user can enter an
 
 `tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT`
 
-In either case, the card management system needs to be aware of the initial administrator key that is used so that it can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when the default value is used, the administrator key is set to:
+In either case, the card management system needs to be aware of the initial administrator key. The requirement is so that the card management system can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when you use the default, the administrator key is set to:
 
 `10203040506070801020304050607080102030405060708`
 
@@ -180,7 +168,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm
 
 #### Certificate issuance
 
-Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card does not need to be installed on the client computer if it is installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
+Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
 
 Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA).
This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES). 
@@ -188,11 +176,11 @@ Alternatively, without establishing a remote desktop connection, users can enrol
 
 You can renew certificates through remote desktop connections, certificate enrollment policies, or certificate enrollment services. Renewal requirements could be different from the initial issuance requirements, based on the renewal policy.
 
-Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available.
+Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.
 
 ## Unmanaged cards
 
-Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable if an organzation does not have an elaborate smart card deployment management tool and using remote desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again.
This results in loss of the user’s credentials and he or she must re-enroll.
+Unmanaged virtual smart cards aren't serviceable by an IT administrator. Unmanaged cards might be suitable if an organization doesn't have an elaborate smart card deployment management tool and using remote desktop connections to manage the card isn't desirable. Because unmanaged cards aren't serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user's credentials and he or she must re-enroll.
 
 ### Unmanaged card creation
 
@@ -220,9 +208,9 @@ Another option is to have the user access an enrollment portal that is available
 
 #### Signing the request with another certificate
 
-You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. Additional policy constraints can be enforced on the .pfx file to assert the identity of the user.
+You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. You can enforce other policy constraints on the .pfx file to assert the identity of the user.
 
-The user can import the certificate into the **MY** store (which is the user’s certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card.
+The user can import the certificate into the **MY** store (which is the user's certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card.
 
 For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure:
 
@@ -234,50 +222,38 @@ For deployments that require users to use a physical smart card to sign the cert
 
 #### Using one-time password for enrollment
 
-Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
+Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
 
 #### Certificate lifecycle management
 
 Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
 
-Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available.
+Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked.
When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.
 
 ## Maintain virtual smart cards
 
 Maintenance is a significant portion of the virtual smart card lifecycle and one of the most important considerations from a management perspective. After virtual smart cards are created, personalized, and provisioned, they can be used for convenient two-factor authentication. Deployment administrators must be aware of several common administrative scenarios, which can be approached by using a purchased virtual smart card solution or on a case-by-case basis with in-house methods.
 
-**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user’s choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair.
+**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user's choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair.
 
 When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning.
However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards.
 
-**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user’s identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
+**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify.
The entire card should be reissued.
 
 **Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific.
 
-**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they are no longer needed. When an employee leaves the company, it is desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
+**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
 
-The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it is only necessary to revoke the certificates that are stored on the virtual smart card.
+The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it's only necessary to revoke the certificates that are stored on the virtual smart card.
 
 ### Emergency preparedness
 
 #### Card reissuance
 
-The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card’s privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled.
+The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card's privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled.
 
 #### Blocked virtual smart card
 
-The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times.
A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
+The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card doesn't reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
 
 For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](../smart-cards/smart-card-group-policy-and-registry-settings.md#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon).
-
-## See also
-
-[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
-
-[Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
-
-[Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
-
-[Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
-
-[Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index c2913cb244..b2afb7673e 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -1,65 +1,55 @@ --- -title: Evaluate Virtual Smart Card Security (Windows 10) -description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +title: Evaluate Virtual Smart Card Security +description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards. +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Evaluate Virtual Smart Card Security -This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + +In this article, you'll learn about security characteristics and considerations when deploying TPM virtual smart cards. ## Virtual smart card non-exportability details -A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data, specifically that the secured data is non-exportable. Data can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. This originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data. 
+A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data. Specifically, that the secured data is non-exportable.\ +Data can be accessed and used within the virtual smart card system, but it's meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. The chain originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN so that changing the PIN doesn't require re-encryption of the data. The following diagram illustrates the secure key hierarchy and the process of accessing the user key. -![Diagram of the process of accessing the user key.](images/vsc-process-of-accessing-user-key.png) +:::image type="content" alt-text="Diagram of the process of accessing the user key." source="images/vsc-process-of-accessing-user-key.png" lightbox="images/vsc-process-of-accessing-user-key.png"::: The following keys are stored on the hard disk: -- User key +- User key +- Smart card key, which is encrypted by the storage root key +- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key -- Smart card key, which is encrypted by the storage root key +When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user's key that is stored on the virtual smart card. -- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key - -When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. 
If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user’s key that is stored on the virtual smart card. - -The auth key is the only sensitive data that is used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it is encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is completely isolated from external access. +The auth key is the only sensitive data used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it's encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is isolated from external access. ## Virtual smart card anti-hammering details -The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide very flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism. +The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism. 
-The Trusted Computing Group also specifies that if the response to attacks involves suspending proper function of the TPM for some period of time or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. Whatever methodology is chosen by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include: +The Trusted Computing Group specifies that if the response to attacks involves suspending proper function of the TPM for some period of time, or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. The methodology used by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include: -1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. +1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. 
- > **Note**  Introduced in Windows Server 2012 R2 and Windows 8.1, if the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it has to be unblocked by using the administrative key or the PUK. + > [!NOTE] + > + > If the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it must be unblocked by using the administrative key or the PUK. -1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands. +1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands. +1. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN. -2. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN. +For example, it will take 14 years to guess an eight character PIN for a TPM that implements the following protection: -As an example, it will take 14 years to guess an 8-character PIN for a TPM that implements the following protection: - -1. Number of wrong PINs allowed before entering lockout (threshold): 9 - -2. Time the TPM is in lockout after the threshold is reached: 10 seconds - -3. Timed delay doubles for each wrong PIN after the threshold is reached - -## See also - -[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) +1. 
Number of wrong PINs allowed before entering lockout (threshold): 9 +1. Time the TPM is in lockout after the threshold is reached: 10 seconds +1. Timed delay doubles for each wrong PIN after the threshold is reached \ No newline at end of file diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index d29782a291..ab3569f8ab 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md 
@@ -1,24 +1,20 @@
 ---
 title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
 description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
 
 # Get Started with Virtual Smart Cards: Walkthrough Guide
 
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
 This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
 
-Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
+Virtual smart cards are a technology from Microsoft that offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
 
 This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 22c293e635..05598bf6ee 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -1,130 +1,66 @@ --- -title: Virtual Smart Card Overview (Windows 10) -description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz +title: Virtual Smart Card Overview +description: Learn about virtual smart card technology for Windows. ms.topic: conceptual -ms.localizationpriority: medium -ms.date: 10/13/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Virtual Smart Card Overview -This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards. +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -**Did you mean…** - -- [Smart Cards](../smart-cards/smart-card-windows-smart-card-technical-reference.md) - -> [!NOTE] -> [Windows Hello for Business](../hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date has been set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8. +This article provides an overview of the virtual smart card technology. 
## Feature description -Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware. +Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices. Virtual smart cards don't require the use of a separate physical smart card and reader. You create virtual smart cards in the TPM, where the keys used for authentication are stored in cryptographically-secured hardware. By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. ## Practical applications -Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They are easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale. +Virtual smart cards are functionally similar to physical smart cards, appearing in Windows as smart cards that are always-inserted. 
Virtual smart cards can be used for authentication to external resources, protection of data by encryption, and integrity through signing. You can deploy virtual smart cards by using in-house methods or a purchased solution, and they can be a replacement for other methods of strong authentication in a corporate setting of any scale. ### Authentication use cases **Two-factor authentication‒based remote access** -After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain strongly authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain. +After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain. -In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request could not have possibly originated from a system other than the system certified by the domain for this user’s access, and the user could not have initiated the request without knowing the PIN, a strong two-factor authentication is established. +In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. 
Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established. **Client authentication** -Virtual smart cards can also be used for client authentication by using Secure Socket Layer (SSL) or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card. +Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card. **Virtual smart card redirection for remote desktop connections** -The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. 
Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer’s TPM. This extends a user’s privileges to the remote computer, while maintaining the principles of two-factor authentication. - -**Windows To Go and virtual smart cards** - -Virtual smart cards work well with Windows To Go, where a user can boot into a supported version of Windows from a compatible removable storage device. A virtual smart card can be created for the user, and it is tied to the TPM on the physical host computer to which the removable storage device is connected. When the user boots the operating system from a different physical computer, the virtual smart card will not be available. This can be used for scenarios when a single physical computer is shared by many users. Each user can be given a removable storage device for Windows To Go, which has a virtual smart card provisioned for the user. This way, users are only able to access their personal virtual smart card. +The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. 
You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication. ### Confidentiality use cases **S/MIME email encryption** -Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user’s public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. +Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. **BitLocker for data volumes** -sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user’s hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult. 
+BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult. -BitLocker can also be used to encrypt portable drives, which involves storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it is connected to the host for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this computer. However, this method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive. +You can use BitLocker to encrypt portable drives, storing keys in virtual smart cards. In this scenario, unlike using BitLocker with a physical smart card, the encrypted drive can be used only when it's connected to device for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from the device. This method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive, too. ### Data integrity use case **Signing data** -To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner’s identity. 
However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft). This makes digital signatures far more secure than other methods for private key storage. +To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. -## New and changed functionality as of Windows 8.1 - -Enhancements in Windows 8.1 enabled developers to build Microsoft Store apps to create and manage virtual smart cards. - -The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device management protocol provides a Distributed Component Object Model (DCOM) Remote Protocol interface used for creating and destroying virtual smart cards. A virtual smart card is a device that presents a device interface complying with the PC/SC specification for PC-connected interface devices to its host operating system (OS) platform. This protocol does not assume anything about the underlying implementation of virtual smart card devices. In particular, while it is primarily intended for the management of virtual smart cards based on TPMs, it can also be used to manage other types of virtual smart cards. - -**What value does this change add?** - -Starting with Windows 8.1, application developers can build into their apps the following virtual smart card maintenance capabilities to relieve some of your administrative burdens. - -- Create a new virtual smart card or select a virtual smart card from the list of available virtual smart cards on the system. Identify the one that the application is supposed to work with. - -- Personalize the virtual smart card. - -- Change the admin key. - -- Diversify the admin key which allows the user to unblock the PIN in a PIN-blocked scenario. - -- Change the PIN. - -- Reset or Unblock the PIN. 
- -- Destroy the virtual smart card. - -**What works differently?** - -Starting with Windows 8.1, Microsoft Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization. - -For more information about developing Microsoft Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](/openspecs/windows_protocols/ms-tpmvsc/10bd67d7-4580-4e38-a6e9-ec3be00033b6). - -For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md). +- Storing the key in an operating system that is accessible, malicious users could access it and use it to modify already signed data or to spoof the key owner's identity +- Storing the key in a virtual smart card, means that you can only use it to sign data on the host device. You can't export the key to other systems (intentionally or unintentionally, such as with malware theft), making digital signatures more secure than other methods for private key storage ## Hardware requirements -To use the virtual smart card technology, TPM 1.2 is the minimum required for computers running Windows 10 or Windows Server 2016. 
- -## Software requirements - -To use the virtual smart card technology, computers must be running one of the following operating systems: - -- Windows Server 2016 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows 10 -- Windows 8.1 -- Windows 8 - -## See also - -- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) -- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md) -- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) -- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md) -- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md) -- [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) \ No newline at end of file +To use the virtual smart card technology, TPM 1.2 is the minimum required for devices running a supported operating system. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index 521d0afec7..5f39e38b48 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md 
@@ -1,21 +1,17 @@
 ---
-title: Tpmvscmgr (Windows 10)
-description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Tpmvscmgr
+description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
 
 # Tpmvscmgr
 
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
 The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples).
 
 ## Syntax
@@ -26,7 +22,7 @@ The Tpmvscmgr command-line tool allows users with Administrative credentials to
 
 ### Parameters for Create command
 
-The Create command sets up new virtual smart cards on the user’s system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
+The Create command sets up new virtual smart cards on the user's system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format `ROOT\SMARTCARDREADER\000n` where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
 
 | Parameter | Description |
 |-----------|-------------|
@@ -34,10 +30,10 @@ The Create command sets up new virtual smart cards on the user’s system. It re
 | /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
                            **DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
                            **PROMPT**  Prompts the user to enter a value for the administrator key.
                            **RANDOM**  Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. |
 | /PIN | Indicates desired user PIN value.
                            **DEFAULT**  Specifies the default PIN of 12345678.
                            **PROMPT**  Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
 | /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.
                            **DEFAULT**  Specifies the default PUK of 12345678.
                            **PROMPT**  Prompts the user to enter a PUK at the command line. |
-| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. |
+| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it's equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. |
 | /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
 | /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:
                            **minlen** <minimum PIN length>
                               If not specified, defaults to 8. The lower bound is 4.
                            **maxlen** <maximum PIN length>
                               If not specified, defaults to 127. The upper bound is 127.
                            **uppercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
                            **lowercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
                            **digits**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
                            **specialchars**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**

                            When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
-| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
                            **AIK_AND_CERT**  Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.
                            **AIK_ONLY**  Creates an AIK but does not obtain an AIK certificate. | +| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
                            **AIK_AND_CERT**  Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there's no network connectivity, it's possible that creation of the virtual smart card will fail.
                            **AIK_ONLY**  Creates an AIK but doesn't obtain an AIK certificate. |
 | /? | Displays Help for this command. |
 ### Parameters for Destroy command
@@ -91,8 +87,4 @@ The following command will create a TPM virtual smart card with the default valu
 ```console
 tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate
-```
-
-## Additional references
-
-- [Virtual Smart Card Overview](virtual-smart-card-overview.md)
+```
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index 0475663ff5..dfde051a1a 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -1,22 +1,19 @@
 ---
-title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
-description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
+title: Understanding and Evaluating Virtual Smart Cards
+description: Learn how smart card technology can fit into your authentication design.
 ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
-# Understanding and Evaluating Virtual Smart Cards
+# Understand and Evaluate Virtual Smart Cards
-This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+This article describes the virtual smart card technology and how it can fit into your authentication design.
 Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
@@ -30,20 +27,17 @@ This topic contains the following sections: - [Authentication design options](#authentication-design-options): Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization. -- [See also](#see-also): - Links to other topics that can help you design, deploy, and troubleshoot virtual smart cards. - ## Comparing virtual smart cards with physical smart cards Virtual smart cards function much like physical smart cards, but they differ in that they protect private keys by using the TPM of the computer instead of smart card media. A virtual smart card appears to applications as a conventional smart card. Private keys in the virtual smart card are protected, not by isolation of physical memory, but by the cryptographic capabilities of the TPM. All sensitive information is encrypted by using the TPM and then stored on the hard drive in its encrypted form. -All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user will not be able to access keys that are stored in the virtual smart card because they are securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption. +All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user won't be able to access keys that are stored in the virtual smart card because they're securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption. 
Virtual smart cards maintain the three key properties of physical smart cards: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer. +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). - **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. 
@@ -55,7 +49,7 @@ The following subsections compare the functionality, security, and cost of virtu
 **Functionality**
-The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no method to export the user’s virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
+The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
 The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card.
@@ -65,7 +59,7 @@ Additionally, although the anti-hammering functionality of the virtual smart car
 Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft.
-TPM virtual smart cards, however, reside on a user’s computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user.
+TPM virtual smart cards, however, reside on a user's computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user.
 However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost.
Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
@@ -73,7 +67,7 @@ However, there are several advantages provided by virtual smart cards to mitigat
 If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
-Additionally, the maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
+The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
 **Comparison summary**
@@ -82,16 +76,16 @@ Additionally, the maintenance cost of virtual smart cards is less than that for
 | Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. |
 | Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. |
 | Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. |
-| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user’s computer or device. |
+| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. |
 | Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. |
-| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without additional equipment. 
|
+| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. |
 | Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. |
 | Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. |
-| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user’s computer, which may be left unattended and allow a greater risk window for hammering attempts. |
+| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. |
 | Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. |
-| Alerts users that their card is lost or stolen only when they need to sign in and notice it is missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. 
This reduces the associated risk window. |
+| Alerts users that their card is lost or stolen only when they need to sign in and notice it's missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. |
 | Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. |
-| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user’s sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and cannot be removed from the computer. |
+| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and can't be removed from the computer. |
 ## Authentication design options
@@ -99,42 +93,30 @@ The following section presents several commonly used options and their respectiv
 **Passwords**
-A password is a secret string of characters that is tied to the identification credentials for a user’s account. This establishes the user’s identity. Although passwords are the most commonly used form of authentication, they are also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
+A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
-Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they cannot be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user’s password and impersonate that person’s identity. A user often will not realize that the password is compromised, which makes it is easy for a malicious user to maintain access to a system if a valid password has been obtained.
+Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. 
Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained.
 **One-time passwords**
-A one-time password (OTP) is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor cannot use it for any future transactions. Similarly, if a malicious user obtains a valid user’s OTP, the interceptor will have limited access to the system (only one session).
+A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session).
**Smart cards**
 Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
-- **Non-exportability**: Information stored on the card, such as the user’s private keys, cannot be extracted from one device and used in another medium.
+- **Non-exportability**: Information stored on the card, such as the user's private keys, can't be extracted from one device and used in another medium
+- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer can't observe the transactions
+- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken
-- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer cannot observe the transactions.
-
-- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken.
-
-Smart cards provide greatly enhanced security over passwords alone, because it is much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN. 
+Smart cards provide greatly enhanced security over passwords alone, because it's much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It's difficult for a thief to acquire the card and the PIN.
 Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone.
-Unfortunately, this additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and they also can be easily misplaced or stolen.
+The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them.
 **Virtual smart cards**
-To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers.
+Virtual smart cards emulate the functionality of traditional smart cards. 
Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices.
-Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They are also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there is no cost associated with purchasing new hardware. The user’s possession of a computer or device is equivalent to the possession of a smart card, and a user’s identity cannot be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
-
-## See also
-
-- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
-
-- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
-
-- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
-
-- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: non-exportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. 
The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index beb70ccddd..eb4d234c61 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -1,22 +1,18 @@
 ---
-title: Use Virtual Smart Cards (Windows 10)
-description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Use Virtual Smart Cards
+description: Learn about the requirements for virtual smart cards, how to use and manage them.
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
 
 # Use Virtual Smart Cards
 
-This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+Learn about the requirements for virtual smart cards, how to use and manage them.
 
 ## Requirements, restrictions, and limitations
 
@@ -24,9 +20,9 @@ This topic for the IT professional describes virtual smart card
 |-------------|---------------------------|
 | Supported operating systems | Windows Server 2016
                            Windows Server 2012 R2
                            Windows Server 2012
                            Windows 10
                            Windows 8.1
                            Windows 8 | | Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). | -| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

                            **Note**
                            You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they are always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
                            | -| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key is not generated. | -| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
                            The Administrative key must be entered as 48 hexadecimal characters. It is a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. | +| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

                            **Note**
                            You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
                            | +| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. | +| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
                            The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. | ## Using Tpmvscmgr.exe @@ -68,7 +64,7 @@ For more information about these Windows APIs, see: ## Distinguishing TPM-based virtual smart cards from physical smart cards -To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card. +To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card. ![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png) 
@@ -86,17 +82,17 @@ The PIN for a virtual smart card can be changed by following these steps: ### TPM not provisioned -For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it is not provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail. +For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail. If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created. -If the TPM ownership was established on a Windows Vista installation, the TPM will not be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards. +If the TPM ownership was established on a Windows Vista installation, the TPM won't be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards. If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system. ### TPM in lockout state -Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner’s password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked. 
When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool. +Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it's necessary to reset the lockout on the TPM by using the owner's password or to wait for the lockout to expire. Unblocking the user PIN doesn't reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it's blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool. ## See also diff --git a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png b/windows/security/identity-protection/vpn/images/custom-vpn-profile.png deleted file mode 100644 index b229c96b68..0000000000 Binary files a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png and /dev/null differ diff --git a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png b/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png deleted file mode 100644 index 9f4efabc3f..0000000000 Binary files a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png and /dev/null differ diff --git a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png b/windows/security/identity-protection/vpn/images/vpn-intune-policy.png deleted file mode 100644 index 4224979bbd..0000000000 Binary files a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png and /dev/null differ 
diff --git a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png b/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png
deleted file mode 100644
index 7277b7a598..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index d5725508e4..a6330f4ad8 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -295,9 +295,9 @@ The following sample is a sample plug-in VPN profile. This blob would fall under
 
 ## Apply ProfileXML using Intune
 
-After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
+After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
 
diff --git a/windows/security/images/fall-creators-update-next-gen-security.png b/windows/security/images/fall-creators-update-next-gen-security.png
deleted file mode 100644
index 62aaa46f8d..0000000000
Binary files a/windows/security/images/fall-creators-update-next-gen-security.png and /dev/null differ
diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg deleted file mode 100644 index 21a6b4f235..0000000000 --- a/windows/security/images/icons/accessibility.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg deleted file mode 100644 index ab2d5152ca..0000000000 --- a/windows/security/images/icons/powershell.svg +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - - - - - MsPortalFx.base.images-10 - - - - - - - - - - \ No newline at end of file diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg deleted file mode 100644 index dbbad7d780..0000000000 --- a/windows/security/images/icons/provisioning-package.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg deleted file mode 100644 index 06ab4c09d7..0000000000 --- a/windows/security/images/icons/registry.svg +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - - - - - Icon-general-18 - - - \ No newline at end of file diff --git a/windows/security/images/next-generation-windows-security-vision.png b/windows/security/images/next-generation-windows-security-vision.png deleted file mode 100644 index a598365cb7..0000000000 Binary files a/windows/security/images/next-generation-windows-security-vision.png and /dev/null differ diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png deleted file mode 100644 index e062b0d292..0000000000 Binary files a/windows/security/images/windows-security-app-w11.png and /dev/null differ 
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
deleted file mode 100644
index f928705138..0000000000
--- a/windows/security/includes/improve-request-performance.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!TIP]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.microsoft.com
-> - api-eu.securitycenter.microsoft.com
-> - api-uk.securitycenter.microsoft.com
diff --git a/windows/security/includes/intune-custom-settings-info.md b/windows/security/includes/intune-custom-settings-info.md
deleted file mode 100644
index 9509d5b13d..0000000000
--- a/windows/security/includes/intune-custom-settings-info.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-1.md b/windows/security/includes/intune-settings-catalog-1.md
deleted file mode 100644
index 2ddfc8d6b6..0000000000
--- a/windows/security/includes/intune-settings-catalog-1.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-To configure devices with Microsoft Intune, use the settings catalog:
-
- > [!TIP]
- > If you're browsing with an account that can create Intune policies, you can skip to step 5 by using this direct link to create a Settings catalog policy (opens in a new tab).
-
-1. Go to the Microsoft Endpoint Manager admin center
-2. Select **Devices > Configuration profiles > Create profile**
-3. Select **Platform > Windows 10 and later** and **Profile type > Settings catalog**
-4. Select **Create**
-5. Specify a **Name** and, optionally, a **Description** > **Next**
-6. In the settings picker, add the following settings:
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-2.md b/windows/security/includes/intune-settings-catalog-2.md
deleted file mode 100644
index 9558ed41a7..0000000000
--- a/windows/security/includes/intune-settings-catalog-2.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-7. Select **Next**
-8. Optionally, add *scope tags* > **Next**
-9. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-info.md b/windows/security/includes/intune-settings-catalog-info.md
deleted file mode 100644
index 8387d702ff..0000000000
--- a/windows/security/includes/intune-settings-catalog-info.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-For more information about how to create policies with the Intune settings catalog, see [Use the settings catalog to configure settings](/mem/intune/configuration/settings-catalog).
\ No newline at end of file
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
deleted file mode 100644
index d4b4560d8f..0000000000
--- a/windows/security/includes/machineactionsnote.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) for more information about response actions functionality via Microsoft Defender for Endpoint.
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
deleted file mode 100644
index 0b0b2be701..0000000000
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!NOTE]
->If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov#api).
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
deleted file mode 100644
index bd9a8d2c0d..0000000000
--- a/windows/security/includes/microsoft-defender.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> The improved [Microsoft 365 Defender portal](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. [Learn what's new](/microsoft-365/security/mtp/overview-security-center).
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md
deleted file mode 100644
index c0212561bd..0000000000
--- a/windows/security/includes/prerelease.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/includes/virtual-smart-card-deprecation-notice.md b/windows/security/includes/virtual-smart-card-deprecation-notice.md
new file mode 100644
index 0000000000..dea207534a
--- /dev/null
+++ b/windows/security/includes/virtual-smart-card-deprecation-notice.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/22/2023
+ms.topic: include
+---
+
+> [!WARNING]
+> [Windows Hello for Business](../identity-protection/hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
\ No newline at end of file
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 2aa8f670fe..ce7aece4b4 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -11,6 +11,7 @@ metadata:
 ms.technology: itpro-security
 ms.collection:
 - highpri
+ - tier1
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 12/19/2022
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index b917a468f8..daa9cba013 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -10,6 +10,7 @@ metadata:
 audience: ITPro
 ms.collection:
 - highpri
+ - tier1
 ms.topic: faq
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 32a6c0816b..bc4ad1b106 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -90,17 +90,17 @@ To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-ne
 
 ### Protecting Thunderbolt and other DMA ports
 
-There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
+There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
 
 You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
 
 ![Kernel DMA protection.](images/kernel-dma-protection.png)
 
-If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
+If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
 
 1. Require a password for BIOS changes
 
-2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
+2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
 
 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
 
@@ -141,7 +141,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo
 
 ### Tricking BitLocker to pass the key to a rogue operating system
 
-An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
+An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
 
 An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1.
Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index bb9df0cf68..e922e90f32 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -34,7 +34,7 @@ This article depicts the BitLocker deployment comparison chart.
 |*Cloud or on premises* | Cloud | On premises | On premises |
 |Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
 |*Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
-|*Administrative plane* | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
+|*Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
 |*Administrative portal installation required* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
 |*Compliance reporting capabilities* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
 |*Force encryption* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 811287a4d3..c0f495b8a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -8,6 +8,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 24016c5ca6..4f7256eadb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -10,6 +10,7 @@ metadata:
 audience: ITPro
 ms.collection:
 - highpri
+ - tier1
 ms.topic: faq
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 38d6bcb2f9..8b776366c3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 8398ff5cb5..3243fdb178 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -10,6 +10,7 @@ metadata:
 audience: ITPro
 ms.collection:
 - highpri
+ - tier1
 ms.topic: faq
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 5cc2a4ae6c..a3b7a72ca1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -8,6 +8,7 @@ author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 495549c66c..39eb80e0aa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -10,6 +10,7 @@ ms.reviewer: rafals
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
deleted file mode 100644
index 11ce21de12..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Breaking out of a BitLocker recovery loop
-description: This article for IT professionals describes how to break out of a BitLocker recovery loop.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection:
-  - highpri
-ms.topic: conceptual
-ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
----
-
-# Breaking out of a BitLocker recovery loop
-
-Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating.
-
-If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop:
-
-> [!NOTE]
-> Try these steps only after the device has been restarted at least once.
-
-1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**.
-
-2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
-
-3. From the WinRE command prompt, manually unlock the drive with the following command:
-
-```cmd
-manage-bde.exe -unlock C: -rp
-```
-
-4. Suspend the protection on the operating system with the following command:
-
-```cmd
-manage-bde.exe -protectors -disable C:
-```
-
-5. Once the command is run, exit the command prompt and continue to boot into the operating system.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index ea25cc99da..ba44582914 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index fe24fac2a4..1592e527a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/images/4509186-en-1.png b/windows/security/information-protection/bitlocker/images/4509186-en-1.png
deleted file mode 100644
index 11f986fb68..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509186-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509188-en-1.png b/windows/security/information-protection/bitlocker/images/4509188-en-1.png
deleted file mode 100644
index 5b5b7b1b4a..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509188-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509189-en-1.png b/windows/security/information-protection/bitlocker/images/4509189-en-1.png
deleted file mode 100644
index 8d243a1899..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509189-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509190-en-1.png b/windows/security/information-protection/bitlocker/images/4509190-en-1.png
deleted file mode 100644
index bd37969b5d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509190-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509191-en-1.png b/windows/security/information-protection/bitlocker/images/4509191-en-1.png
deleted file mode 100644
index 00ef607ab3..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509191-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509193-en-1.png b/windows/security/information-protection/bitlocker/images/4509193-en-1.png
deleted file mode 100644
index 2085613b3d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509193-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509194-en-1.png b/windows/security/information-protection/bitlocker/images/4509194-en-1.png
deleted file mode 100644
index f4506c399b..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509194-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509195-en-1.png b/windows/security/information-protection/bitlocker/images/4509195-en-1.png
deleted file mode 100644
index cbecb03c4e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509195-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509196-en-1.png b/windows/security/information-protection/bitlocker/images/4509196-en-1.png
deleted file mode 100644
index 01e94b1243..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509196-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509198-en-1.png b/windows/security/information-protection/bitlocker/images/4509198-en-1.png
deleted file mode 100644
index 9056658662..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509198-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509199-en-1.png b/windows/security/information-protection/bitlocker/images/4509199-en-1.png
deleted file mode 100644
index d68a22eef7..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509199-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509200-en-1.png b/windows/security/information-protection/bitlocker/images/4509200-en-1.png
deleted file mode 100644
index 689bb19299..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509200-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509201-en-1.png b/windows/security/information-protection/bitlocker/images/4509201-en-1.png
deleted file mode 100644
index d521e86eed..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509201-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509202-en-1.png b/windows/security/information-protection/bitlocker/images/4509202-en-1.png
deleted file mode 100644
index bfcd2326b6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509202-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509203-en-1.png b/windows/security/information-protection/bitlocker/images/4509203-en-1.png
deleted file mode 100644
index 05acc571fe..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509203-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509204-en-1.png b/windows/security/information-protection/bitlocker/images/4509204-en-1.png
deleted file mode 100644
index fa13f38ba9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509204-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509205-en-1.png b/windows/security/information-protection/bitlocker/images/4509205-en-1.png
deleted file mode 100644
index a4f5cc15d2..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509205-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509206-en-1.png b/windows/security/information-protection/bitlocker/images/4509206-en-1.png
deleted file mode 100644
index 7b7e449443..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509206-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg
deleted file mode 100644
index 95afbf2ccc..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg
deleted file mode 100644
index d2caa05b03..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg
deleted file mode 100644
index 14a30db7c4..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg
deleted file mode 100644
index e691dcbc53..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
deleted file mode 100644
index 40ddf183f6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png b/windows/security/information-protection/bitlocker/images/feedback-app-icon.png
deleted file mode 100644
index c600883c0e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg b/windows/security/information-protection/bitlocker/images/pcptool-output.jpg
deleted file mode 100644
index 91d10e6c66..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png b/windows/security/information-protection/bitlocker/images/psget-winevent-1.png
deleted file mode 100644
index 21adc928de..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png b/windows/security/information-protection/bitlocker/images/psget-winevent-2.png
deleted file mode 100644
index 2941452109..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png
deleted file mode 100644
index 53b374d26e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png
deleted file mode 100644
index bc299cc0e9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png b/windows/security/information-protection/bitlocker/images/ts-tpm-1.png
deleted file mode 100644
index 1bef01d587..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png b/windows/security/information-protection/bitlocker/images/ts-tpm-2.png
deleted file mode 100644
index d4d825029c..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png b/windows/security/information-protection/bitlocker/images/ts-tpm-3.png
deleted file mode 100644
index 2acac0f3ea..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png b/windows/security/information-protection/bitlocker/images/ts-tpm-4.png
deleted file mode 100644
index cb5b84d6b9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png b/windows/security/information-protection/bitlocker/images/ts-tpm-5.png
deleted file mode 100644
index 3b3cd2b961..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png b/windows/security/information-protection/bitlocker/images/ts-tpm-6.png
deleted file mode 100644
index 4e82b9b76e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png b/windows/security/information-protection/bitlocker/images/ts-tpm-7.png
deleted file mode 100644
index 8fb9446d93..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg deleted file mode 100644 index f1c25c116c..0000000000 Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg and /dev/null differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png deleted file mode 100644 index dfd30ba2a2..0000000000 Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.png and /dev/null differ diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 7126b41530..f84702dd1c 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -2,11 +2,11 @@ title: Information protection (Windows 10) description: Learn more about how to protect sensitive data across your organization. ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 10/10/2018 +ms.date: 03/09/2023 ms.technology: itpro-security --- 
@@ -18,7 +18,7 @@ Learn more about how to secure documents and other data across your organization
 |-|-|
 | [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
 | [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
-| [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to PCI accessible ports, such as Thunderbolt™ 3 ports. |
+| [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to PCI accessible ports, such as Thunderbolt™ 3 ports. |
 | [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
 | [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |
 | [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 234c8a6eba..49d276838c 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -1,12 +1,13 @@
 ---
 title: Kernel DMA Protection (Windows)
-description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.collection:
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 01/05/2023
 ms.technology: itpro-security
@@ -18,7 +19,7 @@ ms.technology: itpro-security - Windows 10 - Windows 11 -In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots) +In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots) Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. 
@@ -32,9 +33,9 @@ The DMA capability is what makes PCI devices the highest performing devices avai These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power to the system and disassemble the chassis. -Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress). +Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress). -Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs. +Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs. It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks. 
@@ -102,15 +103,15 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. - For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. + For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ## Frequently asked questions -### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? -In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. +### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? +In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. 
For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? -No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. +No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. ### How can I check if a certain driver supports DMA-remapping? DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping). 
@@ -122,7 +123,7 @@ Check the driver instance for the device you are testing. Some drivers may have ![Experience of a user about Kernel DMA protection](images/device-details-tab.png) -### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? +### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers). diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 0aed4ad1d1..3aa684f0c2 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/13/2022 +ms.date: 03/13/2023 --- 
@@ -17,245 +17,23 @@ ms.date: 12/13/2022 # Configure Personal Data Encryption (PDE) policies in Intune +The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. + ## Required prerequisites -### Enable Personal Data Encryption (PDE) +1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md) -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Navigate to **Devices** > **Configuration Profiles** - -3. Select **Create profile** - -4. Under **Platform**, select **Windows 10 and later** - -5. Under **Profile type**, select **Templates** - -6. Under **Template name**, select **Custom**, and then select **Create** - -7. In **Basics**: - - 1. Next to **Name**, enter **Personal Data Encryption** - 2. Next to **Description**, enter a description - -8. Select **Next** - -9. In **Configuration settings**, select **Add** - -10. In **Add Row**: - - 1. Next to **Name**, enter **Personal Data Encryption** - 2. Next to **Description**, enter a description - 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** - 4. Next to **Data type**, select **Integer** - 5. Next to **Value**, enter in **1** - -11. Select **Save**, and then select **Next** - -12. In **Assignments**: - - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the PDE policy should be deployed to - 3. Select **Select** - 4. Select **Next** - -13. In **Applicability Rules**, configure if necessary and then select **Next** - -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** - -### Disable Winlogon automatic restart sign-on (ARSO) - -1. 
Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Navigate to **Devices** > **Configuration Profiles** - -3. Select **Create profile** - -4. Under **Platform**, select **Windows 10 and later** - -5. Under **Profile type**, select **Templates** - -6. Under **Template name**, select **Administrative templates**, and then select **Create** - -7. In **Basics**: - - 1. Next to **Name**, enter **Disable ARSO** - 2. Next to **Description**, enter a description - -8. Select **Next** - -9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** - -10. Select **Sign-in and lock last interactive user automatically after a restart** - -11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** - -12. Select **Next** - -13. In **Scope tags**, configure if necessary and then select **Next** - -14. In **Assignments**: - - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the ARSO policy should be deployed to - 3. Select **Select** - 4. Select **Next** - -15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** +1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md) ## Security hardening recommendations -### Disable kernel-mode crash dumps and live dumps +1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md) -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md) -2. Navigate to **Devices** > **Configuration Profiles** +1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md) -3. Select **Create profile** - -4. 
Under **Platform**, select **Windows 10 and later** - -5. Under **Profile type**, select **Settings catalog**, and then select **Create** - -6. In **Basics**: - - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** - 2. Next to **Description**, enter a description - -7. Select **Next** - -8. In **Configuration settings**, select **Add settings** - -9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump** - -10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - -11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** - -12. In **Scope tags**, configure if necessary and then select **Next** - -13. In **Assignments**: - - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable crash dumps policy should be deployed to - 3. Select **Select** - 4. Select **Next** - -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** - -### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps - -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Navigate to **Devices** > **Configuration Profiles** - -3. Select **Create profile** - -4. Under **Platform**, select **Windows 10 and later** - -5. Under **Profile type**, select **Settings catalog**, and then select **Create** - -6. In **Basics**: - - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** - 2. Next to **Description**, enter a description - -7. Select **Next** - -8. In **Configuration settings**, select **Add settings** - -9. 
In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** - -10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - -11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next** - -12. In **Scope tags**, configure if necessary and then select **Next** - -13. In **Assignments**: - - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable WER dumps policy should be deployed to - 3. Select **Select** - 4. Select **Next** - -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** - -### Disable hibernation - -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Navigate to **Devices** > **Configuration Profiles** - -3. Select **Create profile** - -4. Under **Platform**, select **Windows 10 and later** - -5. Under **Profile type**, select **Settings catalog**, and then select **Create** - -6. In **Basics**: - - 1. Next to **Name**, enter **Disable Hibernation** - 2. Next to **Description**, enter a description - -7. Select **Next** - -8. In **Configuration settings**, select **Add settings** - -9. In the **Settings picker** window, under **Browse by category**, select **Power** - -10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - -11. Change **Allow Hibernate** to **Block**, and then select **Next** - -12. In **Scope tags**, configure if necessary and then select **Next** - -13. In **Assignments**: - - 1. Under **Included groups**, select **Add groups** - 2. 
Select the groups that the disable hibernation policy should be deployed to - 3. Select **Select** - 4. Select **Next** - -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** - -### Disable allowing users to select when a password is required when resuming from connected standby - -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Navigate to **Devices** > **Configuration Profiles** - -3. Select **Create profile** - -4. Under **Platform**, select **Windows 10 and later** - -5. Under **Profile type**, select **Settings catalog**, and then select **Create** - -6. In **Basics**: - - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** - 2. Next to **Description**, enter a description - -7. Select **Next** - -8. In **Configuration settings**, select **Add settings** - -9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon** - -10. When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - -11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next** - -12. In **Scope tags**, configure if necessary and then select **Next** - -13. In **Assignments**: - - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to - 3. Select **Select** - 4. Select **Next** - -14. 
In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** +1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md) ## See also diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml index c56effe008..01ba4b7b8e 100644 --- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml @@ -11,7 +11,7 @@ metadata: ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium - ms.date: 12/13/2022 + ms.date: 03/13/2023 # Max 5963468 OS 32516487 # Max 6946251 diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md index 2eb0fa2a66..1d6d83ff6c 100644 --- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md +++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md @@ -6,11 +6,11 @@ author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda manager: aaroncz -ms.topic: how-to +ms.topic: include ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/13/2022 +ms.date: 03/13/2023 --- diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 12709e8d35..1d9f7d5bd5 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md 
@@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/13/2022 +ms.date: 03/13/2023 --- @@ -35,7 +35,7 @@ ms.date: 12/13/2022 - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md). - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - Remote Desktop connections 
@@ -44,19 +44,19 @@ ms.date: 12/13/2022 - [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps). + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md). - [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps). + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md). 
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md). - [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: + When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - On-premises Active Directory joined devices: 
@@ -66,15 +66,15 @@ ms.date: 12/13/2022 The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. - - Workgroup devices, including native Azure AD joined devices: + - Workgroup devices, including Azure AD joined devices: - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. - Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured. + Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md). ### Highly recommended 
@@ -135,7 +135,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). +For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md). ## Differences between PDE and BitLocker diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md new file mode 100644 index 0000000000..9781fb82d7 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md 
@@ -0,0 +1,100 @@ +--- +title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune +description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/13/2023 +--- + +# Disable Winlogon automatic restart sign-on (ARSO) for PDE + +Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. + +## Disable Winlogon automatic restart sign-on (ARSO) in Intune + +To disable ARSO using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices** in the left pane. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. + +1. In the **Create profile** window that opens: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Templates**. + + 1. When the templates appear, under **Template name**, select **Administrative templates**. + + 1. Select **Create** to close the **Create profile** window. + +1. The **Create profile** screen will open. In the **Basics** page: + + 1. Next to **Name**, enter **Disable ARSO**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. On the left pane of the page, make sure **Computer Configuration** is selected. + + 1. Under **Setting name**, scroll down and select **Windows Components**. + + 1. Under **Setting name**, scroll down and select **Windows Logon Options**. 
You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option. + + 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**. + + 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**. + + 1. Select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. + + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. 
+ +## Additional PDE configurations in Intune + +The following PDE configurations can also be configured using Intune: + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md new file mode 100644 index 0000000000..19a5b9498e --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md 
@@ -0,0 +1,98 @@ +--- +title: Disable hibernation for PDE in Intune +description: Disable hibernation for PDE in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/13/2023 +--- + +# Disable hibernation for PDE + +Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. + +## Disable hibernation in Intune + +To disable hibernation using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices** in the left pane. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. + +1. In the **Create profile** window that opens: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create** to close the **Create profile** window. + +1. The **Create profile** screen will open. In the **Basics** page: + + 1. Next to **Name**, enter **Disable Hibernation**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. select **Add settings**. + + 1. In the **Settings picker** window that opens: + + 1. Under **Browse by category**, scroll down and select **Power**. + + 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. 
Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option. + + 1. Select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. + + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + +## Additional PDE configurations in Intune + +The following PDE configurations can also be configured using Intune: + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md new file mode 100644 index 0000000000..b9ab18802e --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md 
@@ -0,0 +1,96 @@ +--- +title: Disable kernel-mode crash dumps and live dumps for PDE in Intune +description: Disable kernel-mode crash dumps and live dumps for PDE in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/13/2023 +--- + +# Disable kernel-mode crash dumps and live dumps for PDE + +Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. + +## Disable kernel-mode crash dumps and live dumps in Intune + +To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices** in the left pane. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. + +1. In the **Create profile** window that opens: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create** to close the **Create profile** window. + +1. The **Create profile** screen will open. In the **Basics** page: + + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. Select **Add settings**. + + 1. In the **Settings picker** window that opens: + + 1. Under **Browse by category**, scroll down and select **Memory Dump**. + + 1. 
When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. + + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. 
+ +## Additional PDE configurations in Intune + +The following PDE configurations can also be configured using Intune: + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md new file mode 100644 index 0000000000..d61d11a19c --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md 
@@ -0,0 +1,118 @@ +--- +title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune +description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/13/2023 +--- + +# Disable allowing users to select when a password is required when resuming from connected standby for PDE + +When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: + +- On-premises Active Directory joined devices: + + - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. + + - A password is required immediately after the screen turns off. + + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. + +- Workgroup devices, including Azure AD joined devices: + + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. + + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. + +Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. 
+ +## Disable allowing users to select when a password is required when resuming from connected standby in Intune + +To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices** in the left pane. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. + +1. In the **Create profile** window that opens: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create** to close the **Create profile** window. + +1. The **Create profile** screen will open. In the **Basics** page: + + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. Select **Add settings**. + + 1. In the **Settings picker** window that opens: + + 1. Under **Browse by category**, expand **Administrative Templates**. + + 1. Under **Administrative Templates**, scroll down and expand **System**. + + 1. Under **System**, scroll down and select **Logon**. + + 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. 
Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. + + 1. select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. + + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + +## Additional PDE configurations in Intune + +The following PDE configurations can also be configured using Intune: + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md new file mode 100644 index 0000000000..f4a795887a --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md 
@@ -0,0 +1,102 @@ +--- +title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune +description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/13/2023 +--- + +# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE + +Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. + +## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune + +To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices** in the left pane. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. + +1. In the **Create profile** window that opens: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create** to close the **Create profile** window. + +1. The **Create profile** screen will open. In the **Basics** page: + + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. Select **Add settings**. + + 1. In the **Settings picker** window that opens: + + 1. Under **Browse by category**, expand **Administrative Templates**. + + 1. 
Under **Administrative Templates**, scroll down and expand **Windows Components**. + + 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it. + + 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. + + 1. Select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. + + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. 
+ +## Additional PDE configurations in Intune + +The following PDE configurations can also be configured using Intune: + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md new file mode 100644 index 0000000000..0052247b0b --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md 
@@ -0,0 +1,110 @@ +--- +title: Enable Personal Data Encryption (PDE) in Intune +description: Enable Personal Data Encryption (PDE) in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/13/2023 +--- + +# Enable Personal Data Encryption (PDE) + +By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device. + +> [!NOTE] +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. + +## Enable Personal Data Encryption (PDE) in Intune + +To enable Personal Data Encryption (PDE) using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices** in the left pane. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. + +1. In the **Create profile** window that opens: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Templates**. + + 1. When the templates appears, under **Template name**, select **Custom**. + + 1. Select **Create** to close the **Create profile** window. + +1. The **Custom** screen will open. In the **Basics** page: + + 1. 
Next to **Name**, enter **Personal Data Encryption**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In **Configuration settings** page: + + 1. Next to **OMA-URI Settings**, select **Add**. + + 1. In the **Add Row** window that opens: + + 1. Next to **Name**, enter **Personal Data Encryption**. + + 1. Next to **Description**, enter a description. + + 1. Next to **OMA-URI**, enter in **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**. + + 1. Next to **Data type**, select **Integer**. + + 1. Next to **Value**, enter in **1**. + + 1. Select **Save** to close the **Add Row** window. + + 1. Select **Next** + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. + + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Applicability Rules**, configure if necessary and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. 
+ +## Additional PDE configurations in Intune + +The following PDE configurations can also be configured using Intune: + +### Required prerequisites + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) + diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index edec923f61..be0c4f800d 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md 
@@ -2,24 +2,21 @@ title: Secure the Windows boot process description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications. ms.prod: windows-client -ms.localizationpriority: medium -author: dansimp +ms.author: paoloma +author: paolomatarazzo manager: aaroncz -ms.collection: +ms.collection: - highpri + - tier1 ms.topic: conceptual -ms.date: 05/12/2022 -ms.author: dansimp +ms.date: 03/09/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later --- # Secure the Windows boot process -*Applies to:* - -- Windows 11 -- Windows 10 -- Windows 8.1 The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings. 
@@ -91,13 +88,13 @@ To trust and boot operating systems, like Linux, and components signed by the UE 1. Open the firmware menu, either: - - Boot the PC, and press the manufacturer’s key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there’s often a screen that mentions the key. If there’s not one, or if the screen goes by too fast to see it, check your manufacturer’s site. + - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site. - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings. -2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the “3rd Party CA”. +2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA". -3. Save changes and exit. +3. Save changes and exit. Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust. @@ -132,6 +129,8 @@ Depending on the implementation and configuration, the server can now determine Figure 2 illustrates the Measured Boot and remote attestation process. + + ![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png) *Figure 2. Measured Boot proves the PC's health to a remote server* 
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 5545248585..2779296ea9 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -1,30 +1,20 @@ --- -title: Back up the TPM recovery information to AD DS (Windows) -description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information. -ms.reviewer: +title: Back up TPM recovery information to Active Directory +description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory. ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/03/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 11 +- ✅ Windows Server 2016 and later --- # Back up the TPM recovery information to AD DS -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +In Windows 11, you can back up a device's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS), enabling remote management of the TPM. -**Does not apply to** - -- Windows 10, version 1607 or later - -With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) \ No newline at end of file +For more information, see [Back up the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). 
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
deleted file mode 100644
index 5fabd8a69f..0000000000
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ /dev/null
@@ -1,54 +0,0 @@ ---- -title: Change the TPM owner password (Windows) -description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -ms.reviewer: -ms.prod: windows-client -author: dansimp -ms.author: dansimp -manager: aaroncz -ms.topic: conceptual -ms.date: 01/18/2022 -ms.technology: itpro-security ---- - -# Change the TPM owner password - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. - -## About the TPM owner password - -Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. - -> [!IMPORTANT] -> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. For Windows 10 versions newer than 1703 the default value for this key is 5. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. Unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved. - -Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. 
Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. - -Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI. - -### Other TPM management options - -Instead of changing your owner password, you can also use the following options to manage your TPM: - -- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). - -- **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, or Windows 11, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm). - -## Change the TPM owner password - -With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. - -To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout. - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) 
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index df275cf0b3..be0cadec4a 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -1,48 +1,39 @@ --- title: How Windows uses the TPM -description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security. -ms.reviewer: +description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security. ms.prod: windows-client -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/03/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # How Windows uses the Trusted Platform Module -The Windows operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a PC that contains a TPM. - - -**See also:** -- [Windows 11 Specifications](https://www.microsoft.com/windows/windows-11-specifications) - -- [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) - -- [TPM Fundamentals](tpm-fundamentals.md) - -- [TPM Recommendations](tpm-recommendations.md)  +The Windows operating system places hardware-based security deeper inside many features, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). 
This article offers an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a device with a TPM. ## TPM Overview The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more. -Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. +Historically, TPMs have been discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. 
TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the operating system is reinstalled, the TPM may be required to be explicitly reprovisioned before it can use all the TPM's features. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). -OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. 
For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*. +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*. -The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not. +The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. 
There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't. -Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. +Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. -## TPM in Windows +## TPM in Windows The security features of Windows combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows and go on to describe how key technologies use the TPM to enable or increase security. 
@@ -52,25 +43,27 @@ Windows includes a cryptography framework called *Cryptographic API: Next Genera
 Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
-The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively:
+The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
-- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
+- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use.
The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
-- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
+- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time.
Software solutions might provide similar features, but they can't provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
-These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically.
+These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider.
If a certificate is configured as not able to be exported, the private key for the certificate is restricted and can't be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically.
 ## Virtual Smart Card
-Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
-In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses.
+Smart cards are physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN).
However, smart cards can be expensive because they require purchase and deployment of both smart cards and smart card readers.
-For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
+In Windows, the *Virtual Smart Card* feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
+
+For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
## Windows Hello for Business
-Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name – password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
+Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, username/password solutions for authentication often reuse the same credential combinations on multiple devices and services. If those credentials are compromised, they are compromised in multiple places. Windows Hello for Business combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition.
To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
 The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889).
@@ -87,21 +80,21 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
 ## BitLocker Drive Encryption
-BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data.
+BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
-In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions.
If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
+In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
-- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value.
The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
+- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM.
Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
-- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted.
If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
+- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process can't proceed normally because the data on the operating system can't be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
-Device hardware characteristics are important to BitLocker and its ability to protect data.
One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
+Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
-Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors.
The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
+Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the "TPM-only" configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
 ## Device Encryption
-Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
+Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account.
The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the "TPM-only" configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
 For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
@@ -111,7 +104,7 @@ Windows 8 introduced Measured Boot as a way for the operating system to record t
 The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
-Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted.
+Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted.
 TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware.
@@ -124,7 +117,6 @@ When new security features are added to Windows, Measured Boot adds security-rel
 :::image type="content" alt-text="Process to Create Evidence of Boot Software and Configuration Using TPM." source="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png" lightbox="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png":::
 *Figure 2: Process used to create evidence of boot software and configuration using a TPM*
-
 ## Health Attestation
 Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.
@@ -133,25 +125,25 @@ Mobile device management (MDM) solutions can receive simple security assertions ## Credential Guard -Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization. +Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization. -Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. 
This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. +Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel can't access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment can't tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. -The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows. 
+The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it can't access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows. ## Conclusion -The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. +The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM's major features.
                            |Feature | Benefits when used on a system with a TPM| |---|---| -| Platform Crypto Provider |
                            • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
                            • The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
                            | +| Platform Crypto Provider |
                            • If the machine is compromised, the private key associated with the certificate can't be copied off the device.
                            • The TPM's dictionary attack mechanism protects PIN values to use a certificate.
                            | | Virtual Smart Card |
                            • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
                            | -| Windows Hello for Business |
                            • Credentials provisioned on a device cannot be copied elsewhere.
                            • Confirm a device’s TPM before credentials are provisioned.
                            | +| Windows Hello for Business |
                            • Credentials provisioned on a device can't be copied elsewhere.
                            • Confirm a device's TPM before credentials are provisioned.
                            | | BitLocker Drive Encryption |
                            • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
                            | -|Device Encryption |
                            • With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
                            | +|Device Encryption |
                            • With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection.
                            | | Measured Boot |
                            • A hardware root of trust contains boot measurements that help detect malware during remote attestation.
                            | | Health Attestation |
                            • MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
                            | | Credential Guard |
                            • Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
                            |
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index dc54432a56..530666774a 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,66 +1,58 @@ --- -title: Troubleshoot the TPM (Windows) -description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM). -ms.reviewer: +title: Troubleshoot the TPM +description: Learn how to view and troubleshoot the Trusted Platform Module (TPM). ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz -ms.collection: - - highpri ms.topic: conceptual -ms.date: 09/06/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.collection: +- highpri +- tier1 --- # Troubleshoot the TPM -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +This article provides information how to troubleshoot the Trusted Platform Module (TPM): -This article provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM): +- [Troubleshoot TPM initialization](#tpm-initialization) +- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) -- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization) - -- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) - -With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also take the following actions: - -- [Turn on or turn off the TPM](#turn-on-or-turn-off) +With TPM 1.2 and Windows 11, you can also take the following actions: +- [Turn on or turn off the TPM](#turn-on-or-turn-off) For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). ## About TPM initialization and ownership -Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password. 
+Windows automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you had to initialize the TPM and create an owner password. -## Troubleshoot TPM initialization +### TPM initialization If you find that Windows isn't able to initialize the TPM automatically, review the following information: -- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article. +- You can try clearing the TPM to the factory default values, allowing Windows to reinitialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) +- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system +- If you have TPM 1.2 with Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will reinitialize it +- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. 
If you have a non-Microsoft driver installed, remove it, and then allow the operating system to initialize the TPM -- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system. +### Network connection issues for domain-joined Windows 11 devices -- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it. +If you have Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist: -- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM. +- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through group policy +- A domain controller can't be reached. 
This scenario may occur on a device that is currently disconnected from the internal network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter) -### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11 +If these issues occur, an error message appears, and you can't complete the initialization process. To avoid the issue, allow Windows to initialize the TPM while you're connected to the corporate network, and you can contact a domain controller. -If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist: +### Systems with multiple TPMs -- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy. - -- A domain controller can't be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter). - -If these issues occur, an error message appears, and you can't complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you're connected to the corporate network and you can contact a domain controller. - -### Troubleshoot systems with multiple TPMs - -Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article. 
+Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows doesn't support this configuration. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs, you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm). For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection isn't changed. 
@@ -68,83 +60,58 @@ For example, toggling TPMs will cause BitLocker to enter recovery mode. We stron You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM isn't cleared before a new operating system is installed, most TPM functionality will probably work correctly. -Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again. +Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically reinitialize it and take ownership again. > [!WARNING] -> Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.” +> Clearing the TPM can result in data loss. For more information, see the next section, "Precautions to take before clearing the TPM." ### Precautions to take before clearing the TPM Clearing the TPM can result in data loss. To protect against such loss, review the following precautions: -- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM. - -- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator. - -- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. 
For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article. - -- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI. - -- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website. +- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM +- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator +- If you want to temporarily suspend TPM operations on Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm) +- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI +- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. **To clear the TPM** 1. Open the Windows Defender Security Center app. +1. Select **Device security**. +1. Select **Security processor details**. +1. Select **Security processor troubleshooting**. +1. Select **Clear TPM**. + - You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. + - After the device restarts, your TPM will be automatically prepared for use by Windows. -2. Select **Device security**. - -3. 
Select **Security processor details**. - -4. Select **Security processor troubleshooting**. - -5. Select **Clear TPM**. - -6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. - -7. After the PC restarts, your TPM will be automatically prepared for use by Windows. - -## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher) +## Turn on or turn off the TPM Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. ### Turn on the TPM -If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. +If you want to use the TPM after you've turned it off, you can use the following procedure to turn on the TPM. -**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 and higher)** +1. Open the TPM MMC (tpm.msc). +1. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. +1. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. - -3. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. - - After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM. +After the device restarts, but before you sign in to Windows, you'll be prompted to accept the reconfiguration of the TPM. 
The acceptance ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM. ### Turn off the TPM If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. -**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 and higher)** - -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page. - -3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: - - - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**. - - - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. - - - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. +1. Open the TPM MMC (`tpm.msc`). +1. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page. +1. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: + - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. 
In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.
+ - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
+ - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
 ## Use the TPM cmdlets
 You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
-
-## Related articles
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of articles)
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
deleted file mode 100644
index 1ec4c72de8..0000000000
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ /dev/null
@@ -1,80 +0,0 @@ ---- -title: Manage TPM commands (Windows) -description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. -ms.author: dansimp -ms.prod: windows-client -author: dulcemontemayor -manager: aaroncz -ms.topic: conceptual -ms.date: 09/06/2021 -ms.technology: itpro-security ---- - -# Manage TPM commands - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. - -After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. - -The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group. - -**To block TPM commands by using the Local Group Policy Editor** - -1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - - > [!NOTE] - > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). - -2. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. - -3. Under **System**, click **Trusted Platform Module Services**. - -4. 
In the details pane, double-click **Configure the list of blocked TPM commands**. - -5. Click **Enabled**, and then click **Show**. - -6. For each command that you want to block, click **Add**, enter the command number, and then click **OK**. - - > [!NOTE] - > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/). - -7. After you have added numbers for each command that you want to block, click **OK** twice. - -8. Close the Local Group Policy Editor. - -**To block or allow TPM commands by using the TPM MMC** - -1. Open the TPM MMC (tpm.msc) - -2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - -3. In the console tree, click **Command Management**. A list of TPM commands is displayed. - -4. In the list, select a command that you want to block or allow. - -5. Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. - -**To block new commands** - -1. Open the TPM MMC (tpm.msc). - - If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - -2. In the console tree, click **Command Management**. A list of TPM commands is displayed. - -3. In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed. - -4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list. - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). 
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
deleted file mode 100644
index b348034a8d..0000000000
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Manage TPM lockout (Windows)
-description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-ms.reviewer:
-ms.author: dansimp
-ms.prod: windows-client
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
----
-# Manage TPM lockout
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-
-## About TPM lockout
-
-The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode.
-
-TPM ownership is taken upon first boot by Windows. By default, Windows does not retain the TPM owner password.
-
-In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
-
-**TPM 1.2**
-
-The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips.
TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time. - -**TPM 2.0** - -TPM 2.0 devices have standardized lockout behavior, which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event, which increases the counter will cause the counter to decrease by 1. - -If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher. - -## Reset the TPM lockout by using the TPM MMC - -> [!NOTE] -> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 and higher. - -The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. - -**To reset the TPM lockout** - -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. - -3. Choose one of the following methods to enter the TPM owner password: - - - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. 
- - - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. - - > [!NOTE] - > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. - -## Use Group Policy to manage TPM lockout settings - -The TPM Group Policy settings in the following list are located at: - -**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** - -- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration) - - This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. - -- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold) - - This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. 
- -- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold) - - This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. - -For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering). - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index ef5a4ad22d..de49d856c6 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md 
@@ -1,70 +1,63 @@ --- -title: Understanding PCR banks on TPM 2.0 devices (Windows) -description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices. -ms.reviewer: +title: UnderstandPCR banks on TPM 2.0 devices +description: Learn about what happens when you switch PCR banks on TPM 2.0 devices. ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/06/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- -# Understanding PCR banks on TPM 2.0 devices +# PCR banks on TPM 2.0 devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This article provides background about what happens when you switch PCR banks on TPM 2.0 devices. -For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices. +A *Platform Configuration Register (PCR)* is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*. -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes – the size of a SHA-1 digest. 
Multiple PCRs associated with the same hashing algorithm are referred to as a PCR bank.
+To store a new value in a PCR, the existing value is extended with a new value as follows: `PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend)`
-To store a new value in a PCR, the existing value is extended with a new value as follows:
-PCR\[N\] = HASHalg( PCR\[N\] || ArgumentOfExtend )
+The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. The computed digest becomes the new value of the PCR.
-The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed digest becomes the new value of the PCR.
+The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps to ensure that the value of those PCRs can only be modified via the TPM Extend operation.
-The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation.
-
-Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM.
Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log.
+Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs can't be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log.
 ## How does Windows use PCRs?
-To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
+To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values.\
+For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
-It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR.
For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match.
+It's important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match.
 ## What happens when PCR banks are switched?
 When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
-As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
+As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled.
 ## What can I do to switch PCRs when BitLocker is already active?
-Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor.
+Before switching PCR banks, you should suspend or disable BitLocker or have the recovery key ready. For steps on how to switch PCR banks on your PC, contact your OEM or UEFI vendor.
 ## How can I identify which PCR bank is being used?
-A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
+You can configure a TPM to have multiple PCR banks active. When BIOS performs measurements, it does so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it doesn't support or *cap* PCR banks that it doesn't support by extending a separator. The following registry value identifies which PCR banks are active:
-- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
                            -- DWORD: TPMActivePCRBanks
                            -- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.)
+- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices`
+- DWORD: `TPMActivePCRBanks`
+- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.)
-Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met.
+Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met.
-You can identify which PCR bank is currently used by Windows by looking at the registry.
+You can identify which PCR bank is currently used by Windows by looking at the registry:
-- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
                            -- DWORD: TPMDigestAlgID
                            -- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.)
+- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices`
+- DWORD: `TPMDigestAlgID`
+- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.)
-Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted.
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
+Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted.
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 60e31fc6af..efa0bfa418 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -1,71 +1,62 @@
 ---
-title: Trusted Platform Module (TPM) fundamentals (Windows)
-description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
-ms.reviewer:
+title: Trusted Platform Module (TPM) fundamentals
+description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
 ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
 manager: aaroncz
 ms.topic: conceptual
-ms.date: 12/27/2021
+ms.date: 03/09/2023
 ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
 # TPM fundamentals
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and later
+This article provides a description of the *Trusted Platform Module* (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks.
-This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
+A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus.
-A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus.
+Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called *wrapping* or *binding a key*, can help protect the key from disclosure.
Each TPM has a *master wrapping key*, called the *storage root key*, which is stored within the TPM itself. The private portion of a storage root key, or *endorsement key*, that is created in a TPM is never exposed to any other component, software, process, or user.
-Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.
+You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM.
-You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
-
-Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM.
With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. +Devices that incorporate a TPM can also create a key wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as *sealing the key to the TPM*. Decrypting the key is called *unsealing*. The TPM can also seal and unseal data that is generated outside the TPM. With sealed key and software, such as BitLocker Drive Encryption, data can be locked until specific hardware or software conditions are met. With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software. -For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). +For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). 
The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). The following sections provide an overview of the technologies that support the TPM: -- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation) +- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation) +- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card) +- [TPM-based certificate storage](#tpm-based-certificate-storage) +- [TPM Cmdlets](#tpm-cmdlets) +- [Physical presence interface](#physical-presence-interface) +- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization) +- [Endorsement keys](#endorsement-keys) +- [TPM Key Attestation](#key-attestation) +- [Anti-hammering](#anti-hammering) -- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card) - -- [TPM-based certificate storage](#tpm-based-certificate-storage) - -- [TPM Cmdlets](#tpm-cmdlets) - -- [Physical presence interface](#physical-presence-interface) - -- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization) - -- [Endorsement keys](#endorsement-keys) - -- [TPM Key Attestation](#key-attestation) - -- [Anti-hammering](#anti-hammering) - -The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: +The following article describes the TPM services that can be controlled centrally by using Group Policy settings: [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). ## Measured Boot with support for attestation -The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. 
Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
+The *Measured Boot* feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
 ## TPM-based Virtual Smart Card
-The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the device.
If a user needs to use more than one device, a Virtual Smart Card must be issued to the user for each device. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
 ## TPM-based certificate storage
-The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The KSP is managed by templates in the UI. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal).
+The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal).
 ## TPM Cmdlets
@@ -73,7 +64,7 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
 ## Physical presence interface
-For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them.
+For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically can't be automated with scripts or other automation tools unless the individual OEM supplies them.
 ## TPM 1.2 states and initialization
@@ -81,59 +72,53 @@ TPM 1.2 has multiple possible states. Windows automatically initializes the TPM,
## Endorsement keys
-A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it is never revealed or accessible outside the TPM.
+A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it's never revealed or accessible outside the TPM.
## Key attestation
-TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
+*TPM key attestation* allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by non-exportability, anti-hammering, and isolation of keys provided by a TPM.
## Anti-hammering
-When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM is used to create a cryptographic key that is not disclosed outside the TPM. It is used in the TPM after the correct authorization value is provided.
+When a TPM processes a command, it does so in a protected environment. For example a dedicated micro controller on a discrete chip, or a special hardware-protected mode on the main CPU.
A TPM is used to create a cryptographic key that isn't disclosed outside the TPM. It's used in the TPM after the correct authorization value is provided.
-TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
+TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys isn't technically practical, so TPMs have a global lockout when too many authorization failures occur.
-Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
+Because many entities can use the TPM, a single authorization success can't reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM doesn't enter a lockout state unnecessarily.
A TPM owner password can be used to reset the TPM's lockout logic.
-### TPM 2.0 anti-hammering
+### TPM 2.0 anti-hammering
-TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry.
+TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry.
-For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
+For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
-Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes.
If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
+Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked.\
+After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation.\
+With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again.
-Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
+Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated.\
+Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
-The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
+The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM, and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
-In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours.
+In some implementations, the TPM owner authorization value is stored centrally in Active Directory, and not on the local system. An administrator can execute `tpm.msc` and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it's used to reset the lockout time. If the TPM owner password isn't available on the local system, the administrator must provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM doesn't allow another attempt to reset the lockout state for 24 hours.
-TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
+TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked.
For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
### Rationale behind the defaults
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
-Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
-Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker.
Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
+Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
-
-- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered.
With a virtual smart card, the TPM’s anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
-
-- Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
-
-- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait 10 minutes or use some other credential to sign in, such as a user name and password.
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/)
-- [TPM WMI providers](/windows/win32/secprov/security-wmi-providers-reference)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations)
+- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered.
+ With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors
+- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements
+- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index aab2d0711e..49ae107749 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -1,36 +1,32 @@
---
title: TPM recommendations (Windows)
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
-ms.reviewer:
ms.prod: windows-client
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/02/2023
+ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.collection: - highpri
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
+ - tier1
---
# TPM recommendations
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md).
## TPM design and implementation
-Traditionally, TPMs are discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+Traditionally, TPMs are discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption.
Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms.
The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index f768669a7c..2c2f23d5cb 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -1,46 +1,38 @@
---
-title: Trusted Platform Module Technology Overview (Windows)
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.reviewer:
+title: Trusted Platform Module Technology Overview
+description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: windows-client
-ms.localizationpriority: high
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/22/2023
+ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.collection: - highpri
-ms.topic: conceptual
-adobe-target: true
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ - tier1
---
# Trusted Platform Module Technology Overview
-**Applies to**
-- Windows 11
-- Windows 10
-- Windows Server 2022
-- Windows Server 2019
-- Windows Server 2016
-
-This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
+This article describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
## Feature description
-[Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM.
Some of the key advantages of using TPM technology are that you can:
+The [*Trusted Platform Module (TPM)*](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
-- Generate, store, and limit the use of cryptographic keys.
-
-- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it.
-
-- Help ensure platform integrity by taking and storing security measurements.
+- Generate, store, and limit the use of cryptographic keys
+- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip
+- Help ensure platform integrity by taking and storing security measurements of the boot process
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them.
If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
-Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
+Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
### Automatic initialization of the TPM with Windows
@@ -50,11 +42,11 @@ In certain specific enterprise scenarios limited to Windows 10, versions 1507 an
## Practical applications
-Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
+Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and can't be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
-Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
+Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
@@ -66,16 +58,14 @@ For more info on new and changed functionality for Trusted Platform Module in Wi
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
-Some things that you can check on the device are:
+Some security issues that you can check on the device include the following:
-- Is Data Execution Prevention supported and enabled?
-
-- Is BitLocker Drive Encryption supported and enabled?
-
-- Is SecureBoot supported and enabled?
+- Is Data Execution Prevention supported and enabled?
+- Is BitLocker Drive Encryption supported and enabled?
+- Is SecureBoot supported and enabled?
> [!NOTE]
-> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+> Windows supports Device Health Attestation with TPM 2.0. TPM 2.0 requires UEFI firmware. A device with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
@@ -83,16 +73,3 @@ Some things that you can check on the device are:
|-------------|-------------|-------------|---------------------|---------------------|---------------------|
| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [Details on the TPM standard](https://www.microsoft.com/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
-- [TPM Base Services Portal](/windows/desktop/TBS/tpm-base-services-portal)
-- [TPM Base Services API](/windows/desktop/api/_tbs/)
-- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
-- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
-- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
-- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index b6ff1df198..beefbdf4be 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,22 +1,20 @@
---
title: TPM Group Policy settings (Windows)
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-ms.reviewer:
ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
ms.topic: conceptual
-ms.date: 09/06/2021
+ms.date: 02/02/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# TPM Group Policy settings
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index 300fe10913..fb8113bcd3 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -2,24 +2,22 @@
title: Trusted Platform Module (Windows)
description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: windows-client
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/02/2023
+ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.collection: - highpri
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
+ - tier1
---
# Trusted Platform Module
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details.
@@ -29,7 +27,7 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
 | [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
 | [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
 | [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
-| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. |
+| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer's TPM information to Active Directory Domain Services. |
 | [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. |
 | [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
 | [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 7f88cdd683..9c6f0e7bf8 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -3,9 +3,9 @@ title: Unenlightened and enlightened app behavior while using Windows Informatio
 description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: aaroncz
+author: aczechowski
+ms.author: aaroncz
+manager: dougeby
 ms.topic: conceptual
 ms.date: 02/26/2019
 ms.reviewer:
@@ -21,8 +21,8 @@ Windows Information Protection (WIP) classifies apps into two categories: enligh
 To avoid the automatic encryption of data, developers can enlighten apps by adding and compiling code using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
-- Don’t use common controls for saving files.
-- Don’t use common controls for text boxes.
+- Don't use common controls for saving files.
+- Don't use common controls for text boxes.
 - Simultaneously work on personal and corporate data (for example, contact apps that display personal and corporate data in a single view or a browser that displays personal and corporate web pages on tabs within a single instance).
 We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
@@ -35,8 +35,8 @@ This table includes info about how unenlightened apps might behave, based on you
 |App rule setting|Networking policy configuration|
 |--- |--- |
-|**Not required.** App connects to enterprise cloud resources directly, using an IP address.| **Name-based policies, without the `/*AppCompat*/` string:**
                          • App is entirely blocked from both personal and enterprise cloud resources.
                          • No encryption is applied.
                          • App can’t access local Work files.

                            **Name-based policies, using the `/*AppCompat*/` string or proxy-based policies:**
                          • App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.
                          • No encryption is applied.
                          • App can’t access local Work files.|
-|**Not required.** App connects to enterprise cloud resources, using a hostname.|
                          • App is blocked from accessing enterprise cloud resources, but can access other network resources.
                          • No encryption is applied.
                          • App can’t access local Work files.|
+|**Not required.** App connects to enterprise cloud resources directly, using an IP address.| **Name-based policies, without the `/*AppCompat*/` string:**
                          • App is entirely blocked from both personal and enterprise cloud resources.
                          • No encryption is applied.
                          • App can't access local Work files.

                            **Name-based policies, using the `/*AppCompat*/` string or proxy-based policies:**
                          • App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.
                          • No encryption is applied.
                          • App can't access local Work files.|
+|**Not required.** App connects to enterprise cloud resources, using a hostname.|
                          • App is blocked from accessing enterprise cloud resources, but can access other network resources.
                          • No encryption is applied.
                          • App can't access local Work files.|
 |**Allow.** App connects to enterprise cloud resources, using an IP address or a hostname.|
                          • App can access both personal and enterprise cloud resources.
                          • Auto-encryption is applied.
                          • App can access local Work files.|
 |**Exempt.** App connects to enterprise cloud resources, using an IP address or a hostname.|
                          • App can access both personal and enterprise cloud resources.
                          • No encryption is applied.
                          • App can access local Work files.|
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 191ef91d6d..57ae3bc952 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -3,9 +3,9 @@ title: How to collect Windows Information Protection (WIP) audit event logs (Win
 description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: aaroncz
+author: aczechowski
+ms.author: aaroncz
+manager: dougeby
 ms.topic: conceptual
 ms.date: 02/26/2019
 ms.reviewer:
@@ -27,7 +27,7 @@ Windows Information Protection (WIP) creates audit events in the following situa
 - If an app has custom audit events.
 ## Collect WIP audit logs by using the Reporting configuration service provider (CSP)
-Collect the WIP audit logs from your employee’s devices by following the guidance provided by the [Reporting configuration service provider (CSP)](/windows/client-management/mdm/reporting-csp) documentation. This topic provides info about the actual audit events.
+Collect the WIP audit logs from your employee's devices by following the guidance provided by the [Reporting configuration service provider (CSP)](/windows/client-management/mdm/reporting-csp) documentation. This topic provides info about the actual audit events.
 >[!Note]
 >The **Data** element in the response includes the requested audit logs in an XML-encoded format.
@@ -53,12 +53,12 @@ This table includes all available attributes/elements for the **Log** element. T
 |Object |String |A description of the shared work data. For example, if an employee opens a work file by using a personal app, this would be the file path. |
 |DataInfo |String |Any additional info about how the work file changed:
                            • **A file path.** If an employee uploads a work file to a personal website by using Microsoft Edge or Internet Explorer, the file path is included here.
                            • **Clipboard data types.** If an employee pastes work data into a personal app, the list of clipboard data types provided by the work app are included here. For more info, see the [Examples](#examples) section of this topic.
                            |
 |Action |Int |Provides info about what happened when the work data was shared to personal, including:
                            • **1.** File decrypt.
                            • **2.** Copy to location.
                            • **3.** Send to recipient.
                            • **4.** Other.
                            |
-|FilePath |String |The file path to the file specified in the audit event. For example, the location of a file that’s been decrypted by an employee or uploaded to a personal website. |
+|FilePath |String |The file path to the file specified in the audit event. For example, the location of a file that's been decrypted by an employee or uploaded to a personal website. |
 |SourceApplicationName |String |The source app or website. For the source app, this is the AppLocker identity. For the source website, this is the hostname. |
-|SourceName |String |A string provided by the app that’s logging the event. It’s intended to describe the source of the work data. |
-|DestinationEnterpriseID |String |The enterprise ID value for the app or website where the employee is sharing the data.

                            **NULL**, **Personal**, or **blank** means there’s no enterprise ID because the work data was shared to a personal location. Because we don’t currently support multiple enrollments, you’ll always see one of these values. |
+|SourceName |String |A string provided by the app that's logging the event. It's intended to describe the source of the work data. |
+|DestinationEnterpriseID |String |The enterprise ID value for the app or website where the employee is sharing the data.

                            **NULL**, **Personal**, or **blank** means there's no enterprise ID because the work data was shared to a personal location. Because we don't currently support multiple enrollments, you'll always see one of these values. |
 |DestinationApplicationName |String |The destination app or website. For the destination app, this is the AppLocker identity. For the destination website, this is the hostname. |
-|DestinationName |String |A string provided by the app that’s logging the event. It’s intended to describe the destination of the work data. |
+|DestinationName |String |A string provided by the app that's logging the event. It's intended to describe the destination of the work data. |
 |Application |String |The AppLocker identity for the app where the audit event happened. |
 ### Examples
@@ -127,10 +127,10 @@ Here are a few examples of responses from the Reporting CSP.
 C:\Users\TestUser\Desktop\tmp\demo\Work document.docx 1 - O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 Personal - O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 - O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2
@@ -185,22 +185,22 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour
 4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: `MMASetup-.exe /c /t:`
- Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
+ Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
 5. To deploy MSI via Intune, in installation parameters add: `/q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1`
- >[!NOTE]
- >Replace & received from step 5. In installation parameters, don't place & in quotes ("" or '').
+ >[!NOTE]
+ >Replace & received from step 5. In installation parameters, don't place & in quotes ("" or '').
 6. After the agent is deployed, data will be received within approximately 10 minutes.
 7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search.
- ***Example***
+ ***Example***
- ```console
- Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
- ```
+ ```console
+ Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
+ ```
 ## Additional resources
 - [How to deploy app via Intune](/intune/apps-add)
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 12fd396283..f615270cec 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -3,9 +3,9 @@ title: Associate and deploy a VPN policy for Windows Information Protection (WIP
 description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: aaroncz
+author: aczechowski
+ms.author: aaroncz
+manager: dougeby
 ms.topic: conceptual
 ms.date: 02/26/2019
 ms.reviewer:
@@ -24,7 +24,7 @@ After you've created and deployed your Windows Information Protection (WIP) poli
 To associate your WIP policy with your organization's existing VPN policy, use the following steps:
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
@@ -43,7 +43,7 @@ To associate your WIP policy with your organization's existing VPN policy, use t
 - **Name**: Enter a name for your setting. For example, enter `EDPModeID`.
 - **OMA-URI**: Enter `./Vendor/MSFT/VPNv2/YourVPNProfileName/EDPModeId`.
 - **Data type**: Select `String`.
- - **Value**: Type your fully-qualified domain that should be used by the OMA-URI setting. For example, enter `corp.contoso.com`.
+ - **Value**: Type your fully qualified domain that should be used by the OMA-URI setting. For example, enter `corp.contoso.com`.
 For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
@@ -51,9 +51,9 @@ To associate your WIP policy with your organization's existing VPN policy, use t
 ## Deploy your VPN policy using Microsoft Intune
-After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
+After you've created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
-1. On the **App policy** blade, select your newly-created policy, select **User groups** from the menu that appears, and then select **Add user group**.
+1. On the **App policy** blade, select your newly created policy, select **User groups** from the menu that appears, and then select **Add user group**.
 A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade.
@@ -64,4 +64,4 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro
 ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
 >[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index d60c78b01f..7b9a855583 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -1,6 +1,6 @@
 ---
 title: Create a WIP policy in Intune
-description: Learn how to use the Microsoft Endpoint Manager admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
+description: Learn how to use the Microsoft Intune admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
 ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
@@ -53,7 +53,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 ## Create a WIP policy
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 81feca58e9..763518df61 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -1,11 +1,11 @@ --- title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10) -description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. +description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 03/05/2019 ms.reviewer: @@ -18,11 +18,11 @@ ms.technology: itpro-security - Windows 10, version 1607 and later -After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. +After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. ## To deploy your WIP policy -1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy. +1. On the **App protection policies** pane, click your newly created policy, click **Assignments**, and then select groups to include or exclude from the policy. 2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. 
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 6aed7ca98e..e33efd5a86 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -4,9 +4,9 @@ description: Learn the difference between enlightened and unenlightened apps. Fi ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 05/02/2019 ms.technology: itpro-security diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 52fa03b931..d7e91a25ce 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -1,12 +1,11 @@ --- title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10) description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart. -ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 02/26/2019 ms.technology: itpro-security 
diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md index 8356183a84..cef1666430 100644 --- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md +++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md @@ -34,7 +34,7 @@ When you unassign an existing policy, it removes the intent to deploy WIP from t If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Open Microsoft Intune and select **Apps** > **App protection policies**. 1. Select the existing policy to turn off, and then select the **Properties**. 1. Edit **Required settings**. diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png deleted file mode 100644 index 5ce10dd81f..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png
deleted file mode 100644
index 6bc8237f7f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png
deleted file mode 100644
index 7d67692ff3..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png b/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png
deleted file mode 100644
index 3ffbcce88c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png
deleted file mode 100644
index 0148a800b2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png b/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
deleted file mode 100644
index 3ceabfd15a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png
deleted file mode 100644
index 09bbda3a06..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png
deleted file mode 100644
index 17a97b8d3a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png
deleted file mode 100644
index 7b226b7edd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-addapps.png
deleted file mode 100644
index 52e3983adf..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png b/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png
deleted file mode 100644
index 808de2db0e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png
deleted file mode 100644
index 3f7b7af6b6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png b/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png
deleted file mode 100644
index f889dbca48..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png b/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png
deleted file mode 100644
index de066d3a8b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png
deleted file mode 100644
index 7987e91454..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png b/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png
deleted file mode 100644
index 70e726d379..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png
deleted file mode 100644
index e48b59aa4b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
deleted file mode 100644
index 6aa8f89355..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png b/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png
deleted file mode 100644
index 6786a93416..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png b/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png
deleted file mode 100644
index bc801a8521..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png b/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png
deleted file mode 100644
index 64d9ebda26..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png b/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png
deleted file mode 100644
index 3ec8bec32d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png
deleted file mode 100644
index b3340d6e4f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png
deleted file mode 100644
index 49c41b313d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png
deleted file mode 100644
index 51abff3771..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png
deleted file mode 100644
index cf9f85181a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
deleted file mode 100644
index 66415d57fd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png
deleted file mode 100644
index a1d9bc70d9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
deleted file mode 100644
index b09cb58508..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
deleted file mode 100644
index 19892b3a7c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png
deleted file mode 100644
index cfeee8a45f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png
deleted file mode 100644
index 57c40a85d0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png
deleted file mode 100644
index 58f675399a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png
deleted file mode 100644
index dd6450af37..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png
deleted file mode 100644
index 3dbbb4e09b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png
deleted file mode 100644
index 89a133bcbe..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
deleted file mode 100644
index f069f140dd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
deleted file mode 100644
index e02310282d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
deleted file mode 100644
index ae14d18238..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
deleted file mode 100644
index 91109c29c9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
deleted file mode 100644
index 0aeb04bf0a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
deleted file mode 100644
index 7090e29ff1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
deleted file mode 100644
index 313b0e4b73..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png
deleted file mode 100644
index e759e45f28..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png
deleted file mode 100644
index 8b81622c1a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
deleted file mode 100644
index 8bc8a4d845..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png
deleted file mode 100644
index b31efa417c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
deleted file mode 100644
index d12500349a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
deleted file mode 100644
index e2b9b2ccae..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
deleted file mode 100644
index b549db5548..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
deleted file mode 100644
index 5c0dd50bb0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
deleted file mode 100644
index eef6b1efd0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
deleted file mode 100644
index 5ed595983a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
deleted file mode 100644
index 59291bf62e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png
deleted file mode 100644
index 3142b31f51..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png
deleted file mode 100644
index aa0184a2c6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png
deleted file mode 100644
index f282ff5e6b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
deleted file mode 100644
index 2ecd78f1ca..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
deleted file mode 100644
index f397cd6797..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
deleted file mode 100644
index 30dde125e1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
deleted file mode 100644
index 0fff54b6d2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png deleted file mode 100644 index fdbc950c9e..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png deleted file mode 100644 index af36a7cc4e..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index ac3cd3b1cc..2670396304 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -3,12 +3,11 @@ title: Mandatory tasks and settings required to turn on Windows Information Prot description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise. ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 05/25/2022 -ms.reviewer: ms.technology: itpro-security --- 
@@ -23,11 +22,11 @@ This list provides all of the tasks and settings that are required for the opera |----|-----------| |Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. | |Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| -|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. -|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

                            Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| +|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it's incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. +|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

                            Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

                            Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| |Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.

                            This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](./create-and-verify-an-efs-dra-certificate.md) topic.| >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index 2f0636e228..1ee0d46093 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md 
@@ -1,12 +1,11 @@ --- title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager (Windows 10) description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. -ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 02/26/2019 ms.technology: itpro-security diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index a1b100e968..7d74fb57ea 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -4,9 +4,9 @@ description: Microsoft Intune helps you create and deploy your enterprise data p ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 03/11/2019 ms.technology: itpro-security diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index a27c24da1d..903e701613 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md 
@@ -3,12 +3,11 @@ title: Recommended URLs for Windows Information Protection (Windows 10) description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 03/25/2019 -ms.reviewer: ms.technology: itpro-security --- @@ -41,10 +40,10 @@ You can add other work-only apps to the Cloud Resource list, or you can create a For Office 365 endpoints, see [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges). Office 365 endpoints are updated monthly. -Allow the domains listed in section number 46 Allow Required and add also add the apps. +Allow the domains listed in section number 46 "Allow Required" and add also add the apps. Note that apps from officeapps.live.com can also store personal data. -When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can change. In this case, add a entry for a second-level domain and use a wildcard such as .svc.ms. +When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can change. In this case, add an entry for a second-level domain and use a wildcard such as .svc.ms. ## Recommended Neutral Resources diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 6efe96a30e..ea2cab423d 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md 
@@ -4,9 +4,9 @@ description: A list of suggested testing scenarios that you can use to test Wind ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 03/05/2019 ms.technology: itpro-security @@ -59,7 +59,7 @@ You can try any of the processes included in these scenarios, but you should foc You should see a WIP-related warning box, asking you to click either **Change to personal** or **Keep at work**. 2. Click **Keep at work**. The content isn't pasted into the non-enterprise app. - 3. Repeat Step 1, but this time click **Change to personal**, and try to paste the content again. + 3. Repeat Step 1, but this time select **Change to personal** and try to paste the content again. The content is pasted into the non-enterprise app. @@ -72,7 +72,7 @@ You can try any of the processes included in these scenarios, but you should foc You should see a WIP-related warning box, asking you to click either **Keep at work** or **Change to personal**. 2. Click **Keep at work**. The content isn't dropped into the non-enterprise app. - 3. Repeat Step 1, but this time click **Change to personal**, and try to drop the content again. + 3. Repeat Step 1, but this time select **Change to personal** and try to drop the content again. The content is dropped into the non-enterprise app. @@ -85,7 +85,7 @@ You can try any of the processes included in these scenarios, but you should foc You should see a WIP-related warning box, asking you to click either **Keep at work** or **Change to personal**. 2. Click **Keep at work**. The content isn't shared into Facebook. - 3. Repeat Step 1, but this time click **Change to personal**, and try to share the content again. + 3. Repeat Step 1, but this time select **Change to personal** and try to share the content again. The content is shared into Facebook. 
@@ -107,7 +107,7 @@ You can try any of the processes included in these scenarios, but you should foc - **Use WIP on NTFS, FAT, and exFAT systems**: - 1. Start an app that uses the FAT or exFAT file system (for example a SD card or USB flash drive), and appears on your allowed apps list. + 1. Start an app that uses the FAT or exFAT file system (for example an SD card or USB flash drive), and appears on your allowed apps list. 2. Create, edit, write, save, copy, and move files. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. - **Verify your shared files can use WIP**: diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 1be650dda0..ff1df3609e 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -3,9 +3,9 @@ title: Using Outlook on the web with WIP (Windows 10) description: Options for using Outlook on the web with Windows Information Protection (WIP). ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: 
@@ -28,4 +28,4 @@ Because Outlook on the web can be used both personally and as part of your organ |Add outlook.office.com and outlook.office365.com to the Cloud resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | >[!NOTE] ->These limitations don’t apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. +>These limitations don't apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employee's mailbox as corporate data, regardless of how you've configured outlook.office.com in your network settings. diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 670283c970..7404e870dc 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -3,9 +3,9 @@ title: Determine the Enterprise Context of an app running in Windows Information description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: aaroncz +author: aczechowski +ms.author: aaroncz +manager: dougeby ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: 
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 6b8c5f1841..4bcc628d6a 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -25,7 +25,7 @@ In the **Website learning report**, you can view a summary of the devices that h ## Access the WIP Learning reports -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Apps** > **Monitor** > **App protection status** > **Reports**. diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index af39d39146..1ab3f3f08e 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security 
@@ -65,7 +66,7 @@ To complete this procedure, you must be signed in as a member of the built-in Ad   ## More considerations -- After you turn on object access auditing, view the security login Event Viewer to review the results of your changes. +- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes. - You can set up file and folder auditing only on NTFS drives. - Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.   diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 319301f86f..45ec095169 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index d505b5d9ef..e081fcb3f0 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri + - tier3 ms.topic: reference --- 
@@ -120,14 +121,16 @@ This event generates when a logon session is created (on destination machine). I **Subject:** -- **Security ID** [Type = SID]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** [Type = SID]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you will see the source data in the event. + + This field may also contain no subject user information, but the NULL Sid "S-1-0-0" and no user or domain information. > [!NOTE] - > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. 
The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon. -- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following: - Domain NETBIOS name example: CONTOSO @@ -191,7 +194,7 @@ This event generates when a logon session is created (on destination machine). I - **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed. -- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following: - Domain NETBIOS name example: CONTOSO 
@@ -289,7 +292,7 @@ For 4624(S): An account was successfully logged on. | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don’t comply with naming conventions. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions. | - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** is not SYSTEM. 
@@ -315,6 +318,6 @@ For 4624(S): An account was successfully logged on. - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length. -- If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for **Process Name**. +- If you monitor for potentially malicious software, or software that isn't authorized to request logon actions, monitor this event for **Process Name**. -- If you have a trusted logon processes list, monitor for a **Logon Process** that is not from the list. +- If you have a trusted logon processes list, monitor for a **Logon Process** that isn't from the list. diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 81657a6361..45f8a019b0 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri + - tier3 ms.topic: reference --- @@ -28,7 +29,7 @@ ms.topic: reference This event is logged for any logon failure. -It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation. +It generates on the computer where logon attempt was made, for example, if logon attempt was made on user's workstation, then event will be logged on this workstation. This event generates on domain controllers, member servers, and workstations. 
@@ -107,11 +108,11 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". -- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. +- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. "Table 11. Windows Logon Types" contains the list of possible values for this field. **Table 11: Windows Logon Types** 
@@ -146,50 +147,22 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on." **Failure Information:** -- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value. +- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has "**Account locked out**" value. -- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes. +- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has "**0xC0000234**" value. 
- **Table 12: Windows logon status codes.** - - | Status\\Sub-Status Code | Description | - |-------------------------|------------------------------------------------------------------------------------------------------| - | 0XC000005E | There are currently no logon servers available to service the logon request. | - | 0xC0000064 | User logon with misspelled or bad user account | - | 0xC000006A | User logon with misspelled or bad password | - | 0XC000006D | The cause is either a bad username or authentication information | - | 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). | - | 0xC000006F | User logon outside authorized hours | - | 0xC0000070 | User logon from unauthorized workstation | - | 0xC0000071 | User logon with expired password | - | 0xC0000072 | User logon to account disabled by administrator | - | 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. | - | 0XC0000133 | Clocks between DC and other computer too far out of sync | - | 0XC000015B | The user has not been granted the requested logon type (also called the *logon right*) at this machine | - | 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. | - | 0XC0000192 | An attempt was made to logon, but the **Netlogon** service was not started. | - | 0xC0000193 | User logon with expired account | - | 0XC0000224 | User is required to change password at next logon | - | 0XC0000225 | Evidently a bug in Windows and not a risk | - | 0xC0000234 | User logon with account locked | - | 0XC00002EE | Failure Reason: An Error occurred during Logon | - | 0XC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. | - | 0x0 | Status OK. 
| +- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. > [!NOTE] -> To see the meaning of other status or substatus codes, you might also check for status code in the Windows header file ntstatus.h in Windows SDK. - -More information: - -- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”. +> For more information about various Status or Sub Status codes, see [NTSTATUS Values](/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55). **Process Information:** @@ -199,7 +172,7 @@ More information: If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**. - **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. 
@@ -219,9 +192,9 @@ More information:
 **Detailed Authentication Information:**
-- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
+- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information.
-- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. 
When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
 - **NTLM** – NTLM-family Authentication
@@ -233,15 +206,15 @@ More information:
 - **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during the logon attempt. Possible values are:
- - “NTLM V1”
+ - "NTLM V1"
- - “NTLM V2”
+ - "NTLM V2"
- - “LM”
+ - "LM"
- Only populated if “**Authentication Package” = “NTLM”**.
+ Only populated if "**Authentication Package" = "NTLM"**.
-- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
+- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package.
 ## Security Monitoring Recommendations 
@@ -250,19 +223,19 @@ For 4625(F): An account failed to log on.
 > [!IMPORTANT]
 > For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+- If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
-- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+- You can monitor to see if "**Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+- If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
 - If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**.
 - To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. 
-- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account.
+- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **"Subject\\Security ID"** that corresponds to the account.
 - We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
@@ -270,7 +243,7 @@ For 4625(F): An account failed to log on.
 - If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
- - If the **“Account For Which Logon Failed \\Security ID”** should never be used to log on from the specific **Network Information\\Workstation Name**.
+ - If the **"Account For Which Logon Failed \\Security ID"** should never be used to log on from the specific **Network Information\\Workstation Name**.
 - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
@@ -286,14 +259,14 @@ For 4625(F): An account failed to log on.
 | Field | Value to monitor for |
 |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
- | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
                            This issue is typically not a security issue, but it can be an infrastructure or availability issue. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
                            Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
                            Especially watch for a number of such events in a row. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
                            Especially watch for a number of such events in a row. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
                            This issue is typically not a security issue but it can be an infrastructure or availability issue. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | - | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC000005E – "There are currently no logon servers available to service the logon request."
                            This issue is typically not a security issue, but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC0000064 – "User logon with misspelled or bad user account".
                            Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC000006A – "User logon with misspelled or bad password" for critical accounts or service accounts.
                            Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC000006D – "This is either due to a bad username or authentication information" for critical accounts or service accounts.
                            Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC000006F – "User logon outside authorized hours". | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC0000070 – "User logon from unauthorized workstation". | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC0000072 – "User logon to account disabled by administrator". | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC000015B – "The user has not been granted the requested logon type (aka logon right) at this machine". | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC0000192 – "An attempt was made to logon, but the Netlogon service was not started".
                            This issue is typically not a security issue but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0xC0000193 – "User logon with expired account". | + | **Failure Information\\Status** or
                            **Failure Information\\Sub Status** | 0XC0000413 – "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine". |
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 64f3140ad0..3d1ec5f975 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -175,7 +175,32 @@ Subject:
 Logon ID: 0x3E6
 ```
-After the event, one more event ID is generated:
+After event 4716, you may see either event 4724 or event 4742 or both:
+
+```
+Log Name: Security
+Source: Microsoft-Windows-Security-Auditing
+Date: