deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update articles in PR 2026

Browse Source
This commit is contained in:
1justingilmore 2020-06-22 13:48:35 -06:00
parent 9237f69046
commit 2a1e8c6a51
4 changed files with 42 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
windows/client-management/mdm/certificate-renewal-windows-mdm.md
View File

@ -17,16 +17,13 @@ ms.date: 06/26/2017
# Certificate Renewal # Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. > [!Note]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
 
## In this topic ## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request) - [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration) - [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response) - [Certificate renewal response](#certificate-renewal-response)
@ -35,12 +32,10 @@ The enrolled client certificate expires after a period of use. The expiration da
<a href="" id="automatic-certificate-renewal"></a> <a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request ## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal. In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. > [!Note]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
 
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate. Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
@ -54,7 +49,7 @@ During the automatic certificate renew process, the device will deny HTTP redire
The following example shows the details of an automatic renewal request. The following example shows the details of an automatic renewal request.
``` ``` xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u= xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
@ -106,7 +101,6 @@ The following example shows the details of an automatic renewal request.
</s:Envelope> </s:Envelope>
``` ```
<a href="" id="certificate-renewal-schedule"></a> <a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration ## Certificate renewal schedule configuration
@ -116,11 +110,10 @@ For more information about the parameters, see the CertificateStore configuratio
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week. Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. > [!Note]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design. > For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
 
## Certificate renewal response ## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
@ -133,12 +126,12 @@ When RequestType is set to Renew, the web service verifies the following (in add
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message. > [!Note]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response. The following example shows the details of an certificate renewal response.
``` ``` xml
<wap-provisioningdoc version="1.1"> <wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore"> <characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root"> <!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
@ -163,25 +156,15 @@ The following example shows the details of an certificate renewal response.
</wap-provisioningdoc> </wap-provisioningdoc>
``` ```
> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. > [!Note]
The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
 
<a href="" id="csp-support-during-enrollment-and-renewal"></a> <a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal ## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore - CertificateStore
- w7 APPLICATION - w7 APPLICATION
- DMClient - DMClient
- EnterpriseAppManagement - EnterpriseAppManagement
 

47
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -14,17 +14,15 @@ ms.date: 02/28/2020
# ClientCertificateInstall CSP # ClientCertificateInstall CSP
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> **Note**   > [!Note]
Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. > Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following image shows the ClientCertificateInstall configuration service provider in tree format. The following image shows the ClientCertificateInstall configuration service provider in tree format.
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png) ![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
@ -63,7 +61,6 @@ The data type is an integer corresponding to one of the following values:
| 3 | Install to software. | | 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | | 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** <a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
@ -107,8 +104,8 @@ Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** <a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. > [!Note]
> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The data type bool. The data type bool.
@ -138,20 +135,19 @@ Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP** <a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
Node for SCEP. Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed. > [!Note]
> An alert is sent after the SCEP certificate is installed.
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/**<strong>*UniqueID*</strong> <a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/**<strong>*UniqueID*</strong>
A unique ID to differentiate different certificate installation requests. A unique ID to differentiate different certificate installation requests.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install** <a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
Supported operations are Get, Add, Replace, and Delete. Supported operations are Get, Add, Replace, and Delete.
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. > [!Note]
> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** <a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
@ -191,8 +187,8 @@ Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** <a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies where to keep the private key. Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN. > [!Note]
> Even if the private key is protected by TPM, it is not protected with a TPM PIN.
The data type is an integer corresponding to one of the following values: The data type is an integer corresponding to one of the following values:
@ -203,7 +199,6 @@ The data type is an integer corresponding to one of the following values:
| 3 | (Default) Private key saved in software KSP. | | 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | | 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** <a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
@ -238,8 +233,8 @@ Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** <a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name. Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it. > [!Note]
> This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
Data type is string. Data type is string.
@ -294,7 +289,6 @@ Valid values are:
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. > **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** <a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
@ -302,8 +296,8 @@ Optional. Specifies the desired number of units used in the validity period. Thi
Data type is string. Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. > [!Note]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
@ -358,7 +352,6 @@ The only supported operation is Get.
| 16 | Action failed | | 16 | Action failed |
| 32 | Unknown | | 32 | Unknown |
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** <a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
Optional. An integer value that indicates the HRESULT of the last enrollment error code. Optional. An integer value that indicates the HRESULT of the last enrollment error code.
@ -373,7 +366,6 @@ The only supported operation is Get.
## Example ## Example
Enroll a client certificate through SCEP. Enroll a client certificate through SCEP.
```xml ```xml
@ -669,15 +661,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)

25
windows/client-management/mdm/defender-csp.md
View File

@ -120,8 +120,6 @@ The following table describes the supported values:
| 50 | Ransomware | | 50 | Ransomware |
| 51 | ASR Rule | | 51 | ASR Rule |
Supported operation is Get. Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus** <a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
@ -248,60 +246,60 @@ Supported operation is Get.
<a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled** <a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled**
Indicates whether the Windows Defender service is running. Indicates whether the Windows Defender service is running.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-rtpenabled"></a>**Health/RtpEnabled** <a href="" id="health-rtpenabled"></a>**Health/RtpEnabled**
Indicates whether real-time protection is running. Indicates whether real-time protection is running.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-nisenabled"></a>**Health/NisEnabled** <a href="" id="health-nisenabled"></a>**Health/NisEnabled**
Indicates whether network protection is running. Indicates whether network protection is running.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue** <a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device. Indicates whether a Windows Defender quick scan is overdue for the device.
A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default) A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default).
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue** <a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device. Indicates whether a Windows Defender full scan is overdue for the device.
A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default) A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default).
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate** <a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate**
Indicates whether the Windows Defender signature is outdated. Indicates whether the Windows Defender signature is outdated.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-rebootrequired"></a>**Health/RebootRequired** <a href="" id="health-rebootrequired"></a>**Health/RebootRequired**
Indicates whether a device reboot is needed. Indicates whether a device reboot is needed.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired** <a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired**
Indicates whether a Windows Defender full scan is required. Indicates whether a Windows Defender full scan is required.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
@ -357,7 +355,7 @@ Supported operation is Get.
<a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled** <a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled**
Indicates whether the Windows Defender tamper protection feature is enabled. Indicates whether the Windows Defender tamper protection feature is enabled.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
@ -422,5 +420,4 @@ Supported operations are Get and Execute.
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)

22
windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
View File

@ -23,7 +23,6 @@ User Experience Virtualization (UE-V) supports Microsoft Application Virtualizat
## UE-V settings synchronization for App-V applications ## UE-V settings synchronization for App-V applications
UE-V monitors when an application opens by the program name and, optionally, by file version numbers and product version numbers, whether the application is installed locally or virtually by using App-V. When the application starts, UE-V monitors the App-V process, applies any settings that are stored in the user's settings storage path, and then enables the application to start normally. UE-V monitors App-V applications and automatically translates the relevant file and registry paths to the virtualized location as opposed to the physical location outside the App-V computing environment. UE-V monitors when an application opens by the program name and, optionally, by file version numbers and product version numbers, whether the application is installed locally or virtually by using App-V. When the application starts, UE-V monitors the App-V process, applies any settings that are stored in the user's settings storage path, and then enables the application to start normally. UE-V monitors App-V applications and automatically translates the relevant file and registry paths to the virtualized location as opposed to the physical location outside the App-V computing environment.
**To implement settings synchronization for a virtualized application** **To implement settings synchronization for a virtualized application**
@ -34,28 +33,11 @@ UE-V monitors when an application opens by the program name and, optionally, by
3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet. 3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet.
**Note**   > [!NOTE]
If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**. > If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**.
4. Start the App-V package. 4. Start the App-V package.
## Related topics ## Related topics
[Administering UE-V](uev-administering-uev.md) [Administering UE-V](uev-administering-uev.md)