From 1593eba092f7c2fe4b0408129da6c007d8c8cdf2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 22 Sep 2017 11:33:44 -0700 Subject: [PATCH 1/4] revised table --- .../tpm/tpm-recommendations.md | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md index 8dcde29788..21314c3f0b 100644 --- a/windows/device-security/tpm/tpm-recommendations.md +++ b/windows/device-security/tpm/tpm-recommendations.md 
@@ -98,20 +98,19 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u The following table defines which Windows features require TPM support. -| Windows Features | Windows 10 TPM 1.2 | Windows 10 TPM 2.0 | Details | -|-------------------------|----------------------|----------------------|----------| -| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. | -| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. Please note that TPM 2.0 requires UEFI Secure Boot in order for BitLocker to work properly. | -| Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. | -| Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. | -| Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. | -| Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. | -| Device Health Attestation | Required | Required | | -| Windows Hello / Windows Hello for Business | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. 
[How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) | -| UEFI Secure Boot | Not Required | Recommended | | -| Platform Key Storage provider | Required | Required | | -| Virtual Smart Card | Required | Required | | -| Certificate storage (TPM bound) | Required | Required | | +| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | +|-------------------------|--------------|--------------------|--------------------|----------| +| Measured Boot | Yes | Yes | Yes | | +| Bitlocker | No | Yes | Yes | A removable USB memory device such as a flash drive can also be used instead of a TPM. | +| Device Encryption | Yes | N/A | Yes | Device Encryption requires InstantGo/Connected Standby certification. All systems certified for InstantGo/Connected Standby shipped with TPM 2.0, so TPM 1.3 support is Not Applicable. | +| Device Guard | No | Yes | Yes | | +| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 is supported. | +| Device Health Attestation| Yes | Yes | Yes | | +| Windows Hello/Windows Hello for Business| No | Yes | Yes | | +| UEFI Secure Boot | No | Yes | Yes | | +| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | | +| Virtual Smart Card | Yes | Yes | Yes | | +| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. | ## OEM Status on TPM 2.0 system availability and certified parts From 9a8fe83e27fa71f669d74a207cf0f568aaff46e2 Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Fri, 22 Sep 2017 19:28:49 +0000 Subject: [PATCH 2/4] Merged PR 3356: converting 2 tables to lists --- .../mdm/policy-csp-system.md | 23 ++++++++++--- .../mdm/policy-csp-update.md | 33 +++++++++++++++++-- 2 files changed, 48 insertions(+), 8 deletions(-) 
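Review bot: the Device Encryption row says "TPM 1.3 support is Not Applicable"; there is no TPM 1.3, and the column being explained is "Supports TPM 1.2", so this should read "TPM 1.2 support is Not Applicable". Two further points in the same hunk: the Credential Guard row's "TPM 1.2 and 2.0 is supported" should be "are supported", and the rewrite removes the two Passport rows, whose Details cells carried the only statement that key attestation needs a TPM with HMAC support and an EK certificate, while leaving the new Windows Hello/Windows Hello for Business Details cell empty and dropping the "How keys are protected" link; consider carrying that attestation requirement and the link into the Windows Hello row so the hardware-backed key protection point is not lost.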
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index d077ea3454..a6ffde5756 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/20/2017 --- # Policy CSP - System @@ -303,7 +303,13 @@ ms.date: 08/30/2017

The following tables describe the supported values: - +Windows 8.1 Values: + +- 0 - Not allowed. +- 1 – Allowed, except for Secondary Data Requests. +- 2 (default) – Allowed. + + +Windows 10 Values: -
+- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. +- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. +- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. + + > [!IMPORTANT] diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 1bf1c34365..acd676eecb 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/20/2017 --- # Policy CSP - Update @@ -595,7 +595,34 @@ This policy is accessible through the Update setting in the user interface or Gr
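Review bot: the lead-in context line still says "The following tables describe the supported values:" while this hunk replaces the tables with two bulleted lists; change it to "The following lists describe the supported values:". The separators are also mixed in the Windows 8.1 list ("0 - Not allowed." uses a hyphen, "1 – Allowed" and "2 (default) – Allowed" use an en dash); use one form throughout. The "Note: This value is only applicable to ..." line under value 0 follows the bullet with a single leading space, so Markdown folds it into the bullet's own paragraph; if it is meant to stand apart, indent it to the bullet text or move it into a "> [!NOTE]" block like the "> [!IMPORTANT]" block already used further down. Finally, the run of empty "+" lines between the two lists only adds blank output and can be reduced to one.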

If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

+OS upgrade: +- Maximum deferral: 8 months +- Deferral increment: 1 month +- Update type/notes: + - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 + +Update: +- Maximum deferral: 1 month +- Deferral increment: 1 week +- Update type/notes: + If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 + +Other/cannot defer: +- Maximum deferral: No deferral +- Deferral increment: No deferral +- Update type/notes: + Any update category not specifically enumerated above falls into this category. + - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B + + From 333bd1975900c7c5784a7bacb55ff601c4c303d9 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 22 Sep 2017 20:41:32 +0000 Subject: [PATCH 3/4] Merged PR 3290: EnterpriseAPN CSP added sample --- .../mdm/enterpriseapn-csp.md | 145 +++++++++++++++++- ...ew-in-windows-mdm-enrollment-management.md | 5 +- 2 files changed, 148 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index e92ab5e8bc..9b64ff0fb4 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 09/19/2017 --- # EnterpriseAPN CSP @@ -128,6 +128,149 @@ The following image shows the EnterpriseAPN configuration service provider in tr
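Review bot: under the "Update type/notes:" bullets, the explanatory sentences "If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic." and "Any update category not specifically enumerated above falls into this category." are added with a single leading space rather than at sub-item indentation, so Markdown folds them into the "Update type/notes:" bullet text and the following "  - Security Update - 0FA1201D-..." lines may render as a separate list; indent them to the same level as the GUID sub-items (or make each its own sub-bullet) so the category list stays attached to its heading. The hunk also ends with two empty "+" lines, which add trailing blank lines before the next section.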

Supported operations are Get and Replace.

+## Examples + +``` syntax + + + + + + + 8000 + + + 8001 + + + ./Vendor/MSFT/EnterpriseAPN/E_APN1/APNName + + + chr + + enterprise_apn1 + + + + 8002 + + + ./Vendor/MSFT/EnterpriseAPN/E_APN1/IPType + + + chr + + IPv4 + + + + 8003 + + + ./Vendor/MSFT/EnterpriseAPN/E_APN1/IsAttachAPN + + + bool + + false + + + + 8004 + + + ./Vendor/MSFT/EnterpriseAPN/E_APN1/ClassId + + + chr + + AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA + + + + 8005 + + + ./Vendor/MSFT/EnterpriseAPN/E_APN1/AuthType + + + chr + + CHAP + + + + 8006 + + + ./Vendor/MSFT/EnterpriseAPN/E_APN1/UserName + + + chr + + myusername + + + + 8007 + + + ./Vendor/MSFT/EnterpriseAPN/E_APN1/Password + + + chr + + mypassword + + + + 8008 + + + ./Vendor/MSFT/EnterpriseAPN/E_APN1/IccId + + + chr + + FFFFFFFFFFFFFFFFFFFF + + + + + + + + + + +``` + ## Related topics diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 50d3253a38..85bf380b78 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/12/2017 +ms.date: 09/19/2017 --- # What's new in MDM enrollment and management @@ -1393,6 +1393,9 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
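Review bot: the sample writes literal credentials into the UserName and Password nodes ("myusername" / "mypassword") and fixed-pattern values into ClassId ("AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA") and IccId ("FFFFFFFFFFFFFFFFFFFF") without saying so; add a sentence before the fence stating that these are placeholders to be replaced with the organisation's own APN credentials, class GUID and SIM ICCID, so the block is not copied verbatim. Since the Password node is carried as a plain "chr" value in the SyncML body, it is also worth a short note that the value is protected only by the MDM session transport and should be treated like any other secret pushed through the DM channel.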

For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.

+ + From b8b9d0477d57374405ec73674eded6313399e351 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 22 Sep 2017 20:45:36 +0000 Subject: [PATCH 4/4] Merged PR 3372: AssignedAccess CSP update --- windows/client-management/mdm/assignedaccess-csp.md | 4 ++-- .../mdm/configuration-service-provider-reference.md | 4 ++-- .../mdm/new-in-windows-mdm-enrollment-management.md | 6 ++++++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 59f79b2a6c..2e6580c656 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/27/2017 +ms.date: 09/19/2017 --- # AssignedAccess CSP @@ -19,7 +19,7 @@ The AssignedAccess configuration service provider (CSP) is used set the device t For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211) -> **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education. +> **Note**  The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro. The following diagram shows the AssignedAccess configuration service provider in tree format diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index f619993de2..ff8c33aa7e 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
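Review bot: two grammar slips in this hunk's context are worth fixing while the note is being edited: the page's opening sentence, visible in the hunk header, reads "is used set the device" and needs "to" ("is used to set the device"), and "For step-by-step guide for setting up devices" needs an article ("For a step-by-step guide"). The version 1709 statement in the revised note is also repeated three times in new-in-windows-mdm-enrollment-management.md in this same patch; keep the wording identical across all of them.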
@@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/27/2017 +ms.date: 09/19/2017 --- # Configuration service provider reference @@ -164,7 +164,7 @@ Footnotes: - + diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 85bf380b78..18854315f9 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -974,6 +974,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Configuration
+

Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.

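Review bot: the AssignedAccess sentence added here ("Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.") is also inserted by this patch's hunks at -1378 ("... is also supported in Windows 10 Pro.") and -1620 in the same file; three copies are fine if each section needs its own entry, but the wording should match, and "also" belongs in all of them or in none.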
@@ -1378,6 +1379,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

+ + +
[EntepriseAPN CSP](enterpriseapn-csp.md)

Added a SyncML example.

+
[VPNv2 CSP](vpnv2-csp.md)

Added RegisterDNS setting in Windows 10, version 1709.

cross markcross markcheck mark3 check mark check mark
[DeviceManageability CSP](devicemanageability-csp.md)
[AssignedAccess CSP](assignedaccess-csp.md)

Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

+
Microsoft Store for Business

Windows Store for Business name changed to Microsoft Store for Business.

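Review bot: the context row reads "[EntepriseAPN CSP](enterpriseapn-csp.md)" (missing the "r" in Enterprise); since this hunk edits the neighbouring rows, correct the link text to "EnterpriseAPN CSP" here. The AssignedAccess row wording in this hunk ("is also supported in Windows 10 Pro") also differs from the matching entries added at -974 and -1620 ("is supported"); align them.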
@@ -1620,6 +1625,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Added Configuration node
+

Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.

[SurfaceHub CSP](surfacehub-csp.md)