diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 2ff80e5d9e..5fd9429012 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -272,11 +272,11 @@ Supported operations are Get, Add, Delete, and Replace. ![device portal app manager](images/applocker-screenshot3.png) -10. If you do not see the app that you want, look under **Installed apps**. Using the drop down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. +10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. ![app manager](images/applocker-screenshot2.png) -The following table show the mapping of information to the AppLocker publisher rule field. +The following table shows the mapping of information to the AppLocker publisher rule field. @@ -303,7 +303,7 @@ The following table show the mapping of information to the AppLocker publisher r +

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.

Version

Version

This can be used either in the HighSection or LowSection of the BinaryVersionRange.

-

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.
@@ -545,7 +545,7 @@ The following list shows the apps that may be included in the inbox. Microsoft.AccountsControl -Enterprise install app +Enterprise installs app da52fa01-ac0f-479d-957f-bfe4595941cb @@ -790,7 +790,7 @@ The following list shows the apps that may be included in the inbox. -Sign-in for Windows 10 Holographic +Sign in for Windows 10 Holographic WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn @@ -1450,7 +1450,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business -The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings. +The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings. ```xml diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 56ac3bcbc2..f19bba4d59 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -23,7 +23,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns the setting configured by the admin. -For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). The following shows the BitLocker configuration service provider in tree format. ``` @@ -482,7 +482,7 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. +This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked. If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index bde6366de4..3c93ca8c71 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -19,13 +19,13 @@ ms.date: 11/15/2017 >[!TIP] >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). -In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft updates. +In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. In particular, Windows 10 provides APIs to enable MDMs to: -- Ensure machines stay up-to-date by configuring Automatic Update policies. +- Ensure machines stay up to date by configuring Automatic Update policies. - Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device. -- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up-to-date is a particular machine. +- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up to date is a particular machine. This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10. @@ -34,7 +34,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to - Configure automatic update policies to ensure devices stay up-to-date. - Get device compliance information (the list of updates that are needed but not yet installed). - Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested. -- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs. +- Approve EULAs on behalf of the end user so update deployment can be automated even for updates with EULAs. The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). @@ -79,7 +79,7 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData - **UpdateID** – The unique identifier for an update - **RevisionNumber** – Revision number for the update in case the update was modified. - **CreationDate** – the date on which this update was created. -- **UpdateType** – The type of update which could include the following: +- **UpdateType** – The type of update, which could include the following: - **Detectoid** – if this update identity represents a compatibility logic - **Category** – This could represent either of the following: - A Product category the update belongs to. For example, Windows, MS office etc. @@ -106,7 +106,7 @@ First some background: The following procedure describes a basic algorithm for a metadata sync service: - Initialization, composed of the following: - 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative). + 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about four new definition updates per day, each of which is cumulative). - Sync periodically (we recommend once every 2 hours - no more than once/hour). 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: @@ -129,7 +129,7 @@ The following list describes a suggested model for applying updates. 1. Have a "Test Group" and an "All Group". 2. In the Test group, just let all updates flow. -3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are availible. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues. +3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are available. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues. Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates. @@ -220,7 +220,7 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. -

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. +

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution.

Supported operations are Get and Replace. @@ -229,7 +229,7 @@ The following diagram shows the Update policies in a tree format. - 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. - 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. -

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +

This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. **Update/AllowUpdateService** > [!NOTE] @@ -267,7 +267,7 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. +

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.

The following list shows the supported values: @@ -310,7 +310,7 @@ The following diagram shows the Update policies in a tree format. > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. -

Allows IT Admins to specify update delays for up to 4 weeks. +

Allows IT Admins to specify update delays for up to four weeks.

Supported values are 0-4, which refers to the number of weeks to defer updates. @@ -363,7 +363,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

Other/cannot defer

No deferral

No deferral

-

Any update category not specifically enumerated above falls into this category.

+

Any update category not enumerated above falls into this category.

Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

@@ -379,7 +379,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. -

Allows IT Admins to specify additional upgrade delays for up to 8 months. +

Allows IT Admins to specify additional upgrade delays for up to eight months.

Supported values are 0-8, which refers to the number of months to defer upgrades. @@ -407,7 +407,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

Supported values are 1-3 days. -

The default value is 3 days. +

The default value is three days. **Update/EngagedRestartTransitionSchedule** > [!NOTE] @@ -418,7 +418,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

Supported values are 2-30 days. -

The default value is 7 days. +

The default value is seven days. **Update/ExcludeWUDriversInQualityUpdate** > [!NOTE] @@ -481,7 +481,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. -

Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. +

Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.

The following list shows the supported values: @@ -602,7 +602,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.

Supported values are 2, 4, 8, 12, or 24 (hours). @@ -613,7 +613,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. +

Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.

The following list shows the supported values: @@ -689,7 +689,7 @@ Node for update approvals and EULA acceptance on behalf of the end-user. The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added. @@ -886,7 +886,7 @@ Here is the list of older policies that are still supported for backward compati ## Update management user experience screenshot -The following screenshots of the administrator console shows the list of update titles, approval status, and additional metadata fields. +The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. ![mdm update management screenshot](images/deviceupdatescreenshot1.png) diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 9d37cb5ab2..3bd7186d4f 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -40,12 +40,12 @@ mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab - In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. ### Understanding cab structure -The cab file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment,DeviceProvisioning and Autopilot areas. It applies to the cab files collected via command line or Feedback Hub +The cab file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the cab files collected via command line or Feedback Hub - DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) -- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device id, certificates, policies. -- MdmDiagLogMetadata,json: mdmdiagnosticstool metadata file, contains command line arguments used to run the tool +- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. +- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool - MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables - MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 6aa09acc07..ce79fdb702 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -248,7 +248,7 @@ When the mobile device is configured to use a proxy that requires authentication ### Server-initiated unenrollment failure -Server-initiated unenrollment for a device enrolled by adding a work account silently fails leaving the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server. +Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server. Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device. @@ -282,7 +282,7 @@ The software version information from **DevDetail/SwV** does not match the versi ### Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218 -Applies only to phone prior to build 10586.218: When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework Id to your list of allowed apps. +Applies only to phone prior to build 10586.218: When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework ID to your list of allowed apps. ```xml