diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 0a8814e8f1..be06a10c27 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -15,7 +15,9 @@ ms.date: 11/01/2017
The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
-For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
+For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
+
+ In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
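Review bot: the added paragraph ("In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded...") starts with a leading space, which should be dropped so it is formatted like the surrounding paragraphs. The same sentence also re-expands "configuration service provider (CSP)" although the first paragraph already did; "the AssignedAccess CSP has been expanded" reads cleaner and matches the Note below it.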
@@ -30,6 +32,9 @@ Root node for the CSP.
**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
+> [!Note]
+> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.
+
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
Here's an example:
@@ -38,10 +43,15 @@ Here's an example:
{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
+> [!Tip]
+> In this example the double \\\ is only required because it's in json and json escapes \ into \\\\. If MDM server uses json parser\composer, they should only ask customer to type one \\, which will be \\\ in the json. If user types \\\\, it'll be \\\\\\\ in json, which is wrong. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (require) escape \\.
+>
+> This comment applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in json string.
+
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
-> **Note** The domain name can be optional if the user name is unique across the system.
-
+> [!Note]
+> The domain name can be optional if the user name is unique across the system.
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
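Review bot: removing the blank line after the old Note without adding one after the new `> [!Note]` block leaves "For a local account, the domain name should be the device name..." directly under "> The domain name can be optional...", so Markdown treats it as a lazy continuation of the blockquote and the paragraph renders inside the Note; add a blank line after the Note. In the new Tip, the backslash escaping is inconsistent in raw Markdown (`\\\` and `\\\\` both render as two backslashes, and `\\\\\\\` as four), so the sentence about what the user should type becomes unreadable once rendered; put each literal in a code span (`\`, `\\`) instead, replace "json parser\composer" with "JSON parser or composer", and drop the parenthesised "(require)". The closing sentence "This comment applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in json string." needs a verb, e.g. "as long as a backslash is used in the JSON string".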
@@ -49,7 +59,10 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
**./Device/Vendor/MSFT/AssignedAccess/Configuration**
-Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+
+> [!Note]
+> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.
Enterprises can use this to easily configure and manage the curated lockdown experience.
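Review bot: the replaced Configuration description is missing a space after the link, "...lock-down-windows-10-to-specific-apps).Here is the schema...", which will render the two sentences run together; insert a space before "Here". The Note added here is a verbatim copy of the one added under KioskModeApp in the hunk above; that is fine for a node reference, but keep the two in sync if the restriction changes in a later release.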
@@ -57,7 +70,7 @@ Supported operations are Add, Get, Delete, and Replace.
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
-## Examples
+## KioskModeApp examples
KioskModeApp Add
@@ -240,170 +253,7 @@ KioskModeApp Replace
```
-## Overview of the AssignedAccessConfiguration XML
-
-Let's start by looking at the basic structure of the XML file.
-
-- A configuration xml can define multiple profiles, each profile has a unique Id and defines a curated set of applications that are allowed to run.
-- A configuration xml can have multiple configs, each config associates a non-admin user account to a default profile Id.
-- A profile has no effect if it’s not associated to a user account.
-
-A profile node has below information:
-
-- Id: a GUID attribute to uniquely identify the Profile.
-- AllowedApps: a node with a list of allowed to run applications, could be UWP apps or desktop apps.
-- StartLayout: a node for startlayout policy xml.
-- Taskbar: a node with a Boolean attribute ShowTaskbar to indicate whether to show taskbar.
-
-You can start your file by pasting the following XML (or any other examples in this doc) into a XML editor, and saving the file as filename.xml.
-
-``` syntax
-
-
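Review bot: this hunk removes the whole "Overview of the AssignedAccessConfiguration XML" section (170 lines) in favour of the external link, but the Configuration node description earlier in this patch still ends with "Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd)"; confirm that the `## AssignedAccessConfiguration XSD` heading survives the removal, otherwise that intra-page anchor is now broken and should either be removed or pointed at the external topic as well.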
The data type format is node. -
Supported operations are Get, Add, and Delete . +
Supported operations are Get, Add, and Replace.
Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. @@ -67,7 +67,7 @@ The following image shows the ClientCertificateInstall configuration service pro
Date type is string. -
Supported operations are Get, Add, and Replace. +
Supported operations are Get, Add, Delete, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. @@ -142,7 +142,6 @@ The following image shows the ClientCertificateInstall configuration service pro **ClientCertificateInstall/SCEP/****_UniqueID_**
A unique ID to differentiate different certificate installation requests. -
Supported operations are Get, Add, Replace, and Delete. **ClientCertificateInstall/SCEP/*UniqueID*/Install**
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. @@ -157,14 +156,14 @@ The following image shows the ClientCertificateInstall configuration service pro
Data type is string. -
Supported operations are Get, Add, and Replace. +
Supported operations are Get, Add, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
Data type is string. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*. @@ -174,7 +173,7 @@ Data type is string.
Data type is int. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name. @@ -199,7 +198,12 @@ Data type is string. | 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. | -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** +
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. + +
Supported operations are Add, Get, Delete, and Replace. Value type is integer. **ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. @@ -210,7 +214,7 @@ Data type is string.
The minimum value is 1. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. @@ -223,7 +227,7 @@ Data type is string.
Minimum value is 0, which indicates no retry. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name. @@ -233,7 +237,7 @@ Data type is string.
Data type is string. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA). @@ -244,7 +248,7 @@ Data type is string.
For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**. @@ -253,14 +257,14 @@ Data type is string.
Data type is string. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
Data type is string. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. @@ -269,7 +273,7 @@ Data type is string.
Data type is string. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
Optional. Specifies the units for the valid certificate period. @@ -285,7 +289,7 @@ Data type is string. > **Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. @@ -295,21 +299,21 @@ Data type is string. >**Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
Data type is string. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
Data type is string. -
Supported operations are Add, Get, and Replace. +
Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ac247a2a86..1a756e0dbe 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1395,6 +1395,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
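Review bot: in the first ClientCertificateInstall hunk, the PFXCertInstall/*UniqueID* node changes "Supported operations are Get, Add, and Delete." to "Supported operations are Get, Add, and Replace.", yet the unchanged context line that follows still says "Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob." Either Delete is still supported and the operations list should read "Get, Add, Delete, and Replace" (as the PFXCertInstall child nodes now do), or the sentence describing Delete behaviour should be removed; as written the two lines contradict each other.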
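Review bot: the hunk at @@ -142,7 +142,6 deletes the line "Supported operations are Get, Add, Replace, and Delete." under ClientCertificateInstall/SCEP/*UniqueID* without adding a replacement, so that node no longer documents its supported operations while every sibling node does. If the line was a duplicate, say so in the commit message; otherwise restore it.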
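Review bot: the new KeyUsage node at @@ -199,7 +198,12 has a typo, "forth (0x80)" should be "fourth (0x80)", and the bit positions are easier to verify if named by their X.509 meaning: 0x80 is digitalSignature and 0x20 is keyEncipherment, so the requirement is that at least one of those two key-usage bits is set. The node also says "Value type is integer." where every other node in this topic uses "Data type is int."; align the wording, and move that sentence onto its own line before the supported-operations line as the other nodes do.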
Added SyncML examples for the new Configuration node.
+Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
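Review bot: the added change-log entry "Added new nodes to the DMClient CSP in Windows 10, version 1709." does not name the nodes, unlike the entry above it which says which node got SyncML examples; list the new node names or link the DMClient CSP topic so readers can find what changed.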
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). +
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594).
Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
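Review bot: the link text changes from "Windows 10, version 1703 basic level Windows diagnostic events and fields" to "Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics", but the target is still the same fwlink (linkid=847594); confirm that fwlink has been repointed to the 1709 topic, or use the fwlink for the new topic, otherwise the renamed link still opens the 1703 basic-level page.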