deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #8063 from vinaypamnani-msft/vp-mdm2

Browse Source 
MDM Refresh
This commit is contained in:
Thomas Raya 2023-04-21 15:26:51 -07:00 committed by GitHub
commit 358a734d37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
156 changed files with 2763 additions and 5782 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
.openpublishing.redirection.json
View File

@ -6635,6 +6635,86 @@
"redirect_url": "/education/windows/switch-to-pro-education",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/administrative-tools-in-windows-10.md",
"redirect_url": "/windows/client-management/client-tools/administrative-tools-in-windows",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/change-default-removal-policy-external-storage-media.md",
"redirect_url": "/windows/client-management/client-tools/change-default-removal-policy-external-storage-media",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/connect-to-remote-aadj-pc.md",
"redirect_url": "/windows/client-management/client-tools/connect-to-remote-aadj-pc",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/group-policies-for-enterprise-and-education-editions.md",
"redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/manage-device-installation-with-group-policy.md",
"redirect_url": "/windows/client-management/client-tools/manage-device-installation-with-group-policy",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/manage-settings-app-with-group-policy.md",
"redirect_url": "/windows/client-management/client-tools/manage-settings-app-with-group-policy",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mandatory-user-profile.md",
"redirect_url": "/windows/client-management/client-tools/mandatory-user-profile",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/new-policies-for-windows-10.md",
"redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/quick-assist.md",
"redirect_url": "/windows/client-management/client-tools/quick-assist",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/windows-libraries.md",
"redirect_url": "/windows/client-management/client-tools/windows-libraries",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/windows-version-search.md",
"redirect_url": "/windows/client-management/client-tools/windows-version-search",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/manage-corporate-devices.md",
"redirect_url": "/windows/client-management/manage-windows-10-in-your-organization-modern-management",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md",
"redirect_url": "/azure/active-directory/fundamentals/active-directory-access-create-new-tenant",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/register-your-free-azure-active-directory-subscription.md",
"redirect_url": "/microsoft-365/compliance/use-your-free-azure-ad-subscription-in-office-365",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/appv-deploy-and-config.md",
"redirect_url": "/windows/application-management/app-v/appv-for-windows",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/diagnose-mdm-failures-in-windows-10.md",
"redirect_url": "/windows/client-management/mdm-collect-logs",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/policy-admx-backed.md",
"redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
@ -19772,7 +19852,7 @@
},
{
"source_path": "windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md",
"redirect_url": "/windows/client-management/diagnose-mdm-failures-in-windows-10",
"redirect_url": "/windows/client-management/mdm-collect-logs",
"redirect_document_id": false
},
{

99
windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
View File

@ -1,99 +0,0 @@
---
title: Add an Azure AD tenant and Azure AD subscription
description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# Add an Azure AD tenant and Azure AD subscription
Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription)
1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png)
2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available.
![sign up for azure ad.](images/azure-ad-add-tenant2.png)
3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**.
![create azure account.](images/azure-ad-add-tenant3.png)
4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**.
![add aad tenant.](images/azure-ad-add-tenant3-b.png)
5. After you finish creating your Azure account, you can add an Azure AD subscription.
If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
![login to office 365](images/azure-ad-add-tenant4.png)
6. Select **Install software**.
![login to office 365 portal](images/azure-ad-add-tenant5.png)
7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation.
![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png)
8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase.
![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png)
9. Continue with your purchase.
![azure active directory premium payment page.](images/azure-ad-add-tenant8.png)
10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange).
![admin center left navigation menu.](images/azure-ad-add-tenant9.png)
When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
## Register your free Azure Active Directory subscription
If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
1. Sign in to the Microsoft 365 admin center at <https://portal.office.com> using your organization's account.
![register in azuread.](images/azure-ad-add-tenant10.png)
2. On the **Home** page, select on the Admin tools icon.
![register in azure-ad.](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
![register azuread](images/azure-ad-add-tenant12.png)
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
![registration in azure-ad](images/azure-ad-add-tenant13.png)
5. It may take a few minutes to process the request.
![registration in azuread.](images/azure-ad-add-tenant14.png)
6. You'll see a welcome page when the process completes.
![register screen of azuread](images/azure-ad-add-tenant15.png)

485
windows/client-management/appv-deploy-and-config.md
View File

@ -1,485 +0,0 @@
---
title: Deploy and configure App-V apps using MDM
description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server.
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
ms.reviewer:
manager: aaroncz
---
# Deploy and configure App-V apps using MDM
## Executive summary
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
### EnterpriseAppVManagement CSP node structure
[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md)
The following example shows the EnterpriseAppVManagement configuration service provider in tree format.
```console
./Vendor/MSFT
EnterpriseAppVManagement
----AppVPackageManagement
--------EnterpriseID
------------PackageFamilyName
---------------PackageFullName
------------------Name
------------------Version
------------------Publisher
------------------InstallLocation
------------------InstallDate
------------------Users
------------------AppVPackageID
------------------AppVVersionId
------------------AppVPackageUri
----AppVPublishing
--------LastSync
------------LastError
------------LastErrorDescription
------------SyncStatusDescription
------------SyncProgress
--------Sync
------------PublishXML
----AppVDynamicPolicy
--------ConfigurationId
------------Policy
```
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.</p>
<p><b>AppVPublishing</b> - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- **AppVPublishing**
- LastSync
- LastError
- LastErrorDescription
- SyncStatusDescription
- SyncProgress
- Sync
- PublishXML
- AppVDynamicPolicy
<p>Sync command:</p>
[App-V Sync protocol reference](https://msdn.microsoft.com/enus/library/mt739986.aspx)
<p><b>AppVDynamicPolicy</b> - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- AppVPublishing
- **AppVDynamicPolicy**
- [ConfigurationId]
- Policy
<p>Dynamic policy examples:</p>
[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#dynamic-configuration-processing)
<p><b>AppVPackageManagement</b> - Primarily read-only App-V package inventory data for MDM servers to query current packages.</p>
- EnterpriseAppVManagement
- **AppVPackageManagement**
- [EnterpriseID]
- [PackageFamilyName]
- [PackageFullName]
- Name
- Version
- Publisher
- InstallLocation
- InstallDate
- Users
- AppVPackageID
- AppVVersionId
- AppVPackageUri
- AppVPublishing
- AppVDynamicPolicy
<p>The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.</p>
## Scenarios addressed in App-V MDM functionality
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
<p>A complete list of App-V policies can be found here:</p>
[ADMX-backed policy reference](mdm/policy-configuration-service-provider.md)
[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md)
### SyncML examples
<p>The following SyncML examples address specific App-V client scenarios.</p>
#### Enable App-V client
<p>This example shows how to enable App-V on the device.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient</LocURI>
</Target>
<Data><enabled/></Data>
</Item>
</Replace>
```
#### Configure App-V client
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
</Target>
<Data><enabled/></Data>
</Item>
</Replace>
```
<p>Complete list of App-V policies can be found here:</p>
[Policy CSP](mdm/policy-configuration-service-provider.md)
#### SyncML with package published for a device (global to all users for that device)
<p>This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device)
<p>This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy</ LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<DeploymentConfiguration PackageId="57650ac1-1731-4b4c-899ca25548374dab" DisplayName="Skype_RS2Win10_X64" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
<MachineConfiguration></MachineConfiguration>
<UserConfiguration>
<Subsystems>
<Shortcuts Enabled="true">
<Extensions>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{ThisPCDesktopFolder}]\Skype_FromMDM.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Desktop}]\Skype_FromMDMAlso.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
</Extensions>
</Shortcuts>
</Subsystems>
</UserConfiguration>
</DeploymentConfiguration>
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab">
<DeploymentConfiguration ConfigurationId="38" Path="38" Timestamp="2012-08-27T16:14:30.87" /></Package>
</Packages>
<NoGroup>
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (using user config deployment) published for a specific user
<p>This SyncML example shows how to publish a package for a specific MDM user.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
</Packages>
<NoGroup>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### SyncML for publishing mixed-mode connection group containing global and user-published packages
<p>This SyncML example shows how to publish a connection group, and group applications and plugins together.</p>
> [!NOTE]
> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group.
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab"></Package>
</Packages>
</Publishing>
</Data>
</Item>
</Exec>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"></Package>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
<Groups>
<Group GroupId="98d5cebd-165f-403b-a426-7a1f6ae9c399" VersionId="AE76602B-5613-4BAD-9EE5-1728FA55B699" Priority="46" Name="Try7">
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" VersionOptional="false" PackageOptional="false"/>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4" VersionOptional="true" PackageOptional="true"/>
</Group>
</Groups>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Unpublish example SyncML for all global packages
<p>This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages></Packages>
<NoGroup></NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Query packages on a device
<p>These SyncML examples return all global, and user-published packages on the device.</p>
```xml
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
```xml
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```

315
windows/client-management/azure-active-directory-integration-with-mdm.md
View File

@ -9,159 +9,94 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.collection:
- highpri
- tier2
ms.date: 12/31/2017
- highpri
- tier2
ms.date: 04/05/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Azure Active Directory integration with MDM
Azure Active Directory is the world's largest enterprise cloud identity management service. Its used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
Azure Active Directory is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
Once a device is enrolled in MDM, the MDM:
- Can enforce compliance with organization policies, add or remove apps, and more.
- Can report a devices compliance in Azure AD.
- Can report a device's compliance in Azure AD.
- Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies.
To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This article describes the steps involved.
## Connect to Azure AD
Several ways to connect your devices:
For company-owned devices:
- Join Windows to a traditional Active Directory domain
- Join Windows to Azure AD
For personal devices (BYOD):
- Add a Microsoft work account to Windows
### Azure AD Join
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device won't be joined to Azure AD.
> [!IMPORTANT]
> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license.
### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted.
To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD.
## Integrated MDM enrollment and UX
Two Azure AD MDM enrollment scenarios:
- Joining a device to Azure AD for company-owned devices
- Adding a work account to a personal device (BYOD)
There are several ways to connect your devices to Azure AD:
In both scenarios, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment.
- [Join device to Azure AD](/azure/active-directory/devices/concept-azure-ad-join)
- [Join device to on-premises AD and Azure AD](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register)
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
In each scenario, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
> [!NOTE]
> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure ADintegrated enrollment
### MDM endpoints involved in Azure AD integrated enrollment
Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent.
1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
2. Enroll the device.
- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user's consent before the actual enrollment phase begins.
This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
Its important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
[![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox)
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
After the users accepts the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
## Make the MDM a reliable party of Azure AD
## Make MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
### Add a cloud-based MDM
### Cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
> [!NOTE]
> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guides below:
>
> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs.
The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, in the customer tenant where the managed device belongs.
> [!NOTE]
> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats-and-ownership).
> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
### On-premises MDM
1. Log on to the Azure Management Portal using an admin account in your home tenant.
An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Azure AD.
2. In the left navigation, select **Active Directory**.
3. Select the directory tenant where you want to register the application.
Ensure you're logged into your home tenant.
4. Select the **Applications** tab.
5. In the drawer, select **Add**.
6. Select **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**.
8. Enter the logon URL for your MDM service.
9. For the App ID, enter `https://<your_tenant_name>/ContosoMDM`, then select OK.
10. While still in the Azure portal, select the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You'll need this ID later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You need this key to call the Microsoft Graph API to report device compliance. This information is covered in the next section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
### Add an on-premises MDM
An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
@ -173,24 +108,21 @@ The application keys used by your MDM service are a sensitive resource. They sho
For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys.
## Publish your MDM app to Azure AD app gallery
IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
The following image show how MDM applications show up in the Azure app gallery.
![azure ad add an app for mdm.](images/azure-ad-app-gallery.png)
### Add cloud-based MDM to the app gallery
> [!NOTE]
> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
To publish your application, [submit a request to publish your application in Azure Active Directory application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing)
The following table shows the required information to create an entry in the Azure AD app gallery.
|Item|Description|
@ -201,8 +133,6 @@ The following table shows the required information to create an entry in the Azu
|**Description**|A brief description of your MDM app, which must be under 255 characters.|
|**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215|
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
@ -215,11 +145,11 @@ The pages rendered by the MDM in the integrated enrollment process must use Wind
There are three distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
These scenarios support Windows client Pro, Enterprise, and Education.
These scenarios support Windows Pro, Enterprise, and Education.
The CSS files provided by Microsoft contain version information and we recommend that you use the latest version. There are separate CSS files for Windows client devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
@ -256,7 +186,7 @@ The following parameters are passed in the query string:
Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw...
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
@ -267,13 +197,12 @@ The following claims are expected in the access token passed by Windows to the T
|TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.|
|Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
> [!NOTE]
> There's no device ID claim in the access token because the device may not yet be enrolled at this time.
To retrieve the list of group memberships for the user, you can use the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
Here's an example URL.
Here's an example URL:
```http
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
@ -288,8 +217,8 @@ The MDM may do other more redirects as necessary before displaying the Terms of
The Terms of Use content should contain the following buttons:
- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
- **Decline** - the user declines and stops the enrollment process.
- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
- **Decline** - the user declines and stops the enrollment process.
The Terms of Use content must be consistent with the theme used for the other pages rendered during this process.
@ -297,13 +226,13 @@ The Terms of Use content must be consistent with the theme used for the other pa
At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This Boolean value is required, and must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This Boolean value is required, and must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join.
@ -311,7 +240,7 @@ We recommend that you send the client-request-id parameters in the query string
### Terms Of Use Error handling
If an error occurs during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the error\_description should be in English plain text. This text isn't visible to the end-user. So, localization of the error description text isn't a concern.
If an error occurs during the terms of use processing, the MDM can return two parameters - an `error` and `error_description` parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the `error_description` should be in English plain text. This text isn't visible to the end-user. So, localization of the `error_description` text isn't a concern.
Here's the URL format:
@ -334,7 +263,6 @@ The following table shows the error codes.
|Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
|internal service error|302|server_error|internal service error|
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
@ -355,41 +283,43 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
|Enrolled certificate store|My/User|My/System|My/User|
|CSR subject name|User Principal Name|Device ID|User Principal Name|
|EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
|CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
|CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
## Management protocol with Azure AD
There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD-joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
- **Multiple user management for Azure AD-joined devices**
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
- **Adding a work account and MDM enrollment to a device**:
```console
Authorization:Bearer <Azure AD User Token Inserted here>
```
In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
More claims may be present in the Azure AD token, such as:
- **Evaluating Azure AD user tokens**:
- User - user currently logged in
- Device compliance - value set the MDM service into Azure
- Device ID - identifies the device that is checking in
- Tenant ID
The Azure AD token is in the HTTP Authorization header in the following format:
Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
```console
Authorization:Bearer <Azure AD User Token Inserted here>
```
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
More claims may be present in the Azure AD token, such as:
- User - user currently logged in
- Device compliance - value set the MDM service into Azure
- Device ID - identifies the device that is checking in
- Tenant ID
Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM package #1. Here's an example:
```xml
Alert Type: com.microsoft/MDM/AADUserToken
@ -401,25 +331,25 @@ Alert sample:
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
<Type xmlns= "syncml:metinf ">com.microsoft/MDM/AADUserToken</Type>
</Meta>
<Data>UserToken inserted here</Data>
</Item>
</Alert>
… other XML tags …
... other XML tags ...
</SyncBody>
```
## Determine when a user is logged in through polling
An alert is sent to the MDM server in DM package\#1.
An alert is sent to the MDM server in DM package \#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
- Alert data - provide sign-in status information for the current active logged in user.
- Signed-in user who has an Azure AD account - predefined text: user.
- Signed-in user without an Azure AD account- predefined text: others.
- No active user - predefined text:none
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
- Alert data - provide sign-in status information for the current active logged in user.
- Signed-in user who has an Azure AD account - predefined text: user.
- Signed-in user without an Azure AD account- predefined text: others.
- No active user - predefined text:none
Here's an example.
@ -430,12 +360,12 @@ Here's an example.
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Type xmlns= "syncml:metinf ">com.microsoft/MDM/LoginStatus</Type>
</Meta>
<Data>user</Data>
</Item>
</Alert>
… other XML tags …
... other XML tags ...
</SyncBody>
```
@ -445,21 +375,21 @@ Once a device is enrolled with the MDM for management, organization policies con
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Microsoft Graph API
The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it.
> [!NOTE]
> This API is only applicable for approved MDM apps on Windows 10 devices.
> This API is only applicable for approved MDM apps on Windows devices.
```console
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Authorization: Bearer eyJ0eXAiO.........
Accept: application/json
Content-Type: application/json
{ "isManaged":true,
@ -469,16 +399,16 @@ Content-Type: application/json
Where:
- **contoso.com** This value is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This value is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
Response:
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
## Data loss during unenrollment from Azure Active Directory Join
@ -488,41 +418,4 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
## Error codes
|Code|ID|Error message|
|--- |--- |--- |
|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.|
|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.|
|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.|
|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.|
|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.|
|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.|
|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.|
|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
[!INCLUDE [Enrollment error codes](includes/mdm-enrollment-error-codes.md)]

28
windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
View File

@ -1,33 +1,29 @@
---
title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
title: Automatic MDM enrollment in the Intune admin center
description: Automatic MDM enrollment in the Intune admin center
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 12/18/2020
ms.date: 04/05/2023
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
# Automatic MDM enrollment in the Intune admin center
Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
If you use the Azure portal, then you can access Intune using the following steps:
Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure Portal.
1. Go to your Azure AD Blade.
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
3. Select **Microsoft Intune** and configure the blade.
![How to get to the Blade.](images/azure-mdm-intune.png)
1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
Configure the blade
1. Select **Microsoft Intune** and configure the blade. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group).
![Configure the Blade.](images/azure-intune-configure-scope.png)
![Configure the Blade.](images/azure-intune-configure-scope.png)
You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
1. Select **Save** to configure MDM auto-enrollment for Azure AD joined devices and bring-your-own-device scenarios.

197
windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
View File

@ -1,9 +1,6 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@ -11,40 +8,45 @@ ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
ms.date: 04/05/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Bulk enrollment
# Bulk enrollment using Windows Configuration Designer
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario.
## Typical use cases
- Set up devices in bulk for large organizations to be managed by MDM.
- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
- Set up school computers.
- Set up industrial machinery.
- Set handheld POS devices.
- Set up devices in bulk for large organizations to be managed by MDM.
- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
- Set up school computers.
- Set up industrial machinery.
- Set handheld POS devices.
On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop, you can create an Active Directory account, such as `enrollment@contoso.com` and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> [!NOTE]
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
> - Bulk Token creation is not supported with federated accounts.
>
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
> - Bulk Token creation is not supported with federated accounts.
## What you need
- Windows 10 devices.
- Windows Configuration Designer (WCD) tool.
- Windows devices.
- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
@ -53,112 +55,105 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool.
2. Select **Advanced Provisioning**.
1. Select **Advanced Provisioning**.
![icd start page.](images/bulk-enrollment7.png)
3. Enter a project name and select **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
5. Skip **Import a provisioning package (optional)** and select **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**.
7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings:
- **AuthPolicy** - Select **OnPremise**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
Here's the screenshot of the WCD at this point.
1. Enter a project name and select **Next**.
1. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
1. Skip **Import a provisioning package (optional)** and select **Finish**.
1. Expand **Runtime settings** > **Workplace**.
1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`.
1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings:
- **AuthPolicy** - Select **OnPremise**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). Here's the screenshot of the WCD at this point.
![bulk enrollment screenshot.](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you're done adding all the settings, on the **File** menu, select **Save**.
11. On the main menu, select **Export** &gt; **Provisioning package**.
1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
1. When you're done adding all the settings, on the **File** menu, select **Save**.
1. On the main menu, select **Export** > **Provisioning package**.
![icd menu for export.](images/bulk-enrollment2.png)
12. Enter the values for your package and specify the package output location.
1. Enter the values for your package and specify the package output location.
![enter package information.](images/bulk-enrollment3.png)
![enter additional information for package information.](images/bulk-enrollment4.png)
![specify file location.](images/bulk-enrollment6.png)
13. Select **Build**.
1. Select **Build**.
![icb build window.](images/bulk-enrollment5.png)
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
15. Apply the package to your devices.
1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
1. Apply the package to your devices.
## Create and apply a provisioning package for certificate authentication
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool.
2. Select **Advanced Provisioning**.
3. Enter a project name and select **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and select **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
2. Enter a **CertificateName** and then select **Add**.
3. Enter the **CertificatePasword**.
4. For **CertificatePath**, browse and select the certificate to be used.
5. Set **ExportCertificate** to False.
6. For **KeyLocation**, select **Software only**.
1. Select **Advanced Provisioning**.
1. Enter a project name and select **Next**.
1. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
1. Skip **Import a provisioning package (optional)** and select **Finish**.
1. Specify the certificate:
1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**.
1. Enter a **CertificateName** and then select **Add**.
1. Enter the **CertificatePassword**.
1. For **CertificatePath**, browse and select the certificate to be used.
1. Set **ExportCertificate** to False.
1. For **KeyLocation**, select **Software only**.
![icd certificates section.](images/bulk-enrollment8.png)
7. Specify the workplace settings.
1. Got to **Workplace** &gt; **Enrollments**.
2. Enter the **UPN** for the enrollment and then select **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings:
- **AuthPolicy** - Select **Certificate**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
9. When you're done adding all the settings, on the **File** menu, select **Save**.
10. Export and build the package (steps 10-13 in the procedure above).
11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
12. Apply the package to your devices.
1. Specify the workplace settings.
1. Got to **Workplace** > **Enrollments**.
1. Enter the **UPN** for the enrollment and then select **Add**. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`.
1. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings:
- **AuthPolicy** - Select **Certificate**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
1. When you're done adding all the settings, on the **File** menu, select **Save**.
1. Export and build the package (steps 10-13 in the procedure above).
1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
1. Apply the package to your devices.
## Apply a provisioning package
Here's the list of articles about applying a provisioning package:
- [Apply a package during initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#during-initial-setup)
- [Apply a package after initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup)
- [Apply a package directly](/windows/configuration/provisioning-packages/provisioning-apply-package#apply-directly)
- [Apply a package from the Settings app](/windows/configuration/provisioning-packages/provisioning-apply-package#windows-settings).
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package)
- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image)
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below
## Validate that the provisioning package was applied
## Apply a package from the Settings menu
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Select **Add or remove a provisioning package**.
3. Select **Add a package**.
## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Select **Add or remove a provisioning package**.
You should see your package listed.
1. Go to **Settings** > **Accounts** > **Access work or school**.
1. Select **Add or remove a provisioning package**. You should see your package listed.
## Retry logic if there's a failure
If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
- If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from the SYSTEM context.
- It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions).
If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -&gt; 1 hr -&gt; 4 hr -&gt; "Next System Start". These attempts will be run from a SYSTEM context.
It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
## Other provisioning articles
Here are links to step-by-step provisioning articles:
- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
## Related articles
- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)

36
windows/client-management/certificate-authentication-device-enrollment.md
View File

@ -8,23 +8,21 @@ ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
ms.date: 04/05/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows devices, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
> [!Note]
> [!NOTE]
> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
## In this topic
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
> [!NOTE]
> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery Service
@ -37,7 +35,6 @@ User-Agent: Windows Enrollment Client
Host: EnterpriseEnrollment.Contoso.com
Content-Length: xxx
Cache-Control: no-cache
<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
@ -135,7 +132,7 @@ Cache-Control: no-cache
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType="X509v3” wsse:Id="mytoken wsse:EncodingType=
<wsse:BinarySecurityToken wsse:ValueType="X509v3" wsse:Id="mytoken" wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
@ -296,14 +293,13 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu:Id=”29801C2F-F26B-46AD-984B-AFAEFB545FF8”>
wsu:Id="29801C2F-F26B-46AD-984B-AFAEFB545FF8">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> <!X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference -->
</wsse:BinarySecurityToken> <!-X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd”>
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility- 1.0.xsd">
<ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1/>
<ds:Reference URI="#envelop">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
@ -312,13 +308,13 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SignedMessageBlob/ds:SignatureValue>
<!-- Digest value of message signed with the users private key using RSA-SHA256 -->
<!-- Digest value of message signed with the user's private key using RSA-SHA256 -->
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8"
ValueType="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-x509-token-profile-1.0#X509"/>
<!-— References BinarySecurityToken that contains public key to verify signature -->
<!-- References BinarySecurityToken that contains public key to verify signature -->
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
@ -443,7 +439,7 @@ The following example shows the encoded provisioning XML.
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<!--If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/>
@ -487,7 +483,7 @@ The following example shows the encoded provisioning XML.
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedule's retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>

43
windows/client-management/certificate-renewal-windows-mdm.md
View File

@ -1,9 +1,6 @@
---
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@ -12,29 +9,32 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> [!Note]
> [!NOTE]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
## Automatic certificate renewal request
Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal.
> [!Note]
> [!NOTE]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSPs](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
With automatic renewal, the PKCS\#7 message content isnt b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
@ -94,28 +94,25 @@ The following example shows the details of an automatic renewal request.
## Certificate renewal schedule configuration
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
> [!Note]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
- The signature of the PKCS\#7 BinarySecurityToken is correct
- The clients certificate is in the renewal period
- The certificate was issued by the enrollment service
- The requester is the same as the requester for initial enrollment
- For standard clients request, the client hasnt been blocked
- The signature of the PKCS\#7 BinarySecurityToken is correct
- The client's certificate is in the renewal period
- The certificate was issued by the enrollment service
- The requester is the same as the requester for initial enrollment
- For standard client's request, the client hasn't been blocked
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> [!Note]
> [!NOTE]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of a certificate renewal response.
@ -145,14 +142,14 @@ The following example shows the details of a certificate renewal response.
</wap-provisioningdoc>
```
> [!Note]
> [!NOTE]
> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore
- w7 APPLICATION
- DMClient
- EnterpriseAppManagement
- CertificateStore
- w7 APPLICATION
- DMClient
- EnterpriseAppManagement

18
windows/client-management/administrative-tools-in-windows-10.md → windows/client-management/client-tools/administrative-tools-in-windows.md
View File

@ -6,24 +6,22 @@ author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.localizationpriority: medium
ms.date: 03/28/2022
ms.date: 04/11/2023
ms.topic: article
ms.collection:
- highpri
- tier2
- highpri
- tier2
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Windows Tools/Administrative Tools
**Applies to**
- Windows 11
- Windows 10
**Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
## Windows Tools folder (Windows 11)
## Windows Tools folder
The following graphic shows the **Windows Tools** folder in Windows 11:
@ -33,7 +31,7 @@ The tools in the folder might vary depending on which edition of Windows you use
:::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png":::
## Administrative Tools folder (Windows 10)
## Administrative Tools folder
The following graphic shows the **Administrative Tools** folder in Windows 10:

47
windows/client-management/change-default-removal-policy-external-storage-media.md → windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
View File

@ -1,26 +1,22 @@
---
title: Windows 10 default media removal policy
description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal.
title: Windows default media removal policy
description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 11/25/2020
ms.date: 04/11/2023
ms.topic: article
ms.custom:
- CI 111493
- CI 125140
- CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium
manager: kaushika
manager: aaroncz
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Change in default removal policy for external storage media in Windows 10, version 1809
# Change in default removal policy for external storage media in Windows
Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**.
In earlier versions of Windows, the default policy was **Better performance**.
Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. In earlier versions of Windows, the default policy was **Better performance**.
You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port.
@ -28,31 +24,32 @@ You can change the policy setting for each external device, and the policy that
You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
> [!IMPORTANT]
> If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.
- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
- **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
> [!NOTE]
> If you select **Better performance**, we recommend that you also select **Enable write caching on the device**.
> [!IMPORTANT]
> If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.
> [!NOTE]
> If you select **Better performance**, we recommend that you also select **Enable write caching on the device**.
To change the policy for an external storage device:
1. Connect the device to the computer.
2. Right-click **Start**, then select **File Explorer**.
3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
4. Right-click **Start**, then select **Disk Management**.
5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
1. Right-click **Start**, then select **File Explorer**.
1. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
1. Right-click **Start**, then select **Disk Management**.
1. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png)
6. Select **Policies**.
1. Select **Policies**.
> [!NOTE]
> Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box.
>
> If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available.
7. Select the policy that you want to use.
1. Select the policy that you want to use.
![Policy options for disk management.](./images/change-def-rem-policy-2.png)

16
windows/client-management/connect-to-remote-aadj-pc.md → windows/client-management/client-tools/connect-to-remote-aadj-pc.md
View File

@ -1,25 +1,25 @@
---
title: Connect to remote Azure Active Directory joined device (Windows)
title: Connect to remote Azure Active Directory joined device
description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.author: vinpa
ms.date: 01/18/2022
ms.date: 04/11/2023
manager: aaroncz
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier2
- highpri
- tier2
ms.technology: itpro-manage
---
# Connect to remote Azure Active Directory joined device
From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP.
Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP).
- Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
- Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication).
@ -129,5 +129,3 @@ Remote Desktop Users group is used to grant users and groups permissions to remo
## Related articles
[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)

0
windows/client-management/images/admin-tools-folder.png → windows/client-management/client-tools/images/admin-tools-folder.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 31 KiB

0
windows/client-management/images/admin-tools.png → windows/client-management/client-tools/images/admin-tools.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 82 KiB

0
windows/client-management/images/allow-rdp.png → windows/client-management/client-tools/images/allow-rdp.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

0
windows/client-management/images/change-def-rem-policy-1.png → windows/client-management/client-tools/images/change-def-rem-policy-1.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 125 KiB

After

Width:  |  Height:  |  Size: 125 KiB

0
windows/client-management/images/change-def-rem-policy-2.png → windows/client-management/client-tools/images/change-def-rem-policy-2.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 159 KiB

After

Width:  |  Height:  |  Size: 159 KiB

0
windows/client-management/images/checkmark.png → windows/client-management/client-tools/images/checkmark.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 20 KiB

0
windows/client-management/images/copy-to-change.png → windows/client-management/client-tools/images/copy-to-change.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 11 KiB

After

Width:  |  Height:  |  Size: 11 KiB

0
windows/client-management/images/copy-to-path.png → windows/client-management/client-tools/images/copy-to-path.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 14 KiB

0
windows/client-management/images/copy-to.PNG → windows/client-management/client-tools/images/copy-to.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 54 KiB

After

Width:  |  Height:  |  Size: 54 KiB

0
windows/client-management/images/crossmark.png → windows/client-management/client-tools/images/crossmark.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 20 KiB

0
windows/client-management/images/device-installation-apply-layered-policy-2.png → windows/client-management/client-tools/images/device-installation-apply-layered-policy-2.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 81 KiB

After

Width:  |  Height:  |  Size: 81 KiB

0
windows/client-management/images/device-installation-apply-layered_policy-1.png → windows/client-management/client-tools/images/device-installation-apply-layered_policy-1.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 240 KiB

After

Width:  |  Height:  |  Size: 240 KiB

0
windows/client-management/images/device-installation-dm-printer-by-device.png → windows/client-management/client-tools/images/device-installation-dm-printer-by-device.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 120 KiB

After

Width:  |  Height:  |  Size: 120 KiB

0
windows/client-management/images/device-installation-dm-printer-compatible-ids.png → windows/client-management/client-tools/images/device-installation-dm-printer-compatible-ids.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 42 KiB

After

Width:  |  Height:  |  Size: 42 KiB

0
windows/client-management/images/device-installation-dm-printer-details-screen.png → windows/client-management/client-tools/images/device-installation-dm-printer-details-screen.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 33 KiB

After

Width:  |  Height:  |  Size: 33 KiB

0
windows/client-management/images/device-installation-dm-printer-hardware-ids.png → windows/client-management/client-tools/images/device-installation-dm-printer-hardware-ids.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 36 KiB

After

Width:  |  Height:  |  Size: 36 KiB

0
windows/client-management/images/device-installation-dm-usb-by-connection-blocked.png → windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-blocked.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 97 KiB

After

Width:  |  Height:  |  Size: 97 KiB

0
windows/client-management/images/device-installation-dm-usb-by-connection-layering.png → windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-layering.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 203 KiB

After

Width:  |  Height:  |  Size: 203 KiB

0
windows/client-management/images/device-installation-dm-usb-by-connection.png → windows/client-management/client-tools/images/device-installation-dm-usb-by-connection.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 202 KiB

After

Width:  |  Height:  |  Size: 202 KiB

0
windows/client-management/images/device-installation-dm-usb-by-device.png → windows/client-management/client-tools/images/device-installation-dm-usb-by-device.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 47 KiB

0
windows/client-management/images/device-installation-dm-usb-hwid.png → windows/client-management/client-tools/images/device-installation-dm-usb-hwid.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 42 KiB

After

Width:  |  Height:  |  Size: 42 KiB

0
windows/client-management/images/device-installation-flowchart.png → windows/client-management/client-tools/images/device-installation-flowchart.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 66 KiB

After

Width:  |  Height:  |  Size: 66 KiB

0
windows/client-management/images/device-installation-gpo-allow-device-id-list-printer.png → windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-printer.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 20 KiB

0
windows/client-management/images/device-installation-gpo-allow-device-id-list-usb.png → windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-usb.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 45 KiB

0
windows/client-management/images/device-installation-gpo-prevent-class-list.png → windows/client-management/client-tools/images/device-installation-gpo-prevent-class-list.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 26 KiB

0
windows/client-management/images/device-installation-gpo-prevent-device-id-list-printer.png → windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-printer.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 28 KiB

0
windows/client-management/images/device-installation-gpo-prevent-device-id-list-usb.png → windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-usb.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 26 KiB

0
windows/client-management/images/msinfo32.png → windows/client-management/client-tools/images/msinfo32.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 18 KiB

0
windows/client-management/images/quick-assist-flow.png → windows/client-management/client-tools/images/quick-assist-flow.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

0
windows/client-management/images/quick-assist-get.png → windows/client-management/client-tools/images/quick-assist-get.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.1 KiB

After

Width:  |  Height:  |  Size: 6.1 KiB

0
windows/client-management/images/rdp.png → windows/client-management/client-tools/images/rdp.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

0
windows/client-management/images/refcmd.png → windows/client-management/client-tools/images/refcmd.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

0
windows/client-management/images/settings-page-visibility-gp.png → windows/client-management/client-tools/images/settings-page-visibility-gp.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 31 KiB

0
windows/client-management/images/slmgr_dlv.png → windows/client-management/client-tools/images/slmgr-dlv.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 73 KiB

After

Width:  |  Height:  |  Size: 73 KiB

0
windows/client-management/images/sysprep-error.png → windows/client-management/client-tools/images/sysprep-error.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 30 KiB

0
windows/client-management/images/systemcollage.png → windows/client-management/client-tools/images/systemcollage.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 103 KiB

After

Width:  |  Height:  |  Size: 103 KiB

0
windows/client-management/images/win11-control-panel-windows-tools.png → windows/client-management/client-tools/images/win11-control-panel-windows-tools.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 55 KiB

After

Width:  |  Height:  |  Size: 55 KiB

0
windows/client-management/images/win11-windows-tools.png → windows/client-management/client-tools/images/win11-windows-tools.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 41 KiB

After

Width:  |  Height:  |  Size: 41 KiB

0
windows/client-management/images/WinVer.PNG → windows/client-management/client-tools/images/winver.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

261
windows/client-management/manage-device-installation-with-group-policy.md → windows/client-management/client-tools/manage-device-installation-with-group-policy.md
View File

@ -9,16 +9,14 @@ manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
---
# Manage Device Installation with Group Policy
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2022
## Summary
By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
@ -26,6 +24,7 @@ By using Windows operating systems, administrators can determine what devices ca
## Introduction
### General
This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
@ -63,7 +62,7 @@ You can ensure that users install only those devices that your technical support
## Scenario Overview
The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
Group Policy guides:
@ -72,7 +71,7 @@ Group Policy guides:
### Scenario #1: Prevent installation of all printers
In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the prevent/allow functionality of Device Installation policies in Group Policy.
In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy.
### Scenario #2: Prevent installation of a specific printer
@ -84,11 +83,11 @@ In this scenario, you'll combine what you learned from both scenario #1 and scen
### Scenario #4: Prevent installation of a specific USB device
This scenario, although similar to scenario #2, brings another layer of complexity how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
This scenario, although similar to scenario #2, brings another layer of complexityhow does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the prevent functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
## Technology Review
@ -96,7 +95,7 @@ The following sections provide a brief overview of the core technologies discuss
### Device Installation in Windows
A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definitionit's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages.
@ -107,7 +106,7 @@ The four types of identifiers are:
- Device Instance ID
- Device ID
- Device setup classes
- Removable Devices device type
- 'Removable Devices' device type
#### Device Instance ID
@ -146,12 +145,12 @@ For more information, see [Device Setup Classes](/windows-hardware/drivers/insta
This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
The following two links provide the complete list of Device Setup Classes. System Use classes are mostly referred to devices that come with a computer/machine from the factory, while Vendor classes are mostly referred to devices that could be connected to an existing computer/machine:
The following two links provide the complete list of Device Setup Classes. 'System Use' classes are mostly referred to devices that come with a computer/machine from the factory, while 'Vendor' classes are mostly referred to devices that could be connected to an existing computer/machine:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
#### Removable Device Device type
#### 'Removable Device' Device type
Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
@ -164,7 +163,7 @@ Device Installation section in Group Policy is a set of policies that control wh
The following passages are brief descriptions of the Device Installation policies that are used in this guide.
> [!NOTE]
> Device Installation control is applied only to machines (computer configuration) and not users (user configuration) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
> Device Installation control is applied only to machines ('computer configuration') and not users ('user configuration') by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
#### Allow administrators to override Device Installation Restriction policies
@ -219,22 +218,22 @@ To complete each of the scenarios, ensure you have:
- A client computer running Windows.
- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB/network printer pre-installed on the machine.
- Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.
### Understanding implications of applying Prevent policies retroactive
### Understanding implications of applying 'Prevent' policies retroactive
All Prevent policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
All 'Prevent' policies can apply the block functionality to already installed devices-devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones.
For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones.
This option is a powerful tool, but as such it has to be used carefully.
> [!IMPORTANT]
> Applying the Prevent retroactive option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all Disk Drives could block the access to the disk on which the OS boots with; Preventing retroactive all Net could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
> Applying the 'Prevent retroactive' option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all 'Disk Drives' could block the access to the disk on which the OS boots with; Preventing retroactive all 'Net' could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
## Determine device identification strings
@ -249,19 +248,19 @@ To find device identification strings using Device Manager
1. Make sure your printer is plugged in and installed.
2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
4. Find the “Printers” section and find the target printer
1. Find the "Printers" section and find the target printer
![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
5. Double-click the printer and move to the Details tab.
1. Double-click the printer and move to the 'Details' tab.
![Details tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the Details tab to look for the device identifiers_
!['Details' tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the 'Details' tab to look for the device identifiers_
6. From the Value window, copy the most detailed Hardware ID we'll use this value in the policies.
1. From the 'Value' window, copy the most detailed Hardware ID—we'll use this value in the policies.
![HWID.](images/device-installation-dm-printer-hardware-ids.png)
@ -311,24 +310,24 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies, except Apply layered order of evaluationalthough the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'-although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
3. If there are any enabled policies, changing their status to disabled, would clear them from all parameters
1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters
4. Have a USB/network printer available to test the policy with
1. Have a USB/network printer available to test the policy with
### Scenario steps preventing installation of prohibited devices
### Scenario steps - preventing installation of prohibited devices
Getting the right device identifier to prevent it from being installed:
1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID).
2. If you dont have such device installed on your system or know the name of the class, you can check the following two links:
1. If you don't have such device installed on your system or know the name of the class, you can check the following two links:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
1. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
> Printers\
> Class = Printer\
@ -340,40 +339,40 @@ Getting the right device identifier to prevent it from being installed:
Creating the policy to prevent all printers from being installed:
1. Open Group Policy Object Editoreither click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page:
1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled (recommended to keep applied layered order of evaluation policy enabled).
1. Make sure all policies are disabled (recommended to keep 'applied layered order of evaluation' policy enabled).
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block.
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it wont work): {4d36e979-e325-11ce-bfc1-08002be10318}
1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`.
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
7. Click OK.
1. Click 'OK'.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future printer installations, but doesnt apply to existing installs.
1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
9. Optional if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed
1. Optional—if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'
> [!IMPORTANT]
> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using Disk Drive class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
### Testing the scenario
1. If you haven't completed step #9 follow these steps:
1. If you haven't completed step #9, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
1. For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app.
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
1. For USB printer—unplug and plug back the cable; for network device—make a search for the printer in the Windows Settings app.
1. You shouldn't be able to reinstall the printer.
2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
## Scenario #2: Prevent installation of a specific printer
@ -385,39 +384,39 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Ensure all previous Device Installation policies are disabled except Apply layered order of evaluation (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
### Scenario steps preventing installation of a specific device
### Scenario steps - preventing installation of a specific device
Getting the right device identifier to prevent it from being installed:
1. Get your printers Hardware ID in this example we'll use the identifier we found previously
1. Get your printer's Hardware ID. In this example we'll use the identifier we found previously.
![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
2. Write down the device ID (in this case Hardware ID) WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
1. Write down the device ID (in this case Hardware ID): `WSDPRINT\CanonMX920_seriesC1A0;`. Take the more specific identifier to make sure you block a specific printer and not a family of printers
Creating the policy to prevent a single printer from being installed:
1. Open Group Policy Object Editor either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
1. Open Group Policy Object Editor.
2. Navigate to the Device Installation Restriction page:
1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Open **Prevent installation of devices that match any of these device IDs** policy and select the Enable radio button.
1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
4. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to block.
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block.
5. Enter the printer device ID you found above WSDPRINT\CanonMX920_seriesC1A0
1. Enter the printer device ID you found above: `WSDPRINT\CanonMX920_seriesC1A0`.
![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
6. Click OK.
1. Click 'OK'.
7. Click Apply on the bottom right of the policys window. This option pushes the policy and blocks the target printer in future installations, but doesnt apply to an existing install.
1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install.
8. Optional if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed.
1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'.
### Testing the scenario
@ -425,12 +424,11 @@ If you completed step #8 above and restarted the machine, look for your printer
If you haven't completed step #8, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
2. For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app.
3. You shouldn't be able to reinstall the printer.
1. For USB printer, unplug and plug back the cable; for network device, make a search for the printer in the Windows Settings app.
1. You shouldn't be able to reinstall the printer.
## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
@ -442,67 +440,66 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies, and enable Apply layered order of evaluation.
1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'.
3. If there are any enabled policies, changing their status to disabled, would clear them from all parameters.
1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
4. Have a USB/network printer available to test the policy with.
1. Have a USB/network printer available to test the policy with.
### Scenario steps preventing installation of an entire class while allowing a specific printer
### Scenario steps - preventing installation of an entire class while allowing a specific printer
Getting the device identifier for both the Printer Class and a specific printer following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
Getting the device identifier for both the Printer Class and a specific printerfollowing the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
- ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
- Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
First create a Prevent Class policy and then create Allow Device one:
First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Open Group Policy Object Editor either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
1. Open Group Policy Object Editoreither click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page:
1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled
1. Make sure all policies are disabled
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block.
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it wont work): {4d36e979-e325-11ce-bfc1-08002be10318}
1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
7. Click OK.
1. Click 'OK'.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future printer installations, but doesnt apply to existing installs.
1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
9. To complete the coverage of all future and existing printers Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed and click OK
1. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'
10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it this policy will enable you to override the wide coverage of the Prevent policy with a specific device.
1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it—this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
:::image type="content" alt-text="Screenshot of Local Group Policy Editor that shows the policies under Device Installation Restrictions and the policy named in this step." source="images/device-installation-apply-layered_policy-1.png" lightbox="images/device-installation-apply-layered_policy-1.png":::
![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
[![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.](images/device-installation-apply-layered-policy-2.png)](images/device-installation-apply-layered-policy-2.png#lightbox)<br/>_Apply layered order of evaluation policy_
9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the Enable radio button.
1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
10. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to allow.
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
12. Click OK.
1. Click 'OK'.
13. Click Apply on the bottom right of the policys window this option pushes the policy and allows the target printer to be installed (or stayed installed).
1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and allows the target printer to be installed (or stayed installed).
## Testing the scenario
1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer you shouldn't be bale to print anything or able to access the printer at all.
1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer—you shouldn't be bale to print anything or able to access the printer at all.
## Scenario #4: Prevent installation of a specific USB device
@ -514,67 +511,65 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section
2. Ensure all previous Device Installation policies are disabled except Apply layered order of evaluation (this prerequisite is optional to be On/Off this scenario) although the policy is disabled in default, it's recommended to be enabled in most practical applications.
1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation'. This prerequisite is optional to be On/Off this scenario. Although the policy is disabled in default, it's recommended to be enabled in most practical applications.
### Scenario steps preventing installation of a specific device
### Scenario steps - preventing installation of a specific device
Getting the right device identifier to prevent it from being installed and its location in the PnP tree:
1. Connect a USB thumb drive to the machine
2. Open Device Manager
1. Open Device Manager
3. Find the USB thumb-drive and select it.
1. Find the USB thumb-drive and select it.
![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
4. Change View (in the top menu) to Devices by connections. This view represents the way devices are installed in the PnP tree.
1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree.
![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
> [!NOTE]
> When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
> When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked.
![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
5. Double-click the USB thumb-drive and move to the Details tab.
1. Double-click the USB thumb-drive and move to the 'Details' tab.
6. From the Value window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
Creating the policy to prevent a single USB thumb-drive from being installed:
1. Open Group Policy Object Editor either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
1. Open Group Policy Object Editor and either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page:
1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Open **Prevent installation of devices that match any of these device IDs** policy and select the Enable radio button.
1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
4. In the lower left side, in the Options window, click the Show box. This option will take you to a table where you can enter the device identifier to block.
1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
5. Enter the USB thumb-drive device ID you found above USBSTOR\DiskGeneric_Flash_Disk______8.07
1. Enter the USB thumb-drive device ID you found above—`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
6. Click OK.
1. Click 'OK'.
7. Click Apply on the bottom right of the policys window this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesnt apply to an existing install.
8. Optional if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the Options window, mark the checkbox that says also apply to matching devices that are already installed
1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install.
1. Optional - if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'.
### Testing the scenario
1. If you haven't completed step #8 follow these steps:
1. If you haven't completed step #8, follow these steps:
- Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”.
- Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device".
- You shouldn't be able to reinstall the device.
2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
@ -586,15 +581,15 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies, and **enable** Apply layered order of evaluation.
1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'.
3. If there are any enabled policies, changing their status to disabled, would clear them from all parameters.
1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
4. Have a USB thumb-drive available to test the policy with.
1. Have a USB thumb-drive available to test the policy with.
### Scenario steps preventing installation of all USB devices while allowing only an authorized USB thumb-drive
### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive
Getting the device identifier for both the USB Classes and a specific USB thumb-drive following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
Getting the device identifier for both the USB Classes and a specific USB thumb-drive and following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
- USB Bus Devices (hubs and host controllers)
- Class = USB
@ -610,16 +605,16 @@ Getting the device identifier for both the USB Classes and a specific USB thumb-
As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
- “Intel(R) USB 3.0 eXtensible Host Controller 1.0 (Microsoft)” -> PCI\CC_0C03
- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
- “Generic USB Hub” -> USB\USB20_HUB
- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03
- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30
- "Generic USB Hub" -> USB\USB20_HUB
![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
> [!IMPORTANT]
> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an Allow list in such cases. See below for the list:
> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list:
>
> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
@ -629,49 +624,49 @@ These devices are internal devices on the machine that define the USB port conne
>
> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
First create a Prevent Class policy and then create Allow Device one:
First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Open Group Policy Object Editor either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page:
1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled
1. Make sure all policies are disabled
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block.
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
6. Enter both USB classes GUID you found above with the curly braces:
1. Enter both USB classes GUID you found above with the curly braces:
> {36fc9e60-c465-11cf-8056-444553540000}/
> {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
7. Click OK.
1. Click 'OK'.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future USB device installations, but doesnt apply to existing installs.
1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs.
> [!IMPORTANT]
> The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it this policy will enable you to override the wide coverage of the Prevent policy with a specific device.
1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it. This policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the Enable radio button.
1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
11. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to allow.
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation USBSTOR\DiskGeneric_Flash_Disk______8.07
1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
13. Click OK.
1. Click 'OK'.
14. Click Apply on the bottom right of the policys window.
1. Click 'Apply' on the bottom right of the policy's window.
15. To apply the Prevent coverage of all currently installed USB devices Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed and click OK.
1. To apply the 'Prevent' coverage of all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'.
### Testing the scenario

44
windows/client-management/client-tools/manage-settings-app-with-group-policy.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Manage the Settings app with Group Policy
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.prod: windows-client
author: vinaypamnani-msft
ms.date: 04/13/2023
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
---
# Manage the Settings app with Group Policy
You can manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users.
> [!NOTE]
> To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. Each server that you want to manage access to the Settings App must be patched.
If your organization uses the [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for Group Policy management, to manage the policies, copy the ControlPanel.admx and ControlPanel.adml file to PolicyDefinitions folder.
This policy is available for both User and Computer configurations.
- **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
- **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
![Settings page visibility policy.](images/settings-page-visibility-gp.png)
## Configuring the Group Policy
The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
> [!IMPORTANT]
> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
For example:
- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.

71
windows/client-management/mandatory-user-profile.md → windows/client-management/client-tools/mandatory-user-profile.md
View File

@ -1,46 +1,44 @@
---
title: Create mandatory user profiles (Windows 10 and Windows 11)
title: Create mandatory user profiles
description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 09/14/2021
ms.date: 04/11/2023
ms.reviewer:
manager: aaroncz
ms.topic: article
ms.collection:
- highpri
- tier2
- highpri
- tier2
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Create mandatory user profiles
**Applies to**
- Windows 10
- Windows 11
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
## Profile extension for each Windows version
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
| Client operating system version | Server operating system version | Profile extension |
| --- | --- | --- |
| Windows XP | Windows Server 2003 </br>Windows Server 2003 R2 | none |
| Windows Vista</br>Windows 7 | Windows Server 2008 </br>Windows Server 2008 R2 | v2 |
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
| Client operating system version | Server operating system version | Profile extension |
|-------------------------------------|-------------------------------------------------|-------------------|
| Windows XP | Windows Server 2003 </br>Windows Server 2003 R2 | none |
| Windows Vista</br>Windows 7 | Windows Server 2008 </br>Windows Server 2008 R2 | v2 |
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607 and later | Windows Server 2016 and Windows Server 2019 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning).
@ -50,33 +48,33 @@ First, you create a default user profile with the customizations that you want,
### How to create a default user profile
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account.
> [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
> Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
> [!NOTE]
> Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on users profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10).
1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
> [!NOTE]
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
1. At a command prompt, type the following command and press **ENTER**.
```console
```cmd
sysprep /oobe /reboot /generalize /unattend:unattend.xml
```
(Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
(Sysprep.exe is located at: `C:\Windows\System32\sysprep`. By default, Sysprep looks for `unattend.xml` in the same folder.)
> [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open `%WINDIR%\System32\Sysprep\Panther\setupact.log` and look for an entry like the following:
>
> ![Microsoft Bing Translator package error.](images/sysprep-error.png)
>
@ -88,7 +86,6 @@ First, you create a default user profile with the customizations that you want,
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
![Example of User Profiles UI.](images/copy-to.png)
1. In **Copy To**, under **Permitted to use**, click **Change**.
@ -97,7 +94,7 @@ First, you create a default user profile with the customizations that you want,
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
@ -105,8 +102,6 @@ First, you create a default user profile with the customizations that you want,
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
![Example of Copy To UI with UNC path.](images/copy-to-path.png)
1. Click **OK** to copy the default user profile.
### How to make the user profile mandatory
@ -137,7 +132,7 @@ In a domain, you modify properties for the user account to point to the mandator
1. Right-click the user name and open **Properties**.
1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.
1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`.
1. Click **OK**.
@ -145,16 +140,16 @@ It may take some time for this change to replicate to all domain controllers.
## Apply policies to improve sign-in time
When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
When a user is configured with a mandatory profile, Windows starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table.
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
| --- | --- | --- | --- | --- |
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
| Group Policy setting | Windows 10 | Windows Server 2016 |
|-----------------------------------------------------------------------------------------------------------------------------------------------|:----------:|:-------------------:|
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ✅ | ✅ |
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ✅ | ✅ |
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅ | ❌ |
> [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition.
> The Group Policy settings above can be applied in Windows Professional edition.
## Related topics

13
windows/client-management/quick-assist.md → windows/client-management/client-tools/quick-assist.md
View File

@ -1,6 +1,7 @@
---
title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users.
ms.date: 04/11/2023
ms.prod: windows-client
ms.topic: article
ms.technology: itpro-manage
@ -10,12 +11,11 @@ ms.author: vinpa
manager: aaroncz
ms.reviewer: pmadrigal
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier1
ms.date: 03/06/2023
- highpri
- tier1
---
# Use Quick Assist to help users
@ -26,9 +26,6 @@ Quick Assist is a Microsoft Store application that enables a person to share the
All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
> [!IMPORTANT]
> Quick Assist is not available in the Azure Government cloud.
### Authentication
The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.

19
windows/client-management/client-tools/toc.yml Normal file
View File

@ -0,0 +1,19 @@
items:
- name: Windows Tools/Administrative Tools
href: administrative-tools-in-windows.md
- name: Use Quick Assist to help users
href: quick-assist.md
- name: Connect to remote Azure Active Directory-joined PC
href: connect-to-remote-aadj-pc.md
- name: Create mandatory user profiles
href: mandatory-user-profile.md
- name: Manage Device Installation with Group Policy
href: manage-device-installation-with-group-policy.md
- name: Manage the Settings app with Group Policy
href: manage-settings-app-with-group-policy.md
- name: Manage default media removal policy
href: change-default-removal-policy-external-storage-media.md
- name: What version of Windows am I running
href: windows-version-search.md
- name: Windows libraries
href: windows-libraries.md

48
windows/client-management/windows-libraries.md → windows/client-management/client-tools/windows-libraries.md
View File

@ -1,26 +1,30 @@
---
ms.reviewer:
manager: aaroncz
title: Windows Libraries
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.manager: dongill
manager: aaroncz
ms.reviewer:
ms.technology: itpro-manage
ms.topic: article
author: vinaypamnani-msft
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
ms.date: 09/15/2021
ms.date: 04/11/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
---
# Windows libraries
> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
Libraries are virtual containers for users content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
## Features for Users
Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users:
- Aggregate content from multiple storage locations into a single, unified presentation.
- Enable users to stack and group library contents based on metadata.
- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu.
@ -30,6 +34,7 @@ Windows libraries are backed by full content search and rich metadata. Libraries
## Features for Administrators
Administrators can configure and control Windows libraries in the following methods:
- Create custom libraries by creating and deploying Library Description (*.library-ms) files.
- Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.)
- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User.
@ -48,6 +53,7 @@ Including a folder in a library doesn't physically move or change the storage lo
### Default Libraries and Known Folders
The default libraries include:
- Documents
- Music
- Pictures
@ -64,16 +70,17 @@ Users or administrators can hide or delete the default libraries, though the lib
Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location.
If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails.
### Indexing Requirements and “Basic” Libraries
### Indexing Requirements and "Basic" Libraries
Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality:
- No support for metadata browsing via **Arrange By** views.
- Grep-only searches.
- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**.
- No support for searching from the Start menu. Start menu searches don't return files from basic libraries.
- No previews of file snippets for search results returned in Content mode.
To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folders files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally.
To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder "Always available offline" creates a local copy of the folder's files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally.
For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations).
@ -81,20 +88,20 @@ If your environment doesn't support caching files locally, you should enable the
### Folder Redirection
While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the "My Documents" folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
### Supported storage locations
The following table shows which locations are supported in Windows libraries.
|Supported Locations|Unsupported Locations|
|---|---|
|Fixed local volumes (NTFS/FAT)|Removable drives|
|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)<br><br>Network shares that are accessible through DFS Namespaces or are part of a failover cluster|
|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed <br><br>Network Attached Storage (NAS) devices|
||Other data sources: SharePoint, Exchange, etc.|
| Supported Locations | Unsupported Locations |
|--|--|
| Fixed local volumes (NTFS/FAT) | Removable drives |
| Shares that are indexed (departmental servers*, Windows home PCs) | Removable media (such as DVDs)<br><br>Network shares that are accessible through DFS Namespaces or are part of a failover cluster |
| Shares that are available offline (redirected folders that use Offline Files) | Network shares that aren't available offline or remotely indexed <br><br>Network Attached Storage (NAS) devices |
| | Other data sources: SharePoint, Exchange, etc. |
\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics:
\* For shares that are indexed on a departmental server, Windows Search works well in a workgroup or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics:
- Expected maximum load is four concurrent query requests.
- Expected indexing corpus is a maximum of one million documents.
@ -104,6 +111,7 @@ The following table shows which locations are supported in Windows libraries.
### Library Attributes
The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms):
- Name
- Library locations
- Order of library locations
@ -111,7 +119,7 @@ The following library attributes can be modified within Windows Explorer, the Li
The library icon can be modified by the administrator or user by directly editing the Library Description schema file.
See the [Library Description Schema](/windows/win32/shell/library-schema-entry) topic on MSDN for information on creating Library Description files.
See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files.
## See also

54
windows/client-management/client-tools/windows-version-search.md Normal file
View File

@ -0,0 +1,54 @@
---
title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 04/13/2023
ms.reviewer:
manager: aaroncz
ms.topic: troubleshooting
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# What version of Windows am I running?
The [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) build of Windows doesn't contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It's important to remember that the LTSC model is primarily for specialized devices.
In the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels), you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you'll need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
## System Properties
Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information.
:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10.":::
## Using Keyword Search
You can type the following in the search bar and press **ENTER** to see version details for your device.
- **"winver"**:
:::image type="content" source="images/winver.png" alt-text="screenshot of the About Windows display text.":::
- **"msinfo"** or **"msinfo32"** to open **System Information**:
:::image type="content" source="images/msinfo32.png" alt-text="screenshot of the System Information display text.":::
> [!TIP]
> You can also use `winver` or `msinfo32` commands at the command prompt.
## Using Command Prompt or PowerShell
- At the PowerShell or Command Prompt, type `systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"` and then press **ENTER**
:::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text.":::
- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
:::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager.":::

8
windows/client-management/config-lock.md
View File

@ -8,14 +8,12 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 05/24/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
---
# Secured-core PC configuration lock
**Applies to**
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.
@ -77,7 +75,7 @@ Config lock is designed to ensure that a secured-core PC isn't unintentionally m
- Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities.
### List of locked policies
## List of locked policies
|**CSPs** |
|-----|

892
windows/client-management/device-update-management.md
View File

@ -1,6 +1,6 @@
---
title: Mobile device management MDM for device updates
description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@ -8,10 +8,13 @@ ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 11/15/2017
ms.date: 04/05/2023
ms.collection:
- highpri
- tier2
- highpri
- tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Mobile device management (MDM) for device updates
@ -19,38 +22,34 @@ ms.collection:
>[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
In particular, Windows 10 provides APIs to enable MDMs to:
In particular, Windows provides APIs to enable MDMs to:
- Ensure machines stay up to date by configuring Automatic Update policies.
- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
- Ensure machines stay up to date by configuring Automatic Update policies.
- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed).
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
This article provides independent software vendors (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).
In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed).
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the updates title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](mdm/update-csp.md) and the update policy area of the [Policy CSP](mdm/policy-configuration-service-provider.md).
> [!NOTE]
> The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
The following diagram provides a conceptual overview of how this works:
![mobile device update management.](images/mdm-update-sync.png)
:::image type="content" source="images/mdm-update-sync.png" alt-text="mobile device update management.":::
The diagram can be roughly divided into three areas:
- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
## <a href="" id="gettingupdatemetadata"></a>Getting update metadata using the Server-Server sync protocol
## Getting update metadata using the Server-Server sync protocol
The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client.
@ -60,40 +59,39 @@ This section describes this setup. The following diagram shows the server-server
MSDN provides much information about the Server-Server sync protocol. In particular:
- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
Some important highlights:
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> [!NOTE]
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
> Over time, Microsoft Update modifies metadata for a given update, for example, by updating descriptive information, fixing bugs in applicability rules, making localization changes, and so on. Each time a change occurs that doesn't affect the update itself, a new update revision is created. An UpdateID (GUID) and a RevisionNumber (int) compounds to comprise an identity key for an update revision. The MDM doesn't present an update revision to IT. Instead, for each UpdateID (GUID) the MDM keeps the metadata for the later revision of that update, which is the one with the highest revision number.
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
### Examples of update metadata XML structure and element descriptions
The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below:
- **UpdateID** The unique identifier for an update
- **RevisionNumber** Revision number for the update in case the update was modified.
- **CreationDate** the date on which this update was created.
- **UpdateType** The type of update, which could include the following:
- **Detectoid** if this update identity represents a compatibility logic
- **Category** This element could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office, and so on.
- The classification the update belongs to. For example, drivers, security, and so on.
- **Software** If the update is a software update.
- **Driver** if the update is a driver update.
- **LocalizedProperties** represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** The language code identifier (LCID). For example, en or es.
- **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.
- **KBArticleID** The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
- **UpdateID** - The unique identifier for an update
- **RevisionNumber** - Revision number for the update in case the update was modified.
- **CreationDate** - The date on which this update was created.
- **UpdateType** - The type of update, which could include the following:
- **Detectoid** - If this update identity represents a compatibility logic
- **Category** - This element could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office, and so on.
- The classification the update belongs to. For example, drivers, security, and so on.
- **Software** - If the update is a software update.
- **Driver** - If the update is a driver update.
- **LocalizedProperties** - Represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** - The language code identifier (LCID). For example, en or es.
- **Title** - Title of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)"
- **Description** - Description of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed."
- **KBArticleID** - The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol
### Recommended Flow for Using the Server-Server Sync Protocol
This section describes a possible algorithm for using the server-server sync protocol to pull in update metadata to the MDM.
@ -103,782 +101,43 @@ First some background:
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
The following procedure describes a basic algorithm for a metadata sync service:
- Initialization uses the following steps:
a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
- Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and:
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they've been brought in.
1. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
1. Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
1. Implement the metadata portion of the protocol. See **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they've been brought in.
These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed.
## <a href="" id="managingupdates"></a>Managing updates using OMA DM
## Managing updates using OMA DM
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information:
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed)
- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed).
- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs.
The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group".
2. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
1. Have a "Test Group" and an "All Group".
1. In the Test group, let all updates flow.
1. In the All Group, set the Quality Update deferral for seven days, and then, Quality Updates are auto approved after seven days. Quality Update deferrals exclude Definition Updates, so Definition Updates automatically are approved when they're available. Match the schedule for Definition Updates with the Quality Update deferral schedule by setting Update/DeferQualityUpdatesPeriodInDays to seven. Let updates flow after seven days or by pausing if any issues occur.
Updates are configured using a combination of the [Update CSP](mdm/update-csp.md), and the update portion of the [Policy CSP](mdm/policy-configuration-service-provider.md).
Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md).
### Update policies
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following information shows the Update policies in a tree format.
```console
./Vendor/MSFT
Policy
----Config
--------Update
-----------ActiveHoursEnd
-----------ActiveHoursMaxRange
-----------ActiveHoursStart
-----------AllowAutoUpdate
-----------AllowMUUpdateService
-----------AllowNonMicrosoftSignedUpdate
-----------AllowUpdateService
-----------AutoRestartNotificationSchedule
-----------AutoRestartRequiredNotificationDismissal
-----------BranchReadinessLevel
-----------DeferFeatureUpdatesPeriodInDays
-----------DeferQualityUpdatesPeriodInDays
-----------DeferUpdatePeriod
-----------DeferUpgradePeriod
-----------EngagedRestartDeadline
-----------EngagedRestartSnoozeSchedule
-----------EngagedRestartTransitionSchedule
-----------ExcludeWUDriversInQualityUpdate
-----------IgnoreMOAppDownloadLimit
-----------IgnoreMOUpdateDownloadLimit
-----------PauseDeferrals
-----------PauseFeatureUpdates
-----------PauseQualityUpdates
-----------RequireDeferUpgrade
-----------RequireUpdateApproval
-----------ScheduleImminentRestartWarning
-----------ScheduledInstallDay
-----------ScheduledInstallTime
-----------ScheduleRestartWarning
-----------SetAutoRestartNotificationDisable
-----------UpdateServiceUrl
-----------UpdateServiceUrlAlternate
```
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
Supported values are 8-18.
The default value is 18 (hours).
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
The default value is 8 (8 AM).
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
Supported operations are Get and Replace.
The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
If the policy isn't configured, end users get the default behavior (Auto install and restart).
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
The following list shows the supported values:
- 0 Not allowed or not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
<a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
Supported operations are Get and Replace.
The following list shows the supported values:
- 0 Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer.
This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update.
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
The following list shows the supported values:
- 0 Update service isn't allowed.
- 1 (default) Update service is allowed.
> [!NOTE]
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
Supported values are 15, 30, 60, 120, and 240 (minutes).
The default value is 15 (minutes).
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
The following list shows the supported values:
- 1 (default) Auto Dismissal.
- 2 User Dismissal.
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
The following list shows the supported values:
- 16 (default) User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB).
<a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
Supported values are 0-180.
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
Supported values are 0-30.
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to four weeks.
Supported values are 0-4, which refers to the number of weeks to defer updates.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
- **Update category**: OS upgrade
- **Maximum deferral**: 8 months
- **Deferral increment**: 1 month
- **Update type/notes**: Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
- **Update category**: Update
- **Maximum deferral**: 1 month
- **Deferral increment**: 1 week
- **Update type/notes**: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
- Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
- **Update category**: Other/cannot defer
- **Maximum deferral**: No deferral
- **Deferral increment**: No deferral
- **Update type/notes**: Any update category not enumerated above falls into this category.
- Definition Update - E0789628-CE08-4437-BE74-2495B842F43B
<a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to enter more upgrade delays for up to eight months.
Supported values are 0-8, which refers to the number of months to defer upgrades.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
Supported values are 2-30 days.
The default value is 0 days (not specified).
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
Supported values are 1-3 days.
The default value is three days.
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Supported values are 2-30 days.
The default value is seven days.
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
The following list shows the supported values:
- 0 (default) Allow Windows Update drivers.
- 1 Exclude Windows Update drivers.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
The following list shows the supported values:
- 0 (default) Don't ignore MO download limit for apps and their updates.
- 1 Ignore MO download limit (allow unlimited downloading) for apps and their updates.
To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
The following list shows the supported values:
- 0 (default) Don't ignore MO download limit for OS updates.
- 1 Ignore MO download limit (allow unlimited downloading) for OS updates.
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
The following list shows the supported values:
- 0 (default) Deferrals aren't paused.
- 1 Deferrals are paused.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
The following list shows the supported values:
- 0 (default) Feature Updates aren't paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
The following list shows the supported values:
- 0 (default) Quality Updates aren't paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to CBB train.
The following list shows the supported values:
- 0 (default) User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business.
<a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<br>
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved.
Supported operations are Get and Replace.
The following list shows the supported values:
- 0 Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
Supported values are 15, 30, or 60 (minutes).
The default value is 15 (minutes).
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the day of the update installation.
The data type is a string.
Supported operations are Add, Delete, Get, and Replace.
The following list shows the supported values:
- 0 (default) Every day
- 1 Sunday
- 2 Monday
- 3 Tuesday
- 4 Wednesday
- 5 Thursday
- 6 Friday
- 7 Saturday
<a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the time of the update installation.
The data type is a string.
Supported operations are Add, Delete, Get, and Replace.
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
The default value is 3.
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
Supported values are 2, 4, 8, 12, or 24 (hours).
The default value is 4 (hours).
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
The following list shows the supported values:
- 0 (default) Enabled
- 1 Disabled
<a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> [!Important]
> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet.
Supported operations are Get and Replace.
The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
Example
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
</Target>
<Data>http://abcd-srv:8530</Data>
</Item>
</Replace>
```
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](mdm/update-csp.md). The following information shows the Update CSP in tree format.
```console
./Vendor/MSFT
Update
----ApprovedUpdates
--------Approved Update Guid
------------ApprovedTime
----FailedUpdates
--------Failed Update Guid
------------HResult
------------Status
------------RevisionNumber
----InstalledUpdates
--------Installed Update Guid
------------RevisionNumber
----InstallableUpdates
--------Installable Update Guid
------------Type
------------RevisionNumber
----PendingRebootUpdates
--------Pending Reboot Update Guid
------------InstalledTime
------------RevisionNumber
----LastSuccessfulScanTime
----DeferUpgrade
----Rollback
--------QualityUpdate
--------FeatureUpdate
--------QualityUpdateStatus
--------FeatureUpdateStatus
```
<a href="" id="update"></a>**Update**
The root node.
Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
Node for update approvals and EULA acceptance for the end user.
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
Supported operations are Get and Add.
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/**<strong>*Approved Update Guid*</strong>
Specifies the update GUID.
To auto-approve a class of updates, you can specify the [Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85)) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
Supported operations are Get and Add.
Sample syncml:
```
<LocURI>./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d</LocURI>
```
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
Specifies the time the update gets approved.
Supported operations are Get and Add.
<a href="" id="failedupdates"></a>**FailedUpdates**
Specifies the approved updates that failed to install on a device.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/**<strong>*Failed Update Guid*</strong>
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
The update failure error code.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
Specifies the failed update status (for example, download, install).
Supported operation is Get.
<a href="" id="installedupdates"></a>**InstalledUpdates**
The updates that are installed on the device.
Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/**<strong>*Installed Update Guid*</strong>
UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/**<strong>*Installable Update Guid*</strong>
Update identifiers that represent the updates applicable and not installed on a device.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
The UpdateClassification value of the update. Valid values are:
- 0 - None
- 1 - Security
- 2 = Critical
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
The updates that require a reboot to complete the update session.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/**<strong>*Pending Reboot Update Guid*</strong>
Update identifiers for the pending reboot state.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
The time the update is installed.
Supported operation is Get.
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
The last successful scan time.
Supported operation is Get.
<a href="" id="deferupgrade"></a>**DeferUpgrade**
Upgrades deferred until the next period.
Supported operation is Get.
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
- Update/AllowMUUpdateService
- Update/BranchReadinessLevel
- Update/DeferFeatureUpdatePeriodInDays
- Update/DeferQualityUpdatePeriodInDays
- Update/ExcludeWUDriversInQualityUpdate
- Update/PauseFeatureUpdates
- Update/PauseQualityUpdates
Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate.
|GPO key|Type|Value|
|--- |--- |--- |
|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train<br><br>32: systems take Feature Updates on the Current Branch for Business<br><br>Other value or absent: receive all applicable updates (CB)|
|DeferQualityUpdates|REG_DWORD|1: defer quality updates<br><br>Other value or absent: dont defer quality updates|
|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates|
|PauseQualityUpdates|REG_DWORD|1: pause quality updates<br><br>Other value or absent: dont pause quality updates|
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: dont defer feature updates|
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: dont pause feature updates|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers<br><br>Other value or absent: offer Windows Update drivers|
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod
- Update/DeferUpdatePeriod
- Update/PauseDeferrals
## <a href="" id="userexperiencescreenshot"></a>Update management user experience screenshot
### Update management user experience screenshot
The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields.
![mdm update management screenshot.](images/deviceupdatescreenshot1.png)
:::image type="content" source="images/deviceupdatescreenshot1.png" alt-text="mdm update management screenshot.":::
![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png)
:::image type="content" source="images/deviceupdatescreenshot2.png" alt-text="mdm update management metadata screenshot.":::
## <a href="" id="syncmlexample"></a>SyncML example
### SyncML example
Set auto update to notify and defer.
@ -929,16 +188,21 @@ Set auto update to notify and defer.
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)
:::image type="content" source="images/deviceupdatescreenshot3.png" alt-text="mdm device update management screenshot3.":::
![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)
:::image type="content" source="images/deviceupdatescreenshot4.png" alt-text="mdm device update management screenshot4":::
![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)
:::image type="content" source="images/deviceupdatescreenshot5.png" alt-text="mdm device update management screenshot5":::
![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)
:::image type="content" source="images/deviceupdatescreenshot6.png" alt-text="mdm device update management screenshot6":::
![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)
:::image type="content" source="images/deviceupdatescreenshot7.png" alt-text="mdm device update management screenshot7":::
![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)
:::image type="content" source="images/deviceupdatescreenshot8.png" alt-text="mdm device update management screenshot8":::
![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
:::image type="content" source="images/deviceupdatescreenshot9.png" alt-text="mdm device update management screenshot9":::
## Related articles
- [Policy CSP - Update](mdm/policy-csp-update.md)
- [Policy configuration service provider](mdm/policy-configuration-service-provider.md)

62
windows/client-management/disconnecting-from-mdm-unenrollment.md
View File

@ -1,9 +1,6 @@
---
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
MS-HAID:
- 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_'
- 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@ -11,31 +8,24 @@ ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
ms.date: 04/13/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Disconnecting from the management infrastructure (unenrollment)
The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after theyve left the company or because the device is regularly failing to comply with the organizations security settings policy.
The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy.
During disconnection, the client executes the following tasks:
- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
- Removes certificates that are configured by MDM server.
- Ceases enforcement of the settings policies applied by the management infrastructure.
- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
## In this topic
- [User-initiated disconnection](#user-initiated-disconnection)
- [Server-initiated disconnection](#server-initiated-disconnection)
- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page)
- [IT adminrequested disconnection](#it-admin-requested-disconnection)
- [Unenrollment from Azure Active Directory Join](#dataloss)
- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
- Removes certificates that are configured by MDM server.
- Ceases enforcement of the settings policies applied by the management infrastructure.
- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
## User-initiated disconnection
@ -44,16 +34,15 @@ In Windows, after the user confirms the account deletion command and before the
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> [!NOTE]
> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
 
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic.
```
```xml
<SyncML xmlns=&#39;SYNCML:SYNCML1.2&#39;>
<SyncHdr>
<VerDTD>1.2</VerDTD>
@ -100,10 +89,9 @@ The following sample shows an OMA DM first package that contains a generic alert
After the previous package is sent, the unenrollment process begins.
## Server-initiated disconnection
When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1.
When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`.
```xml
<Alert>
@ -119,41 +107,29 @@ When the server initiates disconnection, all undergoing sessions for the enrollm
</Alert>
```
<a href="" id="work-access"></a>
## Unenrollment from Work Access settings page
If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device.
You can only use the Work Access page to unenroll under the following conditions:
- Enrollment was done using bulk enrollment.
- Enrollment was created using the Work Access page.
- Enrollment was done using bulk enrollment.
- Enrollment was created using the Work Access page.
<a href="" id="dataloss"></a>
## Unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenerollment.](images/azure-ad-unenrollment.png)
During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state.
During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in un-managed state.
Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation.
Before remotely un-enrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation.
In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device.
<a href="" id="it-admin-requested-disconnection"></a>
## IT adminrequested disconnection
## IT admin-requested disconnection
The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service providers Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management.
 

12
windows/client-management/docfx.json
View File

@ -43,7 +43,7 @@
"ms.technology": "itpro-manage",
"audience": "ITPro",
"ms.topic": "article",
"manager": "dansimp",
"manager": "aaroncz",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
@ -62,9 +62,15 @@
"jborsecnik",
"tiburd",
"garycentric",
"beccarobins"
"beccarobins",
"american-dipper",
"angelamotherofdragons",
"v-stsavell",
"stacyrch140"
],
"searchScope": ["Windows 10"]
"searchScope": [
"Windows 10"
]
},
"fileMetadata": {},
"template": [],

36
windows/client-management/enable-admx-backed-policies-in-mdm.md
View File

@ -10,16 +10,17 @@ ms.localizationpriority: medium
ms.date: 11/01/2017
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Enable ADMX policies in MDM
Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Starting in Windows 10, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
- Find the policy from the list ADMX policies.
- Find the Group Policy related information from the MDM policy description.
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
@ -27,21 +28,18 @@ Summary of steps to enable a policy:
See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune.
<!-- >[!TIP] -->
<!-- >Intune has added a number of ADMX administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) -->
## Enable a policy
> [!NOTE]
> See [Understanding ADMX policies in Policy CSP](understanding-admx-backed-policies.md).
1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP Friendly name
- GP name
- GP ADMX file name
- GP path
2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
1. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
1. Click **Start**, then in the text box type **gpedit**.
@ -61,7 +59,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
![Enable App-V client.](images/admx-appv-enableapp-vclient.png)
3. Create the SyncML to enable the policy that doesn't require any parameter.
1. Create the SyncML to enable the policy that doesn't require any parameter.
In this example, you configure **Enable App-V Client** to **Enabled**.
@ -89,10 +87,8 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
</SyncML>
```
## Enable a policy that requires parameters
1. Create the SyncML to enable the policy that requires parameters.
In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
@ -103,23 +99,22 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png)
2. Find the variable names of the parameters in the ADMX file.
1. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#publishingallowserver2).
![Publishing server 2 policy description.](images/admx-appv-policy-description.png)
3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx.
1. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx.
4. Search for GP name **Publishing_Server2_policy**.
1. Search for GP name **Publishing_Server2_policy**.
5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
1. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
Here's the snippet from appv.admx:
```xml
<!-- Publishing Server 2 -->
<!-- Publishing Server 2 -->
<policy name="Publishing_Server2_Policy" class="Machine" displayName="$(string.PublishingServer2)"
explainText="$(string.Publishing_Server_Help)" presentation="$(presentation.Publishing_Server2)"
key="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2">
@ -206,7 +201,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
</policy>
```
6. From the **\<elements>** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor.
1. From the **\<elements>** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor.
Here's the example XML for Publishing_Server2_Policy:
@ -223,7 +218,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
<data id="User_Refresh_Unit_Options" value="1"/>
```
7. Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.
1. Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.
Here's the example for **AppVirtualization/PublishingAllowServer2**:
@ -263,7 +258,6 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
</SyncML>
```
## Disable a policy
The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualization/PublishingAllowServer2.

316
windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -1,322 +1,146 @@
---
title: Enroll a Windows 10 device automatically using Group Policy
title: Enroll a Windows device automatically using Group Policy
description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 04/30/2022
ms.date: 04/13/2023
ms.reviewer:
manager: aaroncz
ms.collection:
- highpri
- tier2
- highpri
- tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Enroll a Windows 10 device automatically using Group Policy
# Enroll a Windows device automatically using Group Policy
**Applies to:**
- Windows 11
- Windows 10
Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
You can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
Requirements:
- Active Directory-joined PC running Windows 10, version 1709 or later
- The enterprise has configured a mobile device management (MDM) service
- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
**Requirements**:
- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
- The enterprise has configured a Mobile Device Management (MDM) service.
- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`).
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
> [!TIP]
> For more information, see the following topics:
>
> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md)
The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure ADregistered.
The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered.
> [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
In Windows 10, version 1709 or later, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices.
## Verify auto-enrollment requirements and settings
To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly.
The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses).
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
> [!IMPORTANT]
> For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
>
> For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later.
4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png)
Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png)
This information can also be found on the Azure AD device list.
![Azure AD device list.](images/azure-ad-device-list.png)
5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png)
6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal).
9. Verify that Microsoft Intune should allow enrollment of Windows devices.
:::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png":::
## Configure the auto-enrollment Group Policy for a single PC
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements:
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`.
![GPEdit desktop app search result.](images/autoenrollment-gpedit.png)
2. Under **Best match**, select **Edit group policy** to launch it.
3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
:::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png":::
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**.
:::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
> [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.
![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png)
> [!Tip]
> You can avoid this behavior by using Conditional Access Policies in Azure AD.
Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.
7. Select **Info** to see the MDM enrollment information.
![Work School Settings.](images/autoenrollment-settings-work-school.png)
If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app).
### Task Scheduler app
1. Select **Start**, then in the text box type `task scheduler`.
![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png)
2. Under **Best match**, select **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). You can see the logs in the **History** tab.
If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
> [!NOTE]
> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
## Configure the auto-enrollment for a group of devices
Requirements:
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured (with Intune or a third-party service provider)
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
To configure auto-enrollment using a group policy, use the following steps:
> [!IMPORTANT]
> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
1. Create a Security Group for the PCs.
1. Link the GPO.
1. Filter using Security Groups.
1. Download:
If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
- 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
1. Download the administrative templates for the desired version:
- 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
- [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
- [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
- [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
- [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
- [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
- [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
- 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
1. Install the package on the Domain Controller.
- 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate sub-directory depending on the installed version.
- 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
- 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
2. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder:
- 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**
- 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**
- 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
- 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)**
- 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)**
- 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
- 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
- 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)**
- 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)**
- 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)**
4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
This procedure will work for any future version as well.
## Configure the auto-enrollment Group Policy for a single PC
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise.
2. Create a Security Group for the PCs.
1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`.
3. Link the GPO.
1. Under **Best match**, select **Edit group policy** to launch it.
4. Filter using Security Groups.
1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
## Troubleshoot auto-enrollment of devices
1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device.
:::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
To collect Event Viewer logs:
> [!NOTE]
> In Windows 10, version 1903 and later, the MDM.admx file was updated to include the **Device Credential** option to select which credential is used to enroll the device. The default behavior for older releases is to revert to **User Credential**.
>
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
1. Open Event Viewer.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**.
If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.
> [!Tip]
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:
> [!TIP]
> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
:::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
## Verify enrollment
If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons:
To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.Select **Info** to see the MDM enrollment information.
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed:
:::image type="content" source="images/autoenrollment-settings-work-school.png" alt-text="Screenshot of Work School Settings.":::
:::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png":::
> [!NOTE]
> If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app) and see [Diagnose MDM enrollment](./mdm-diagnose-enrollment.md).
To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors).
## Task Scheduler app
- The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
Select **Start**, then in the text box type `task scheduler`. Under **Best match**, select **Task Scheduler** to launch it.
The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
:::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
> [!Note]
> This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. You can see the logs in the **History** tab.
This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs:
**Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
:::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
> [!NOTE]
> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
When the task is completed, a new event ID 102 is logged.
:::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment.
If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
:::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
:::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
### Related topics
## Related topics
- [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
- [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11))
- [Link a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11))
- [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
- [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
- [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- [Getting started with Cloud Native Windows Endpoints](/mem/cloud-native-windows-endpoints)
- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)

974
windows/client-management/enterprise-app-management.md
View File

File diff suppressed because it is too large Load Diff

16
windows/client-management/esim-enterprise-management.md
View File

@ -8,15 +8,21 @@ ms.author: vinpa
ms.topic: conceptual
ms.technology: itpro-manage
ms.date: 12/31/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# How Mobile Device Management Providers support eSIM Management on Windows
The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
- Onboard to Azure Active Directory
- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include:
- [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html)
- [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub)
- [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html)
- [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub)
- Assess solution type that you would like to provide your customers
- Batch/offline solution
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
@ -24,4 +30,6 @@ The eSIM Profile Management Solution places the Mobile Device Management (MDM) P
- Real-time solution
- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator.
> [!NOTE]
> End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator.

274
windows/client-management/federated-authentication-device-enrollment.md
View File

@ -8,7 +8,10 @@ ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 07/28/2017
ms.date: 04/05/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Federated authentication device enrollment
@ -17,28 +20,23 @@ This section provides an example of the mobile device enrollment protocol using
The `<AuthenticationServiceURL>` element the discovery response message specifies web authentication broker page start URL.
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## In this topic
[Discovery service](#discovery-service)
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
> [!NOTE]
> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only).
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
> The administrator of the discovery service must create a host with the address `enterpriseenrollment.<domain_name>.com`.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request.
The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address.
The following example shows a request via HTTP GET to the discovery server given `user@contoso.com` as the email address.
```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
@ -70,16 +68,16 @@ Content-Type: text/html
Content-Length: 0
```
After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server.
After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment.<domain_name>/EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.<domain_name>` enrollment server.
The following logic is applied:
1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails.
2. If that fails, the device tries HTTP to see whether it's redirected:
- If the device isn't redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect.
1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails.
1. If that fails, the device tries HTTP to see whether it's redirected:
- If the device isn't redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
The following example shows a request via an HTTP POST command to the discovery web service given `user@contoso.com` as the email address
```http
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
@ -90,64 +88,68 @@ The following example shows the discovery service request.
```xml
<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To>
</s:Header>
<s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>3</OSEdition> <!--New -->
<RequestVersion>3.0</RequestVersion> <!-- Updated -->
<DeviceType>WindowsPhone</DeviceType> <!--Updated -->
<ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies>
<AuthPolicy>OnPremise</AuthPolicy>
<AuthPolicy>Federated</AuthPolicy>
</AuthPolicies>
</request>
</Discover>
</s:Body>
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To>
</s:Header>
<s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>3</OSEdition>
<!-- New -->
<RequestVersion>3.0</RequestVersion>
<!-- Updated -->
<DeviceType>WindowsPhone</DeviceType>
<!-- Updated -->
<ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies>
<AuthPolicy>OnPremise</AuthPolicy>
<AuthPolicy>Federated</AuthPolicy>
</AuthPolicies>
</request>
</Discover>
</s:Body>
</s:Envelope>
```
The discovery response is in the XML format and includes the following fields:
- Enrollment service URL (EnrollmentServiceUrl) Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
- Authentication policy (AuthPolicy) Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> [!Note]
> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
> [!Note]
> [!NOTE]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
> - Parse the OS version from the data sent up during the discovery request.
> - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
>
> - Parse the OS version from the data sent up during the discovery request.
> - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
A new XML tag, **AuthenticationServiceUrl**, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
> [!Note]
> [!NOTE]
> The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
The following are the explicit requirements for the server.
- The `<DiscoveryResponse>``<AuthenticationServiceUrl>` element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesnt support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
- The `<DiscoveryResponse>``<AuthenticationServiceUrl>` element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
The enrollment client issues an HTTPS request as follows:
@ -196,35 +198,34 @@ The following example shows a response received from the discovery web service t
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action>
<ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse
xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult>
<AuthPolicy>Federated</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl>
<AuthenticationServiceUrl>
https://portal.manage.contoso.com/LoginRedirect.aspx
</AuthenticationServiceUrl>
</DiscoverResult>
</DiscoverResponse>
</s:Body>
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action>
<ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult>
<AuthPolicy>Federated</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl>
<AuthenticationServiceUrl>
https://portal.manage.contoso.com/LoginRedirect.aspx
</AuthenticationServiceUrl>
</DiscoverResult>
</DiscoverResponse>
</s:Body>
</s:Envelope>
```
@ -236,8 +237,8 @@ This web service implements the X.509 Certificate Enrollment Policy Protocol (MS
For Federated authentication policy, the security token credential is provided in a request message using the `<wsse:BinarySecurityToken>` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
- wsse:Security: The enrollment client implements the `<wsse:Security>` element defined in \[WSS\] section 5. The `<wsse:Security>` element must be a child of the `<s:Header>` element.
- wsse:BinarySecurityToken: The enrollment client implements the `<wsse:BinarySecurityToken>` element defined in \[WSS\] section 6.3. The `<wsse:BinarySecurityToken>` element must be included as a child of the `<wsse:Security>` element in the SOAP header.
- wsse:Security: The enrollment client implements the `<wsse:Security>` element defined in \[WSS\] section 5. The `<wsse:Security>` element must be a child of the `<s:Header>` element.
- wsse:BinarySecurityToken: The enrollment client implements the `<wsse:BinarySecurityToken>` element defined in \[WSS\] section 6.3. The `<wsse:BinarySecurityToken>` element must be included as a child of the `<wsse:Security>` element in the SOAP header.
As was described in the discovery response section, the inclusion of the `<wsse:BinarySecurityToken>` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `<AuthenticationServiceUrl>` element of `<DiscoveryResponse>` and the enterprise server.
@ -251,42 +252,39 @@ The following example is an enrollment policy request with a received security t
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client>
<lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/>
</client>
<requestFilter xsi:nil="true"/>
</GetPolicies>
</s:Body>
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client>
<lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/>
</client>
<requestFilter xsi:nil="true"/>
</GetPolicies>
</s:Body>
</s:Envelope>
```
@ -386,7 +384,7 @@ The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.
The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
> [!Note]
> [!NOTE]
> The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for federated authentication.
@ -474,15 +472,15 @@ The following example shows the enrollment web service request for federated aut
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
> [!Note]
> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate.
The provisioning XML contains:
- The requested certificates (required)
- The DM client configuration (required)
- The requested certificates (required)
- The DM client configuration (required)
The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server.
@ -558,7 +556,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<!If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<!-If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/>
@ -602,7 +600,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedule's retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>
@ -615,14 +613,14 @@ The following code shows sample provisioning XML (presented in the preceding pac
> [!NOTE]
>
> - `<Parm name>` and `<characteristic type=>` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
> - `<Parm name>` and `<characteristic type=>` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
>
> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
>
> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
>
> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
>
> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
>
> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.

40
windows/client-management/group-policies-for-enterprise-and-education-editions.md
View File

@ -1,40 +0,0 @@
---
title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/14/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: troubleshooting
ms.technology: itpro-manage
---
# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
**Applies to**
- Windows 10
- Windows 11
In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.
| Policy name | Policy path | Comments |
| --- | --- | --- |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. </br></br>**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |

BIN
windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/client-management/images/azure-ad-device-list.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 83 KiB

BIN
windows/client-management/images/implement-server-side-mobile-application-management.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 64 KiB

After

Width:  |  Height:  |  Size: 20 KiB

36
windows/client-management/implement-server-side-mobile-application-management.md
View File

@ -6,15 +6,19 @@ ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 08/03/2022
ms.date: 04/05/2023
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Support for mobile application management on Windows
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
## Integration with Azure AD
@ -22,7 +26,7 @@ MAM on Windows is integrated with Azure Active Directory (Azure AD) identity ser
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
Regular non-admin users can enroll to MAM.
@ -34,15 +38,15 @@ To make applications WIP-aware, app developers need to include the following dat
``` syntax
// Mark this binary as Allowed for WIP (EDP) purpose
MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID
BEGIN
0x0001
END
MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID
BEGIN
0x0001
END
```
## Configuring an Azure AD tenant for MAM enrollment
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.
:::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png":::
@ -83,12 +87,12 @@ MAM on Windows supports the following configuration service providers (CSPs). Al
- [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
- [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support.
- [DevInfo CSP](mdm/devinfo-csp.md).
- [DMAcc CSP](mdm/dmacc-csp.md).
- [DMClient CSP](mdm/dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
- [EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md) has Windows Information Protection policies.
- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support.
- [PassportForWork CSP](mdm/passportforwork-csp.md) for Windows Hello for Business PIN management.
- [Policy CSP](mdm/policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
- [Reporting CSP](mdm/reporting-csp.md) for retrieving Windows Information Protection logs.
@ -127,13 +131,3 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f
- EDP CSP RevokeOnMDMHandoff is set to false.
If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected.
## Skype for Business compliance with MAM
We've updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature.
|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products|
|--- |--- |--- |--- |
|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365<br>Project Desktop Client<br>Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)|
|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise|
|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017||

11
windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge doesn't use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.

11
windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.

11
windows/client-management/includes/allow-adobe-flash-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.

11
windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.

11
windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.

11
windows/client-management/includes/allow-developer-tools-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.

11
windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and more diagnostic data, such as usage data.

11
windows/client-management/includes/allow-extensions-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.

11
windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. To use fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge.

11
windows/client-management/includes/allow-inprivate-browsing-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.

11
windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.

11
windows/client-management/includes/allow-prelaunch-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.

11
windows/client-management/includes/allow-printing-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content.

11
windows/client-management/includes/allow-saving-history-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy doesn't stop roaming of existing browsing history or browsing history from other devices.

15
windows/client-management/includes/allow-search-engine-customization-shortdesc.md
View File

@ -1,15 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can execute the following tasks in Settings:
- Add new search engines
- Change the default search engine
With this policy, you can prevent users from customizing the search engine in the Microsoft Edge browser.

11
windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but doesn't prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).

11
windows/client-management/includes/allow-tab-preloading-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign-in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.

11
windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 11/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it.

11
windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.

11
windows/client-management/includes/always-show-books-library-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the devices country or region.

17
windows/client-management/includes/configure-additional-search-engines-shortdesc.md
View File

@ -1,17 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
The Set default search engine policy enables the users to:
- Set a default search engine
- Configure up to five more search engines, and set any one of them as the default
If you previously enabled this policy and now want to disable it, doing so results in deletion of all the configured search engines

11
windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.

11
windows/client-management/includes/configure-autofill-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.

11
windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge doesn't send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.

11
windows/client-management/includes/configure-cookies-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.

11
windows/client-management/includes/configure-do-not-track-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge doesn't send Do Not Track requests to websites that ask for tracking information. However, users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.

11
windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.

11
windows/client-management/includes/configure-favorites-bar-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages.

11
windows/client-management/includes/configure-home-button-shortdesc.md
View File

@ -1,11 +0,0 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.

Some files were not shown because too many files have changed in this diff Show More