deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into Connectioendpoints-21H2

Browse Source
This commit is contained in:
Gary Moore 2021-11-16 15:42:25 -08:00 committed by GitHub
commit 45e4e639cb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 982 additions and 2159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
windows/client-management/mdm/get-seats.md
View File

@ -1,6 +1,6 @@
---
title: Get seats
description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business.
description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business.
ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
ms.reviewer:
manager: dansimp
@ -18,118 +18,34 @@ The **Get seats** operation retrieves the information about active seats in the
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GET</p></td>
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&amp;maxResults={MaxResults}</p></td>
</tr>
</tbody>
</table>
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&amp;maxResults={MaxResults}
```
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>continuationToken</p></td>
<td><p>string</p></td>
<td><p>Optional.</p></td>
</tr>
<tr class="even">
<td><p>maxResults</p></td>
<td><p>int32</p></td>
<td><p>Optional. Default = 25, Maximum = 100</p></td>
</tr>
</tbody>
</table>
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|continuationToken|string|Optional.|
|maxResults|int32|Optional. Default = 25, Maximum = 100|
 
## Response
### Response body
The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>400</p></td>
<td><p>Invalid parameters</p></td>
<td><p>No</p></td>
<td><p>Parameter name</p>
<p>Reason: Missing parameter or invalid parameter</p>
<p>Details: String</p></td>
</tr>
<tr class="even">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td></td>
</tr>
<tr class="odd">
<td><p>409</p></td>
<td><p>Conflict</p></td>
<td></td>
<td><p>Reason: Not online</p></td>
</tr>
</tbody>
</table>
 
 
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br> Reason: Missing parameter or invalid parameter <br> Details: String|
|404|Not found|||
|409|Conflict||Reason: Not online|

1313
windows/client-management/mdm/healthattestation-csp.md
View File

File diff suppressed because it is too large Load Diff

66
windows/client-management/mdm/hotspot-csp.md
View File

@ -17,13 +17,10 @@ ms.date: 06/26/2017
The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers.
> **Note**  HotSpot CSP is only supported in Windows 10 Mobile.
> [!Note]
> HotSpot CSP is only supported in Windows 10 Mobile.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
@ -62,8 +59,8 @@ By default, any available connection will be used as a public connection. Howeve
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
> **Note**   The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
> [!Note]
> The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
@ -77,9 +74,8 @@ If a CDMA mobile operator requires using a Tethering NAI during Internet sharing
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
> **Note**   The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
> [!Note]
> The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
@ -109,8 +105,8 @@ Optional. Reference to a localized string, provided by the mobile operator, that
Where `<path_to_res_dll>` is the path to the resource dll that contains the string and `<str_id>` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](/windows/win32/intl/using-registry-string-redirection) on MSDN.
> **Note**  MOAppLink is required to use the MOHelpMessage setting.
> [!Note]
> MOAppLink is required to use the MOHelpMessage setting.
<a href="" id="entitlementrequired"></a>**EntitlementRequired**
@ -137,14 +133,14 @@ Optional. The time-out value, in minutes, after which Internet sharing is automa
Changes to this node require a reboot.
<a href="" id="minwifikeylength"></a>**MinWifiKeyLength**
> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
> [!Important]
> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
<a href="" id="minwifissidlength"></a>**MinWifiSSIDLength**
> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
> [!Important]
> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
## Additional requirements for CDMA networks
@ -169,7 +165,8 @@ For CDMA networks that use a separate Network Access Identity (NAI) for Internet
</wap-provisioningdoc>
```
> **Note**  CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
> [!Note]
> CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
@ -186,34 +183,11 @@ The DLL must be code signed in a specific way, see [Sign binaries and packages](
During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>ENTITLEMENT_SUCCESS</strong></p></td>
<td><p>The device is allowed to connect to the server.</p></td>
</tr>
<tr class="even">
<td><p><strong>ENTITLEMENT_FAILED</strong></p></td>
<td><p>The device is not allowed to connect to the server</p></td>
</tr>
<tr class="odd">
<td><p><strong>ENTITLEMENT_UNAVAILABLE</strong></p></td>
<td><p>The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.</p></td>
</tr>
</tbody>
</table>
|Value|Description|
|--- |--- |
|**ENTITLEMENT_SUCCESS**|The device is allowed to connect to the server.|
|**ENTITLEMENT_FAILED**|The device is not allowed to connect to the server|
|**ENTITLEMENT_UNAVAILABLE**|The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.|
The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit.

50
windows/client-management/mdm/implement-server-side-mobile-application-management.md
View File

@ -18,11 +18,11 @@ The Windows version of mobile application management (MAM) is a lightweight solu
## Integration with Azure AD
MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). 
MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). 
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users personal devices will be enrolled to MAM or MDM, depending on the users actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a users personal devices will be enrolled to MAM or MDM, depending on the users actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
Regular non-admin users can enroll to MAM. 
@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. 
![Mobile application management app.](images/implement-server-side-mobile-application-management.png)
:::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png":::
MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured. 
@ -129,40 +129,8 @@ If the MAM device is properly configured for MDM enrollment, then the Enroll onl
We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature.
<table>
<colgroup>
<col width="15%" />
<col width="35%" />
<col width="15%" />
<col width="35%" />
</colgroup>
<thead>
<tr class="header">
<th>Update channel</th>
<th>Primary purpose</th>
<th>LOB Tattoo availability</th>
<th>Default update channel for the products</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="/deployoffice/overview-update-channels#BKMK_CB" data-raw-source="[Current channel](/deployoffice/overview-update-channels#BKMK_CB)">Current channel</a></td>
<td>Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. </td>
<td>March 9 2017</td>
<td><p>Visio Pro for Office 365</p>
<p>Project Desktop Client</p>
<p>Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)</p></td>
</tr>
<tr>
<td><a href="/deployoffice/overview-update-channels#BKMK_CBB" data-raw-source="[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)">Deferred channel</a></td>
<td>Provide users with new features of Office only a few times a year.</td>
<td>October 10 2017</td>
<td>Microsoft 365 Apps for enterprise</td>
</tr><tr>
<td><a href="/deployoffice/overview-update-channels#BKMK_FRCBB" data-raw-source="[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)">First release for Deferred channel</a></td>
<td>Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. </td>
<td>June 13 2017</td>
<td></td>
</tr>
</tbody>
</table>
|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products|
|--- |--- |--- |--- |
|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365<br>Project Desktop Client<br>Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)|
|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise|
|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017||

30
windows/client-management/mdm/management-tool-for-windows-store-for-business.md
View File

@ -34,26 +34,12 @@ For additional information about Store for Business, see the TechNet topics in [
The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p>Application data</p></td>
<td><p>The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.</p></td>
</tr>
<tr class="even">
<td><p>Licensing models</p></td>
<td><p><strong>Offline vs. Online</strong></p>
<p>Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.</p>
<p>Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.</p></td>
</tr>
</tbody>
</table>
- **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
- **Licensing models**:
- **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
- **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
### Offline-licensed application distribution
@ -89,13 +75,11 @@ MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The
Here are the details for requesting an authorization token:
- Login Authority = https:<span></span>//login.windows.net/\<TargetTenantId\>
- Resource/audience\* = https:<span></span>//onestore.microsoft.com
- Login Authority = `https://login.windows.net/<TargetTenantId>`
- Resource/audience = `https://onestore.microsoft.com`: The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page.
- ClientId = your AAD application client id
- ClientSecret = your AAD application client secret/key
\* The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page.
## Using the management tool
After registering your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns:

210
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -110,75 +110,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
</s:envelope>
```
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>Namespace</th>
<th>Subcode</th>
<th>Error</th>
<th>Description</th>
<th>HRESULT</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>s:</p></td>
<td><p>MessageFormat</p></td>
<td><p>MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</p></td>
<td><p>Invalid message from the Mobile Device Management (MDM) server.</p></td>
<td><p>80180001</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>Authentication</p></td>
<td><p>MENROLL_E_DEVICE_AUTHENTICATION_ERROR</p></td>
<td><p>The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.</p></td>
<td><p>80180002</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>Authorization</p></td>
<td><p>MENROLL_E_DEVICE_AUTHORIZATION_ERROR</p></td>
<td><p>The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.</p></td>
<td><p>80180003</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>CertificateRequest</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR</p></td>
<td><p>The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.</p></td>
<td><p>80180004</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>EnrollmentServer</p></td>
<td><p>MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</p></td>
<td>The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.</td>
<td><p>80180005</p></td>
</tr>
<tr class="even">
<td><p>a:</p></td>
<td><p>InternalServiceFault</p></td>
<td><p>MENROLL_E_DEVICE_INTERNALSERVICE_ERROR</p></td>
<td><p> There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.</p></td>
<td><p>80180006</p></td>
</tr>
<tr class="odd">
<td><p>a:</p></td>
<td><p>InvalidSecurity</p></td>
<td><p>MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</p></td>
<td><p>The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.</p></td>
<td><p>80180007</p></td>
</tr>
</tbody>
</table>
**Sample error messages**
- **Namespace**: `s:`
- **Subcode**: MessageFormat
- **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
- **Description**: Invalid message from the Mobile Device Management (MDM) server.
- **HRESULT**: 80180001
- **Namespace**: `s:`
- **Subcode**: Authentication
- **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR
- **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.
- **HRESULT**: 80180002
- **Namespace**: `s:`
- **Subcode**: Authorization
- **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR
- **Description**: The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.
- **HRESULT**: 80180003
- **Namespace**: `s:`
- **Subcode**: CertificateRequest
- **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR
- **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.
- **HRESULT**: 80180004
- **Namespace**: `s:`
- **Subcode**: EnrollmentServer
- **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
- **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.
- **HRESULT**: 80180005
- **Namespace**: `a:`
- **Subcode**: InternalServiceFault
- **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
- **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.
- **HRESULT**: 80180006
- **Namespace**: `a:`
- **Subcode**: InvalidSecurity
- **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
- **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.
- **HRESULT**: 80180007
In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
@ -212,66 +186,42 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
</s:envelope>
```
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Subcode</th>
<th>Error</th>
<th>Description</th>
<th>HRESULT</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>DeviceCapReached</p></td>
<td><p>MENROLL_E_DEVICECAPREACHED</p></td>
<td><p>The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.</p></td>
<td><p>80180013</p></td>
</tr>
<tr class="even">
<td><p>DeviceNotSupported</p></td>
<td><p>MENROLL_E_DEVICENOTSUPPORTED</p></td>
<td><p>The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.</p></td>
<td><p>80180014</p></td>
</tr>
<tr class="odd">
<td><p>NotSupported</p></td>
<td><p>MENROLL_E_NOT_SUPPORTED</p></td>
<td><p>Mobile Device Management (MDM) is generally not supported for this device.</p></td>
<td><p>80180015</p></td>
</tr>
<tr class="even">
<td><p>NotEligibleToRenew</p></td>
<td><p>MENROLL_E_NOTELIGIBLETORENEW</p></td>
<td><p>The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.</p></td>
<td><p>80180016</p></td>
</tr>
<tr class="odd">
<td><p>InMaintenance</p></td>
<td><p>MENROLL_E_INMAINTENANCE</p></td>
<td><p>The Mobile Device Management (MDM) server states your account is in maintenance, try again later.</p></td>
<td><p>80180017</p></td>
</tr>
<tr class="even">
<td><p>UserLicense</p></td>
<td><p>MENROLL_E_USER_LICENSE</p></td>
<td><p>There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.</p></td>
<td><p>80180018</p></td>
</tr>
<tr class="odd">
<td><p>InvalidEnrollmentData</p></td>
<td><p>MENROLL_E_ENROLLMENTDATAINVALID</p></td>
<td><p>The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>80180019</p></td>
</tr>
</tbody>
</table>
**Sample error messages**
- **Subcode**: DeviceCapReached
- **Error**: MENROLL_E_DEVICECAPREACHED
- **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.
- **HRESULT**: 80180013
- **Subcode**: DeviceNotSupported
- **Error**: MENROLL_E_DEVICENOTSUPPORTED
- **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.
- **HRESULT**: 80180014
- **Subcode**: NotSupported
- **Error**: MENROLL_E_NOT_SUPPORTED
- **Description**: Mobile Device Management (MDM) is generally not supported for this device.
- **HRESULT**: 80180015
- **Subcode**: NotEligibleToRenew
- **Error**: MENROLL_E_NOTELIGIBLETORENEW
- **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
- **HRESULT**: 80180016
- **Subcode**: InMaintenance
- **Error**: MENROLL_E_INMAINTENANCE
- **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
- **HRESULT**: 80180017
- **Subcode**: UserLicense
- **Error**: MENROLL_E_USER_LICENSE
- **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
- **HRESULT**: 80180018
- **Subcode**: InvalidEnrollmentData
- **Error**: MENROLL_E_ENROLLMENTDATAINVALID
- **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
- **HRESULT**: 80180019
TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
@ -280,4 +230,4 @@ TraceID is a freeform text node which is logged. It should identify the server s
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)

55
windows/client-management/mdm/nap-csp.md
View File

@ -14,17 +14,16 @@ ms.date: 06/26/2017
# NAP CSP
The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections.
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
> [!Note]
> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
For the NAP CSP, you cannot use the Replace command unless the node already exists.
The following shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
```
```console
./Vendor/MSFT
NAP
----*
@ -61,6 +60,7 @@ NAP
----------------Secure
----------------SecureLevel
```
<a href="" id="--vendor-msft-nap"></a>**./Vendor/MSFT/NAP**
Root node.
@ -87,34 +87,11 @@ Required. Specifies the type of address used to identify the destination network
The following table shows some commonly used ADDRTYPE values and the types of connection that corresponds with each value.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>ADDRTYPE Value</th>
<th>Connection Type</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>E164</p></td>
<td><p>RAS connections</p></td>
</tr>
<tr class="even">
<td><p>APN</p></td>
<td><p>GPRS connections</p></td>
</tr>
<tr class="odd">
<td><p>ALPHA</p></td>
<td><p>Wi-Fi-based connections</p></td>
</tr>
</tbody>
</table>
 
|ADDRTYPE Value|Connection Type|
|--- |--- |
|E164|RAS connections|
|APN|GPRS connections|
|ALPHA|Wi-Fi-based connections|
<a href="" id="napx-authinfo"></a>***NAPX*/AuthInfo**
Optional node. Specifies the authentication information, including the protocol, user name, and password.
@ -136,17 +113,7 @@ Node.
<a href="" id="napx-bearer-bearertype"></a>***NAPX*/Bearer/BearerType**
Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi.
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

68
windows/client-management/mdm/napdef-csp.md
View File

@ -14,16 +14,12 @@ ms.date: 06/26/2017
# NAPDEF CSP
The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
> **Note**  You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
> [!Note]
> You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
@ -77,9 +73,8 @@ Specifies the protocol used to authenticate the user.
The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note
> **Note**  **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change.
> [!Note]
> **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change.
<a href="" id="bearer"></a>**BEARER**
Specifies the type of bearer.
@ -124,54 +119,15 @@ The name of the *NAPID* element is the same as the value passed during initial b
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Parm-query</p></td>
<td><p>Yes</p>
<p>Note that some GPRS parameters will not necessarily contain the exact same value as was set.</p></td>
</tr>
<tr class="even">
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
## Related topics
|Elements|Available|
|--- |--- |
|Parm-query|Yes <br>Note that some GPRS parameters will not necessarily contain the exact same value as was set.|
|Noparm|Yes|
|Nocharacteristic|Yes|
|Characteristic-query|Yes|
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

164
windows/client-management/mdm/office-csp.md
View File

@ -18,10 +18,11 @@ The Office configuration service provider (CSP) enables a Microsoft Office clien
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).
For more information, see [Office DDF](office-ddf.md).
The following shows the Office configuration service provider in tree format.
```
```console
./Vendor/MSFT
Office
----Installation
@ -46,6 +47,7 @@ Office
------------Install
------------Status
```
<a href="" id="office"></a>**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
The root node for the Office configuration service provider.</p>
@ -78,7 +80,7 @@ Behavior:
- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it.
- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:
- When status = 0: 70 (succeeded)
- When status != 0: 60 (failed)
- When status!= 0: 60 (failed)
<a href="" id="currentstatus"></a>**Installation/CurrentStatus**
Returns an XML of current Office 365 installation status on the device.
@ -151,140 +153,22 @@ To get the current status of Office 365 on the device.
## Status code
<table>
<colgroup>
<col width="30%" />
<col width="50%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>Status</th>
<th>Description</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>Installation succeeded</td>
<td>OK</td>
</tr>
<tr>
<td>997</td>
<td>Installation in progress</td>
<td></td>
</tr>
<tr>
<td>13</td>
<td>ERROR_INVALID_DATA
<p>Cannot verify signature of the downloaded Office Deployment Tool (ODT)<p></td>
<td>Failure</td>
</tr>
<tr>
<td>1460</td>
<td>ERROR_TIMEOUT
<p>Failed to download ODT</p></td>
<td>Failure</td>
</tr>
<tr>
<td>1602 </td>
<td>ERROR_INSTALL_USEREXIT
<p>User cancelled the installation </p></td>
<td>Failure</td>
</tr>
<tr>
<td>1603</td>
<td>ERROR_INSTALL_FAILURE
<p>Failed any pre-req check.</p>
<ul>
<li>SxS (Tried to install when 2016 MSI is installed)</li>
<li>Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)</li>
</ul>
</td>
<td>Failure</td>
</tr>
<tr>
<td>17000</td>
<td>ERROR_PROCESSPOOL_INITIALIZATION
<p>Failed to start C2RClient </p></td>
<td>Failure</td>
</tr>
<tr>
<td>17001</td>
<td>ERROR_QUEUE_SCENARIO
<p>Failed to queue installation scenario in C2RClient</p></td>
<td>Failure</td>
</tr>
<tr>
<td>17002</td>
<td>ERROR_COMPLETING_SCENARIO
<p>Failed to complete the process. Possible reasons:</p>
<ul>
<li>Installation cancelled by user</li>
<li>Installation cancelled by another installation</li>
<li>Out of disk space during installation </li>
<li>Unknown language ID</li>
</ul></td>
<td>Failure</td>
</tr>
<tr>
<td>17003</td>
<td>ERROR_ANOTHER_RUNNING_SCENARIO
<p>Another scenario is running</p></td>
<td>Failure</td>
</tr>
<tr>
<td>17004</td>
<td>ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
<p>Possible reasons:</p>
<ul>
<li>Unknown SKUs</li>
<li>Content does't exist on CDN
<ul><li>such as trying to install an unsupported LAP, like zh-sg</li>
<li>CDN issue that content is not available</li></ul>
</li>
<li>Signature check issue, such as failed the signature check for Office content</li>
<li>User cancelled
</ul>
</td>
<td>Failure</td>
</tr>
<tr>
<td>17005</td>
<td>ERROR_SCENARIO_CANCELLED_AS_PLANNED</td>
<td>Failure</td>
</tr>
<tr>
<td>17006</td>
<td>ERROR_SCENARIO_CANCELLED
<p>Blocked update by running apps</p></td>
<td>Failure</td>
</tr>
<tr>
<td>17007</td>
<td>ERROR_REMOVE_INSTALLATION_NEEDED
<p>The client is requesting client clean up in a "Remove Installation" scenario</p></td>
<td>Failure</td>
</tr>
<tr>
<td>17100</td>
<td>ERROR_HANDLING_COMMAND_LINE
<p>C2RClient command line error </p></td>
<td>Failure</td>
</tr>
<tr>
<td>0x80004005</td>
<td>E_FAIL
<p>ODT cannot be used to install Volume license</p></td>
<td>Failure</td>
</tr>
<tr>
<td>0x8000ffff </td>
<td>E_UNEXPECTED
<p>Tried to uninstall when there is no C2R Office on the machine.</p></td>
<td>Failure</td>
</tr>
</tbody>
</table>
|Status|Description|Comment|
|--- |--- |--- |
|0|Installation succeeded|OK|
|997|Installation in progress||
|13|ERROR_INVALID_DATA <br>Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure|
|1460|ERROR_TIMEOUT <br>Failed to download ODT|Failure|
|1602|ERROR_INSTALL_USEREXIT <br>User canceled the installation|Failure|
|1603|ERROR_INSTALL_FAILURE<br>Failed any pre-req check.<li>SxS (Tried to install when 2016 MSI is installed)<li>Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
|17000|ERROR_PROCESSPOOL_INITIALIZATION <br/>Failed to start C2RClient|Failure|
|17001|ERROR_QUEUE_SCENARIO <br/>Failed to queue installation scenario in C2RClient|Failure|
|17002|ERROR_COMPLETING_SCENARIO <br>Failed to complete the process. Possible reasons:<li>Installation canceled by user<li>Installation canceled by another installation<li>Out of disk space during installation <li>Unknown language ID|Failure|
|17003|ERROR_ANOTHER_RUNNING_SCENARIO <br>Another scenario is running|Failure|
|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP<br>Possible reasons:<li>Unknown SKUs<li>Content does't exist on CDN<ul><li>Such as trying to install an unsupported LAP, like zh-sg<li>CDN issue that content is not available</li></ul><li>Signature check issue, such as failed the signature check for Office content<li>User canceled|Failure|
|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure|
|17006|ERROR_SCENARIO_CANCELLED<br>Blocked update by running apps|Failure|
|17007|ERROR_REMOVE_INSTALLATION_NEEDED<br>The client is requesting client clean-up in a "Remove Installation" scenario|Failure|
|17100|ERROR_HANDLING_COMMAND_LINE<br>C2RClient command-line error|Failure|
|0x80004005|E_FAIL <br>ODT cannot be used to install Volume license|Failure|
|0x8000ffff|E_UNEXPECTED<br>Tried to uninstall when there is no C2R Office on the machine.|Failure|

380
windows/client-management/mdm/oma-dm-protocol-support.md
View File

@ -17,131 +17,21 @@ ms.date: 06/26/2017
The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf).
## In this topic
- [OMA DM standards](#oma-dm-standards)
- [OMA DM protocol common elements](#protocol-common-elements)
- [Device management session](#device-management-session)
- [User targeted vs. Device targeted configuration](#user-targeted-vs-device-targeted-configuration)
- [SyncML response codes](#syncml-response-codes)
## OMA DM standards
The following table shows the OMA DM standards that Windows uses.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>General area</th>
<th>OMA DM standard that is supported</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Data transport and session</p></td>
<td><ul>
<li><p>Client-initiated remote HTTPS DM session over SSL.</p></li>
<li><p>Remote HTTPS DM session over SSL.</p></li>
<li><p>Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.</p></li>
<li><p>Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.</p></li>
</ul></td>
</tr>
<tr class="even">
<td><p>Bootstrap XML</p></td>
<td><ul>
<li><p>OMA Client Provisioning XML.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>DM protocol commands</p></td>
<td><p>The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see &quot;SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)&quot; available from the <a href="https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/" data-raw-source="[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)">OMA website</a>.</p>
<ul>
<li><p>Add (Implicit Add supported)</p></li>
<li><p>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.</p></li>
<li><p>Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.</p></li>
<li><p>Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists</p></li>
<li><p>Exec: Invokes an executable on the client device</p></li>
<li><p>Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format</p></li>
<li><p>Replace: Overwrites data on the client device</p></li>
<li><p>Result: Returns the data results of a Get command to the DM server</p></li>
<li><p>Sequence: Specifies the order in which a group of commands must be processed</p></li>
<li><p>Status: Indicates the completion status (success or failure) of an operation</p></li>
</ul>
<p>If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:</p>
<ul>
<li><p>SyncBody</p></li>
<li><p>Atomic</p></li>
<li><p>Sequence</p></li>
</ul>
<p>If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.</p>
<p>If Atomic elements are nested, the following status codes are returned:</p>
<ul>
<li><p>The nested Atomic command returns 500.</p></li>
<li><p>The parent Atomic command returns 507.</p></li>
</ul>
<p>For more information about the Atomic command, see OMA DM protocol common elements.</p>
<p>Performing an Add command followed by Replace on the same node within an Atomic element is not supported.</p>
<p>LocURI cannot start with &quot;/&quot;.</p>
<p>Meta XML tag in SyncHdr is ignored by the device.</p></td>
</tr>
<tr class="even">
<td><p>OMA DM standard objects</p></td>
<td><ul>
<li><p>DevInfo</p></li>
<li><p>DevDetail</p></li>
<li><p>OMA DM DMS account objects (OMA DM version 1.2)</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>Security</p></td>
<td><ul>
<li><p>Authenticate DM server initiation notification SMS message (not used by enterprise management)</p></li>
<li><p>Application layer Basic and MD5 client authentication</p></li>
<li><p>Authenticate server with MD5 credential at application level</p></li>
<li><p>Data integrity and authentication with HMAC at application level</p></li>
<li><p>SSL level certificate based client/server authentication, encryption, and data integrity check</p></li>
</ul></td>
</tr>
<tr class="even">
<td><p>Nodes</p></td>
<td><p>In the OMA DM tree, the following rules apply for the node name:</p>
<ul>
<li><p>&quot;.&quot; can be part of the node name.</p></li>
<li><p>The node name cannot be empty.</p></li>
<li><p>The node name cannot be only the asterisk (*) character.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>Provisioning Files</p></td>
<td><p>Provisioning XML must be well formed and follow the definition in <a href="https://go.microsoft.com/fwlink/p/?LinkId=526905" data-raw-source="[SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905)">SyncML Representation Protocol</a> specification.</p>
<p>If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.</p>
<div class="alert">
<strong>Note</strong><br/><p>To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.</p>
</div>
<div>
</div></td>
</tr>
<tr class="even">
<td><p>WBXML support</p></td>
<td><p>Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the <a href="https://go.microsoft.com/fwlink/p/?LinkId=526905" data-raw-source="[SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905)">SyncML Representation Protocol</a> specification.</p></td>
</tr>
<tr class="odd">
<td><p>Handling of large objects</p></td>
<td><p>In Windows 10, version 1511, client support for uploading large objects to the server was added.</p></td>
</tr>
</tbody>
</table>
|General area|OMA DM standard that is supported|
|--- |--- |
|Data transport and session|<li>Client-initiated remote HTTPS DM session over SSL.<li>Remote HTTPS DM session over SSL.<li>Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.<li>Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
|Bootstrap XML|OMA Client Provisioning XML.|
|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.<br/><li>Add (Implicit Add supported)<li>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.<li>Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.<li>Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists<li>Exec: Invokes an executable on the client device<li>Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format<li>Replace: Overwrites data on the client device<li>Result: Returns the data results of a Get command to the DM server<li>Sequence: Specifies the order in which a group of commands must be processed<li>Status: Indicates the completion status (success or failure) of an operation<br/><br/>If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:<br/><li>SyncBody<li>Atomic<li>Sequence<br><br/>If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.<br/><br/>If Atomic elements are nested, the following status codes are returned:<br/><li>The nested Atomic command returns 500.<li>The parent Atomic command returns 507.<br/><br/>For more information about the Atomic command, see OMA DM protocol common elements.<br>Performing an Add command followed by Replace on the same node within an Atomic element is not supported.<br><br/>LocURI cannot start with `/`.<br/><br/>Meta XML tag in SyncHdr is ignored by the device.|
|OMA DM standard objects|DevInfo<li>DevDetail<li>OMA DM DMS account objects (OMA DM version 1.2)|
|Security|<li>Authenticate DM server initiation notification SMS message (not used by enterprise management)<li>Application layer Basic and MD5 client authentication<li>Authenticate server with MD5 credential at application level<li>Data integrity and authentication with HMAC at application level<li>SSL level certificate-based client/server authentication, encryption, and data integrity check|
|Nodes|In the OMA DM tree, the following rules apply for the node name:<br/><li>"." can be part of the node name.<li>The node name cannot be empty.<li>The node name cannot be only the asterisk (*) character.|
|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).<br/><br/>If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.<div class="alert">**Note**<br>To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.</div>|
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
<a href="" id="protocol-common-elements"></a>
@ -149,99 +39,26 @@ The following table shows the OMA DM standards that Windows uses.
Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Chal</p></td>
<td><p>Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.</p></td>
</tr>
<tr class="even">
<td><p>Cmd</p></td>
<td><p>Specifies the name of an OMA DM command referenced in a Status element.</p></td>
</tr>
<tr class="odd">
<td><p>CmdID</p></td>
<td><p>Specifies the unique identifier for an OMA DM command.</p></td>
</tr>
<tr class="even">
<td><p>CmdRef</p></td>
<td><p>Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.</p></td>
</tr>
<tr class="odd">
<td><p>Cred</p></td>
<td><p>Specifies the authentication credential for the originator of the message.</p></td>
</tr>
<tr class="even">
<td><p>Final</p></td>
<td><p>Indicates that the current message is the last message in the package.</p></td>
</tr>
<tr class="odd">
<td><p>LocName</p></td>
<td><p>Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.</p></td>
</tr>
<tr class="even">
<td><p>LocURI</p></td>
<td><p>Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.</p></td>
</tr>
<tr class="odd">
<td><p>MsgID</p></td>
<td><p>Specifies a unique identifier for an OMA DM session message.</p></td>
</tr>
<tr class="even">
<td><p>MsgRef</p></td>
<td><p>Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.</p></td>
</tr>
<tr class="odd">
<td><p>RespURI</p></td>
<td><p>Specifies the URI that the recipient must use when sending a response to this message.</p></td>
</tr>
<tr class="even">
<td><p>SessionID</p></td>
<td><p>Specifies the identifier of the OMA DM session associated with the containing message.</p>
<div class="alert">
<strong>Note</strong> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
</div>
<div>
</div></td>
</tr>
<tr class="odd">
<td><p>Source</p></td>
<td><p>Specifies the message source address.</p></td>
</tr>
<tr class="even">
<td><p>SourceRef</p></td>
<td><p>Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.</p></td>
</tr>
<tr class="odd">
<td><p>Target</p></td>
<td><p>Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.</p></td>
</tr>
<tr class="even">
<td><p>TargetRef</p></td>
<td><p>Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.</p></td>
</tr>
<tr class="odd">
<td><p>VerDTD</p></td>
<td><p>Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.</p></td>
</tr>
<tr class="even">
<td><p>VerProto</p></td>
<td><p>Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.</p></td>
</tr>
</tbody>
</table>
|Element|Description|
|--- |--- |
|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.|
|Cmd|Specifies the name of an OMA DM command referenced in a Status element.|
|CmdID|Specifies the unique identifier for an OMA DM command.|
|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.|
|Cred|Specifies the authentication credential for the originator of the message.|
|Final|Indicates that the current message is the last message in the package.|
|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.|
|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.|
|MsgID|Specifies a unique identifier for an OMA DM session message.|
|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.|
|RespURI|Specifies the URI that the recipient must use when sending a response to this message.|
|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.</div>|
|Source|Specifies the message source address.|
|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.|
|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.|
|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.|
|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.|
|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.|
## Device management session
@ -255,56 +72,25 @@ A DM session can be divided into two phases:
1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table.
2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table.
The following table shows the sequence of events during a typical DM session.
The following information shows the sequence of events during a typical DM session.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Step</th>
<th>Action</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>1</p></td>
<td><p>DM client is invoked to call back to the management server</p>
<p>Enterprise scenario The device task schedule invokes the DM client.</p></td>
<td><p>The MO server sends a server trigger message to invoke the DM client.</p>
<p>The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.</p>
<p>Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.</p></td>
</tr>
<tr class="even">
<td><p>2</p></td>
<td><p>The device sends a message, over an IP connection, to initiate the session.</p></td>
<td><p>This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.</p></td>
</tr>
<tr class="odd">
<td><p>3</p></td>
<td><p>The DM server responds, over an IP connection (HTTPS).</p></td>
<td><p>The server sends initial device management commands, if any.</p></td>
</tr>
<tr class="even">
<td><p>4</p></td>
<td><p>The device responds to server management commands.</p></td>
<td><p>This message includes the results of performing the specified device management operations.</p></td>
</tr>
<tr class="odd">
<td><p>5</p></td>
<td><p>The DM server terminates the session or sends another command.</p></td>
<td><p>The DM session ends, or Step 4 is repeated.</p></td>
</tr>
</tbody>
</table>
1. DM client is invoked to call back to the management server<br><br>Enterprise scenario The device task schedule invokes the DM client.
The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.<br><br>Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
2. The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any.
4. The device responds to server management commands. This message includes the results of performing the specified device management operations.
5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated.
The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
@ -319,24 +105,24 @@ For CSPs and policies that support per user configuration, the MDM server can se
The data part of this alert could be one of following strings:
- user the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
- others another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device.
- none no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login).
- User the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration
- Others another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device.
- None no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login).
Below is an alert example:
```
```xml
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>user</Data>
</Item>
</Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>user</Data>
</Item>
</Alert>
```
The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management nodes LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration.
@ -351,37 +137,27 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
| Status code | Description |
|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 200 | The SyncML command completed successfully. |
| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
| Status code | Description |
|---|----|
| 200 | The SyncML command completed successfully. |
| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. |
| 214 | Operation cancelled. The SyncML command completed successfully, but no more commands will be processed within the session. |
| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. |
| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. |
| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. |
| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. |
| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. |
| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. |
| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. |
| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. |
| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. |
| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. |
| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. |
| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. |
| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. |
| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. |
| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. |
| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. |
| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. |
| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. |
| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. |
| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. |
| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. |
| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. |
| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. |
| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. |
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

61
windows/client-management/mdm/policy-csp-abovelock.md
View File

@ -38,33 +38,13 @@ manager: dansimp
<a href="" id="abovelock-allowcortanaabovelock"></a>**AboveLock/AllowCortanaAboveLock**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -105,28 +85,13 @@ The following list shows the supported values:
<a href="" id="abovelock-allowtoasts"></a>**AboveLock/AllowToasts**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td><td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes, starting in Windows 10, version 1607</td><td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes, starting in Windows 10, version 1607</td><td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes, starting in Windows 10, version 1607</td><td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes, starting in Windows 10, version 1607|Yes|
|Enterprise|Yes, starting in Windows 10, version 1607|Yes|
|Education|Yes, starting in Windows 10, version 1607|Yes|
<!--/SupportedSKUs-->
<hr/>

150
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -40,43 +40,15 @@ manager: dansimp
<a href="" id="accounts-allowaddingnonmicrosoftaccountsmanually"></a>**Accounts/AllowAddingNonMicrosoftAccountsManually**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -114,48 +86,16 @@ The following list shows the supported values:
<a href="" id="accounts-allowmicrosoftaccountconnection"></a>**Accounts/AllowMicrosoftAccountConnection**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -190,48 +130,16 @@ The following list shows the supported values:
<a href="" id="accounts-allowmicrosoftaccountsigninassistant"></a>**Accounts/AllowMicrosoftAccountSignInAssistant**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

32
windows/client-management/mdm/policy-csp-activexcontrols.md
View File

@ -40,31 +40,13 @@ manager: dansimp
<a href="" id="activexcontrols-approvedinstallationsites"></a>**ActiveXControls/ApprovedInstallationSites**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td><td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

33
windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
View File

@ -40,31 +40,14 @@ manager: dansimp
<a href="" id="admx-activexinstallservice-axisurlzonepolicies"></a>**ADMX_ActiveXInstallService/AxISURLZonePolicies**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

411
windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
View File

@ -70,20 +70,10 @@ manager: dansimp
<a href="" id="admx-addremoveprograms-defaultcategory"></a>**ADMX_AddRemovePrograms/DefaultCategory**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
<!--/SupportedSKUs-->
<hr/>
@ -135,34 +125,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddfromcdorfloppy"></a>**ADMX_AddRemovePrograms/NoAddFromCDorFloppy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|||
|Enterprise|Yes|Yes|
|Education|||
<!--/SupportedSKUs-->
<hr/>
@ -212,38 +182,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddfrominternet"></a>**ADMX_AddRemovePrograms/NoAddFromInternet**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -294,38 +240,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddfromnetwork"></a>**ADMX_AddRemovePrograms/NoAddFromNetwork**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -377,38 +299,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddpage"></a>**ADMX_AddRemovePrograms/NoAddPage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -456,38 +354,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddremoveprograms"></a>**ADMX_AddRemovePrograms/NoAddRemovePrograms**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -535,38 +409,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-nochooseprogramspage"></a>**ADMX_AddRemovePrograms/NoChooseProgramsPage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -615,37 +465,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noremovepage"></a>**ADMX_AddRemovePrograms/NoRemovePage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -693,38 +520,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noservices"></a>**ADMX_AddRemovePrograms/NoServices**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -775,38 +578,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-nosupportinfo"></a>**ADMX_AddRemovePrograms/NoSupportInfo**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -856,38 +635,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-nowindowssetuppage"></a>**ADMX_AddRemovePrograms/NoWindowsSetupPage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>