Merge branch 'main' into sheshachary-5859198-2

This commit is contained in:
Shesh
2022-05-18 00:51:38 +05:30
85 changed files with 2603 additions and 3119 deletions

View File

@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement CSP
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
> [!NOTE]
@ -41,7 +40,9 @@ Interior node.
<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
Supported operations are Add, Get, Replace, and Delete. Value type is bool.
Supported operations are Add, Get, Replace, and Delete.
Value type is bool.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"></a>**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
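Review bot: The anchor ids in this hunk are attached to the wrong headings: `id="accountmanagement-userprofilemanagement-deletionpolicy"` sits on **UserProfileManagement/EnableProfileManager**, and `id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"` sits on **UserProfileManagement/DeletionPolicy**, so fragment links to either node land one node off. Since these lines are being touched anyway, give each heading its own id (an `...enableprofilemanager` id for the first, `...deletionpolicy` for the second). Also, splitting "Supported operations are Add, Get, Replace, and Delete." and "Value type is bool." onto two lines only renders as two paragraphs if a blank line separates them; adjacent lines fold into one paragraph in Markdown.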
@ -52,19 +53,29 @@ Valid values:
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-profileinactivitythreshold"></a>**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
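Review bot: Two headings in this hunk carry the same anchor, `id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"`, on both **UserProfileManagement/StorageCapacityStartDeletion** and **UserProfileManagement/StorageCapacityStopDeletion**; duplicate ids make the StartDeletion fragment link resolve to whichever comes first, so the StartDeletion heading needs a `...storagecapacitystartdeletion` id. Separately, the "Supported operations are Add, Get, Replace, and Delete. Value type is integer." line under **ProfileInactivityThreshold** is left joined while the three identical lines above it are split; apply the same treatment to all four for consistency.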
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement DDF file
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803.
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Enable profile lifetime mangement for shared or communal device scenarios.</Description>
<Description>Enable profile lifetime management for shared or communal device scenarios.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -198,3 +197,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[AccountManagement configuration service provider](accountmanagement-csp.md)

View File

@ -11,15 +11,23 @@ ms.reviewer:
manager: dansimp
---
# Accounts Configuration Service Provider
# Accounts CSP
The table below shows the applicability of Windows:
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later.
The following syntax shows the Accounts configuration service provider in tree format.
```
```console
./Device/Vendor/MSFT
Accounts
----Domain
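Review bot: The rewritten sentence "This CSP was added in Windows 10, version 1803, and later." contradicts itself: a CSP is added in one release. Either keep the original "This CSP was added in Windows 10, version 1803." or say "This CSP is available in Windows 10, version 1803 and later." The rest of the hunk (the `# Accounts CSP` heading, the applicability table, and tagging the tree fence as `console`) is fine.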
@ -55,10 +63,10 @@ Supported operation is Add.
Interior node for the user account information.
<a href="" id="users-username"></a>**Users/_UserName_**
This node specifies the username for a new local user account. This setting can be managed remotely.
This node specifies the username for a new local user account. This setting can be managed remotely.
<a href="" id="users-username-password"></a>**Users/_UserName_/Password**
This node specifies the password for a new local user account. This setting can be managed remotely.
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager.
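Review bot: The replaced lines for **Users/_UserName_** and **Users/_UserName_/Password** are identical to the originals in visible text, so this appears to be a whitespace-only change (trailing spaces or line endings). If that is intentional it is fine; otherwise drop these lines from the change so the diff stays reviewable.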
@ -67,3 +75,7 @@ GET operation isn't supported. This setting will report as failed when deployed
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,6 +1,6 @@
---
title: Accounts DDF file
description: XML file containing the device description framework (DDF) for the Accounts configuration service provider.
description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -11,12 +11,11 @@ ms.reviewer:
manager: dansimp
---
# Accounts CSP
# Accounts DDF file
This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider.
The XML below is for Windows 10, version 1803.
The XML below is for Windows 10, version 1803 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -157,7 +156,7 @@ The XML below is for Windows 10, version 1803.
<Add />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<Description>This optional node specifies the local user group that a local user account should be joined. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<DFFormat>
<int />
</DFFormat>
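Review bot: The `<Description>` edit turns "the local user group that a local user account should be joined to" into "... should be joined", which drops the preposition and leaves the sentence ungrammatical; the original wording was correct and is still what the CSP page says ("This optional node specifies the local user group that a local user account should be joined to."). Revert this line. More generally, this XML is presented as the DDF for the CSP, so wording changes made only in the doc copy make the page diverge from the DDF file itself; if a Description string should change, change it in the DDF source and paste the regenerated XML.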
@ -177,3 +176,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[Accounts configuration service provider](accounts-csp.md)

View File

@ -14,23 +14,30 @@ ms.date: 06/26/2017
# ActiveSync CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term.
The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
```
```console
./Vendor/MSFT
ActiveSync
----Accounts
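Review bot: In "The `./Vendor/MSFT/ActiveSync path` is deprecated", the backticks wrap the word "path" along with the URI; it should read "The `./Vendor/MSFT/ActiveSync` path is deprecated", matching the note two paragraphs earlier. Also, dropping the parentheses in "only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported" leaves the path dangling mid-sentence; keep the parentheses around the code span and hyphenate "per-user".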
@ -66,13 +73,11 @@ ActiveSync
The root node for the ActiveSync configuration service provider.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term.
The supported operation is Get.
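Review bot: In the rewritten root-node paragraph, `./Vendor/MSFT/ActiveSync` is left without a code span and without its noun ("However, the ./Vendor/MSFT/ActiveSync will work"), while the same sentence in the intro of this file was changed to "the `./Vendor/MSFT/ActiveSync` path will work". Make the two copies identical, or keep the note in one place only, since duplicated text like this is what let the two drift apart.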
@ -264,7 +269,6 @@ Required. A character string that specifies the name of the content type.
> [!NOTE]
> In Windows 10, this node is currently not working.
Supported operations are Get, Replace, and Add (can't Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
@ -275,7 +279,9 @@ Node for mail body type and email age filter.
<a href="" id="policies-mailbodytype"></a>**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policies-maxmailagefilter"></a>**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
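Review bot: The split of "Value type is string." and "Supported operations are Add, Get, Replace, and Delete." under **Policies/MailBodyType** is not applied to the identical line under **Policies/MaxMailAgeFilter** (still joined, as the next hunk header shows), so two adjacent nodes render differently. Split both or neither, and if two paragraphs are intended, put a blank line between them; consecutive lines fold into one paragraph in Markdown.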
@ -284,7 +290,6 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# ActiveSync DDF file
This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -533,7 +532,7 @@ The XML below is the current version for this CSP.
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<Description>Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<DFFormat>
<node />
</DFFormat>
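Review bot: The spacing fix in this `<Description>` is incomplete: a space is added after "calendar." but "GUID.Email:", "}.Calendar:" and "Tasks:{" in the same string are still run together. Fix all of them or none. Since this XML is a copy of the DDF (the page links to the DDF download), the correction belongs in the DDF source so the doc and the file do not diverge.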
@ -679,15 +678,4 @@ The XML below is the current version for this CSP.
## Related topics
[ActiveSync configuration service provider](activesync-csp.md)
 
 

View File

@ -14,21 +14,18 @@ ms.date: 06/26/2017
# AllJoynManagement CSP
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (`com.microsoft.alljoynmanagement.config`). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> [!NOTE]
> The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
The following example shows the AllJoynManagement configuration service provider in tree format
```
```console
./Vendor/MSFT
AllJoynManagement
----Configurations
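Review bot: The fix of "set on the directly on the device" is good, but the two "For more information" sentences that follow still point at the same URL (`https://wikipedia.org/wiki/AllJoyn`) under two labels, one of which claims to describe the Device System Bridge (DSB); keep one link with an accurate label. Also "The following example shows the AllJoynManagement configuration service provider in tree format" is still missing its period.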
@ -64,7 +61,7 @@ The following list describes the characteristics and parameters.
The root node for the AllJoynManagement configuration service provider.
<a href="" id="services"></a>**Services**
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "`com.microsoft.alljoynmanagement.config`" are included.
<a href="" id="services-node-name"></a>**Services/**<strong>*Node name*</strong>
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
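Review bot: In "expose the "`com.microsoft.alljoynmanagement.config`" are included", the code span is additionally wrapped in double quotes; the backticks already delimit the identifier, so drop the quotes (the intro paragraph of this file uses the bare code span in parentheses). The sentence also lacks its noun: "expose the `com.microsoft.alljoynmanagement.config` interface".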
@ -81,7 +78,7 @@ The set of configurable interfaces that are available on the port of the AllJoyn
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/**<strong>*Node name*</strong>
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "`\\FabrikamService\\BridgeConfig`" would be specified in the URI as: `%2FFabrikamService%2FBridgeConfig`.
<a href="" id="credentials"></a>**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
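Review bot: Moving `\\FabrikamService\\BridgeConfig` into a code span changes what the reader sees: outside a code span `\\` is a Markdown escape rendering as one backslash, but inside backticks both backslashes are literal, so the example now shows doubled separators. Use single backslashes inside the code span. Separately, the escaped form given alongside, `%2FFabrikamService%2FBridgeConfig`, decodes to forward slashes (`%2F` is `/`), so the unescaped example and its escaped form disagree on the separator; confirm which one the object path uses and make the two agree.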
@ -105,7 +102,6 @@ Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enable
## Examples
Set adapter configuration
```xml
@ -167,7 +163,9 @@ Get the firewall PrivateProfile
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# AllJoynManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -238,7 +237,7 @@ It is typically implemented as a GUID.</Description>
<Get />
<Replace />
</AccessType>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard</Description>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -328,15 +327,4 @@ It is typically implemented as a GUID.</Description>
## Related topics
[AllJoynManagement configuration service provider](alljoynmanagement-csp.md)
 
 

View File

@ -1,5 +1,5 @@
---
title: APPLICATION configuration service provider
title: APPLICATION CSP
description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.reviewer:
@ -12,16 +12,27 @@ author: dansimp
ms.date: 06/26/2017
---
# APPLICATION configuration service provider
# APPLICATION CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider.
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
The following list shows the supported transports:
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md).
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md).
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
@ -29,15 +40,5 @@ For the device to decode correctly, provisioning XML that contains the APPLICATI
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

View File

@ -11,13 +11,10 @@ ms.date: 07/10/2019
# ApplicationControl CSP DDF
This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
### ApplicationControl CSP
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
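Review bot: "### ApplicationControl CSP" is an H3 directly under the page's H1 with no H2 in between; it should be `##`, or dropped, since it is the only section heading on the page. Also visible in the context: the DOCTYPE public identifier has a leading space, `" -//OMA//DTD-DM-DDF 1.2//EN"`, which should be `"-//OMA//DTD-DM-DDF 1.2//EN"` if this is meant to match the shipped DDF.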
@ -32,7 +29,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Root Node of the ApplicationControl CSP</Description>
<Description>Root Node of the ApplicationControl CSP.</Description>
<DFFormat>
<node />
</DFFormat>
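Review bot: This hunk and the nine that follow in this file only add terminal periods or a comma inside `<Description>` strings of the DDF XML. The page is a copy of the DDF (the intro links to the DDF download), so doc-only edits make the two diverge; apply wording changes in the DDF source and paste the regenerated XML, or leave the copy verbatim. If they stay, the IsAuthorized hunk still keeps a trailing space before the closing tag ("on the system. </Description>").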
@ -73,7 +70,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The GUID of the Policy</Description>
<Description>The GUID of the Policy.</Description>
<DFFormat>
<node />
</DFFormat>
@ -97,7 +94,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<Delete />
<Replace />
</AccessType>
<Description>The policy binary encoded as base64</Description>
<Description>The policy binary encoded as base64.</Description>
<DFFormat>
<b64 />
</DFFormat>
@ -119,7 +116,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Information Describing the Policy indicated by the GUID</Description>
<Description>Information Describing the Policy indicated by the GUID.</Description>
<DFFormat>
<node />
</DFFormat>
@ -140,7 +137,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type</Description>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -162,7 +159,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)</Description>
<Description>Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -184,7 +181,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)</Description>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -206,7 +203,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system </Description>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. </Description>
<DFFormat>
<bool />
</DFFormat>
@ -228,7 +225,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The Current Status of the Policy Indicated by the Policy GUID</Description>
<Description>The Current Status of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<int />
</DFFormat>
@ -250,7 +247,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID</Description>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -271,4 +268,8 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
</Node>
</Node>
</MgmtTree>
```
```
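Review bot: Two consecutive closing fences appear at the end of this hunk. If one is the removed line and the other its replacement (a whitespace-only difference), fine; but if both survive in the result, the second fence opens a new code block that swallows "## Related topics" and the link after it. Confirm the file ends with exactly one closing fence.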
## Related topics
[ApplicationControl configuration service provider](applicationcontrol-csp.md)

View File

@ -13,12 +13,23 @@ ms.date: 09/10/2020
# ApplicationControl CSP
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and hence doesn't schedule a reboot.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The following example shows the ApplicationControl CSP in tree format.
```
```console
./Vendor/MSFT
ApplicationControl
----Policies
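Review bot: The rewritten intro still reads "correctly detects the presence of no-reboot option"; it needs the article ("the no-reboot option"). Swapping "hence" for "consequently" is a lateral change that can be left out of the diff. The applicability table and the `console` fence tag are consistent with the other CSP pages in this change.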
@ -43,6 +54,7 @@ ApplicationControl
----TenantID
----DeviceID
```
<a href="" id="vendor-msft-applicationcontrol"></a>**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
@ -73,7 +85,7 @@ An interior node that contains the nodes that describe the policy indicated by t
Scope is dynamic. Supported operation is Get.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-version"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type.
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type.
Scope is dynamic. Supported operation is Get.
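Review bot: "Stored as a string, but when parsing uses a uint64 as the containing data type" is a regression: the original "when parsing use a uint64" is an instruction to the reader, and the new form has no subject. Use "when parsing, use a uint64 as the containing data type", which is also the wording this change puts in the DDF `<Description>` for the Version node.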
@ -113,7 +125,7 @@ The following table provides the result of this policy based on different values
|IsAuthorized | IsDeployed | IsEffective | Resultant |
|------------ | ---------- | ----------- | --------- |
|True|True|True|Policy is currently running and in effect.|
|True|True|True|Policy is currently running and is in effect.|
|True|True|False|Policy requires a reboot to take effect.|
|True|False|True|Policy requires a reboot to unload from CI.|
|False|True|True|Not Reachable.|
@ -122,14 +134,14 @@ The following table provides the result of this policy based on different values
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-status"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
Scope is dynamic. Supported operation is Get.
Value type is integer. Default value is 0 == OK.
Value type is integer. Default value is 0 = OK.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-friendlyname"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
This node provides the friendly name of the policy indicated by the policy GUID.
@ -140,15 +152,15 @@ Value type is char.
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Microsoft Endpoint Manager Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
In order to use the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>` or `<PolicyTypeID>` for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool.
2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the `certutil -encode` command-line tool.
Below is a sample certutil invocation:
@ -293,8 +305,8 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi
### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64
2. Open PowerShell in Local System context (through PSExec or something similar)
1. Convert your WDAC policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:
```powershell
@ -315,4 +327,8 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa
```powershell
Get-CimInstance -Namespace $namespace -ClassName $policyClassName
```
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
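Review bot: two consecutive closing fences appear at the end of the Get-CimInstance block (the two ``` lines immediately before "## Related topics"); if both survive in the file, the second one opens a new code block and the Related topics heading and link render as code. Keep only one closing fence before the heading.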

View File

@ -14,6 +14,15 @@ ms.date: 11/19/2019
# AppLocker CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked.
@ -74,13 +83,11 @@ Defines restrictions for applications.
> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
> [!NOTE]
> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
Additional information:
> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
<a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
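Review bot: "whose job it's to determine what their purpose is" in the Grouping paragraph should read "whose job it is to determine"; the contraction doesn't work before "to", and "and to not conflict" reads better as "and to avoid conflicting". Merging the two notes and dropping the stray "Additional information:" line is an improvement; keep the unenrollment caveat (Grouping values must be unique, a GUID is recommended) visible, since duplicate Grouping URIs cause deletion to misbehave silently.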
@ -96,14 +103,14 @@ Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
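Review bot: "The contents of a given Policy node is precisely the XML format" in the EXE/Policy paragraph needs "are"; the repeated "Data type is string." lines look like a whitespace-only change, which is fine. The EXE/EnforcementMode paragraph only discusses the Windows Information Protection case and never states what values the node accepts or how they affect EXE launch enforcement; a sentence on that belongs here before the EDP aside.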
@ -206,22 +213,25 @@ Data type is Base64.
Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
<a href="" id="applocker-enterprisedataprotection"></a>**AppLocker/EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
You can set the allowed list using the following URI:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy
You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. The "EdpExempt" keyword is also evaluated in a case-insensitive manner:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy
Exempt examples:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy
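Review bot: "Applocker-CSP" at the end of the Code Integrity note should be "AppLocker CSP" to match the rest of the page. In the EnterpriseDataProtection paragraph, "the data handled by those applications are protected" should be "is protected", and "You can set the exempt list using the following URI." introduces two URIs. It is also worth stating plainly that an app on the exempt list (a Grouping containing "EdpExempt") handles enterprise data without the encryption applied to allowed apps, so the exempt list should be limited to the compatibility cases the paragraph describes.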
@ -259,15 +269,15 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
The **Device Portal** page opens on your browser.
![device portal screenshot.](images/applocker-screenshot1.png)
3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.
3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.
![device portal app manager.](images/applocker-screenshot3.png)
@ -279,7 +289,7 @@ The following table shows the mapping of information to the AppLocker publisher
|Device portal data|AppLocker publisher rule field|
|--- |--- |
|PackageFullName|ProductName<br><br> The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
|Version|Version<br> <br>The version can be used either in the HighSection or LowSection of the BinaryVersionRange.<br> <br>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
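Review bot: the Version row still uses "<br> <br>" for line breaks while the PackageFullName row was changed to a ": " separator; apply the same treatment to both rows so the table is consistent. "version- independent" also has a stray space after the hyphen.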
@ -293,13 +303,13 @@ Here's an example AppLocker publisher rule:
You can get the publisher name and product name of apps using a web API.
**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
**To find publisher and product name for Microsoft apps in Microsoft Store for Business:**
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
Request URI:
@ -359,17 +369,13 @@ The product name is first part of the PackageFullName followed by the version nu
| SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 |
## <a href="" id="inboxappsandcomponents"></a>Inbox apps and components
The following list shows the apps that may be included in the inbox.
> [!NOTE]
> This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.
|App|Product ID|Product name|
|--- |--- |--- |
|3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)|
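Review bot: "we recommend a thorough testing" in the note should be "we recommend thorough testing". Removing the blank lines is fine, but keep the note adjacent to the table: once an allow list exists, every inbox app not on it is blocked (see the earlier note on allowed apps), so this list is the set an administrator has to verify before enforcing.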
@ -1277,6 +1283,7 @@ The following example for Windows 10 Holographic for Business denies all apps an
```
## Recommended blocklist for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
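Review bot: "and avoid known compatibility issues" in the blocklist paragraph should be "and avoids", matching "ensures". The first sentence, "denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.)", is clearer as: the deny rules stop these apps from being added as allowed apps; an administrator can still exempt them if the compatibility risk is accepted.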
@ -1460,5 +1467,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# AppLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -672,15 +671,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
## Related topics
[AppLocker configuration service provider](applocker-csp.md)
 
 
[AppLocker configuration service provider](applocker-csp.md)

View File

@ -13,7 +13,17 @@ ms.date: 05/03/2022
# AssignedAccess CSP
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user sign in that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
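Review bot: the replacement sentence changes "the next user sign in" to "the next user login"; Microsoft style uses "sign-in" as the noun rather than "login", so "the next user sign-in that is associated with the kiosk mode" is the better form. Moving the intro paragraph below the applicability table matches the other CSP pages in this commit.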
@ -23,14 +33,14 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider (
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!Note]
> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
The following example shows the AssignedAccess configuration service provider in tree format
```
```console
./Vendor/MSFT
AssignedAccess
----KioskModeApp
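Review bot: in the KeyCredentialManager note, "select your convenience pin" should be "PIN" to match "an appropriate PIN" earlier in the same sentence. Tagging the tree diagram fence as console is consistent with the other pages.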
@ -44,14 +54,14 @@ AssignedAccess
Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app).
For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
>
> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
> [!Note]
> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
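Review bot: the AUMID link target changes from /windows-hardware/customize/enterprise/... to /windows/configuration/find-the-application-user-model-id-of-an-installed-app; confirm the new path resolves before merging. In the second note, "even its not effective" still needs fixing ("even if it isn't effective"). That note deserves to stay prominent: a Get on KioskModeApp returning the configured JSON while the node is a no-op can mislead an MDM operator into believing the kiosk app is in force when only the Configuration node applies.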
@ -453,7 +463,7 @@ The schema below is for AssignedAccess Configuration up to Windows 10 20H2 relea
</xs:schema>);
```
Here's the schema for new features introduced in Windows 10 1809 release
Here's the schema for new features introduced in Windows 10 1809 release:
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -500,6 +510,7 @@ Here's the schema for new features introduced in Windows 10 1809 release
```
Schema for Windows 10 prerelease
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -675,7 +686,7 @@ XML encoding (escaped) and CDATA of the XML in the Data node will both ensure th
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, youll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
Escape and CDATA are mechanisms when handling xml in xml. Consider its a transportation channel to send the configuration xml as payload from server to client. Its transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
Escape and CDATA are mechanisms used when handling xml in xml. Consider that its a transportation channel to send the configuration xml as payload from server to client. Its transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
This example shows escaped XML of the Data node.
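Review bot: the Escape/CDATA paragraph still has apostrophe errors after the edit: "youll have nested CDATA" (you'll), "Consider that its a transportation channel" (it's), "Its transparent" (It's); and "Both, the end user who configures the CSP and to our CSP" should drop the comma and the "to". The preceding paragraph is one long run-on; splitting it at "With that being said" would help.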

View File

@ -1,6 +1,6 @@
---
title: AssignedAccess DDF
description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
description: Learn about the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
ms.reviewer:
manager: dansimp
@ -14,7 +14,6 @@ ms.date: 02/22/2018
# AssignedAccess DDF
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
@ -22,7 +21,8 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is for Windows 10, version 1909.
The XML below is for Windows 10, version 1803 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
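Review bot: the version claim is changed from "Windows 10, version 1909" to "Windows 10, version 1803 and later" with no change to the XML itself; confirm the DDF below matches 1803 and contains nothing introduced after it, otherwise the original wording was the accurate one. The download list above only goes up to version 1703, so a reader cannot verify the claim from the page.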
@ -118,7 +118,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
<AccessType>
<Get />
</AccessType>
<Description>This read only node contains kiosk health event in xml</Description>
<Description>This read only node contains kiosk health event in xml.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -196,14 +196,4 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
## Related topics
[AssignedAccess configuration service provider](assignedaccess-csp.md)
 
 

View File

@ -937,3 +937,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI
</Node>
</MgmtTree>
```
## Related topics
[BitLocker configuration service provider](bitlocker-csp.md)

View File

@ -14,10 +14,20 @@ ms.date: 06/26/2017
# CellularSettings CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
> Starting in Windows 10, version 1703, the CellularSettings CSP is supported in Windows 10 and Windows 11 Home, Pro, Enterprise, and Education editions.
The following example shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider.
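Review bot: the note now lists "Home, Pro, Enterprise, and Education editions" while the applicability table added above marks Business as Yes; either add Business to the note or drop the edition list from the note and let the table carry it.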

View File

@ -14,6 +14,16 @@ ms.date: 02/28/2020
# CertificateStore CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
> [!Note]
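Review bot: "secure socket layers (SSL)" in the intro should be "Secure Sockets Layer (SSL)". Since this CSP also installs root and intermediate certificates, the intro should say that a certificate written under ROOT becomes a trust anchor for the device; that is the practical risk a reader of this page needs flagged before the node-by-node detail.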
@ -24,7 +34,7 @@ For the CertificateStore CSP, you can't use the Replace command unless the node
The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
```
```console
./Vendor/MSFT
CertificateStore
----ROOT
@ -259,7 +269,7 @@ Optional. OID of certificate template name.
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-keylength"></a>**My/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Supported operations are Get, Add, Delete, and Replace.
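Review bot: "Valid values are 1024, 2048, 4096" lists 1024-bit RSA without comment; 2048 is the minimum recommended RSA size today (NIST SP 800-131A disallows 1024-bit keys for new signatures), so the text should steer readers to 2048 or larger even though the CSP still accepts 1024. "NGC key lengths supported should be specified" is also unclear: either state which lengths the NGC (Windows Hello for Business) key storage provider accepts or drop the sentence.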
@ -343,7 +353,7 @@ Required. Returns the URL of the SCEP server that responded to the enrollment re
Supported operation is Get.
<a href="" id="my-wstep"></a>**My/WSTEP**
Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Supported operation is Get.
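Review bot: "Specifies the parent node that hosts ..." is inaccurate: WSTEP is itself that parent node, it does not specify one. The original "The parent node that hosts the MDM enrollment client certificate related settings" was correct; "Specifies" fits only nodes whose value selects something.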
@ -358,8 +368,6 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't
> [!NOTE]
> The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="my-wstep-renew-renewalperiod"></a>**My/WSTEP/Renew/RenewalPeriod**
@ -414,7 +422,7 @@ Optional. If certificate renewal fails, this integer value indicates the HRESULT
Supported operation is Get.
<a href="" id="my-wstep-renew-lastrenewalattempttime"></a>**My/WSTEP/Renew/LastRenewalAttemptTime**
Added in Windows 10, version 1607. Time of the last attempted renewal.
Added in Windows 10, version 1607. Specifies the time of the last attempted renewal.
Supported operation is Get.
@ -424,7 +432,7 @@ Added in Windows 10, version 1607. Initiates a renewal now.
Supported operation is Execute.
<a href="" id="my-wstep-renew-retryafterexpiryinterval"></a>**My/WSTEP/Renew/RetryAfterExpiryInterval**
Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew.
Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew.
Supported operations are Add, Get, and Replace.
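Review bot: the reworded description, "how long after the enrollment certificate has expired before trying to renew", disagrees with the DDF description of the same node further down in this commit, "How long after the enrollment cert has expired to keep trying to renew". One describes a delay before the first attempt, the other a window during which attempts continue; determine which behaviour the client implements and use that wording in both places.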
@ -698,7 +706,6 @@ Configure the device to automatically renew an MDM client certificate with the s
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# CertificateStore DDF file
This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -458,7 +457,7 @@ The XML below is the current version for this CSP.
<Get />
<Replace />
</AccessType>
<Description>The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key.</Description>
<Description>The base64 Encoded X.509 certificate. Note that during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node and properly enroll a client certificate including private needs a cert enroll protocol to handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key.</Description>
<DFFormat>
<b64 />
</DFFormat>
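Review bot: the rewritten EncodedCertificate description still reads "enroll a client certificate including private needs", which is missing "key", and replacing "though ..., properly enroll" with "and properly enroll" loses the contrast the original made: the server can push the public part via this node, but a complete enrollment with the private key needs an enrollment protocol or a manual install. More generally, these Description edits make the page diverge from the DDF XML the device ships; if the page is meant to mirror the downloadable DDF, the text should be corrected at the source or left verbatim.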
@ -585,7 +584,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment.</Description>
<Description>This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment.</Description>
<DFFormat>
<node />
</DFFormat>
@ -627,7 +626,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>The group to represent the install request</Description>
<Description>The group to represent the install request.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1241,7 +1240,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>If certificate renew fails, this node provide the last hresult code during renew process.</Description>
<Description>If certificate renew fails, this node provides the last hresult code during renew process.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1262,7 +1261,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Time of last attempted renew</Description>
<Description>Time of last attempted renew.</Description>
<DFFormat>
<time />
</DFFormat>
@ -1283,7 +1282,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Exec />
</AccessType>
<Description>Initiate a renew now</Description>
<Description>Initiate a renew now.</Description>
<DFFormat>
<null />
</DFFormat>
@ -1305,7 +1304,7 @@ The XML below is the current version for this CSP.
<Get />
<Set />
</AccessType>
<Description>How long after the enrollment cert has expiried to keep trying to renew</Description>
<Description>How long after the enrollment cert has expired to keep trying to renew.</Description>
<DFFormat>
<null />
</DFFormat>
@ -1372,7 +1371,7 @@ The XML below is the current version for this CSP.
<Get />
<Replace />
</AccessType>
<Description>The base64 Encoded X.509 certificate</Description>
<Description>The base64 Encoded X.509 certificate.</Description>
<DFFormat>
<b64 />
</DFFormat>
@ -1667,11 +1666,6 @@ The XML below is the current version for this CSP.
</MgmtTree>
```
 
 
## Related topics
[CertificateStore configuration service provider](certificatestore-csp.md)

View File

@ -13,6 +13,16 @@ manager: dansimp
# CleanPC CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following shows the CleanPC configuration service provider in tree format.

View File

@ -34,7 +34,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Allow removal of user installed and pre-installed applications, with option to persist user data</Description>
<Description>Allow removal of user installed and pre-installed applications, with option to persist user data.</Description>
<DFFormat>
<node />
</DFFormat>
@ -54,7 +54,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation without any retention of User data</Description>
<Description>CleanPC operation without any retention of User data.</Description>
<DFFormat>
<int />
</DFFormat>
@ -75,7 +75,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation with retention of User data</Description>
<Description>CleanPC operation with retention of User data.</Description>
<DFFormat>
<int />
</DFFormat>
@ -94,12 +94,6 @@ The XML below is the current version for this CSP.
</MgmtTree>
```
 
 
## Related topics
[CleanPC configuration service provider](cleanpc-csp.md)

View File

@ -1,6 +1,6 @@
---
title: ClientCertificateInstall CSP
description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
description: Learn how the ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.reviewer:
manager: dansimp
@ -14,18 +14,28 @@ ms.date: 07/30/2021
# ClientCertificateInstall CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|---|---|---|
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> [!Note]
> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following example shows the ClientCertificateInstall configuration service provider in tree format.
```
```console
./Vendor/MSFT
ClientCertificateInstall
----PFXCertInstall
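Review bot: the reworded version 1511 note changes its meaning. The original made "both certificates are sent to the device in the same MDM payload" the condition under which the device-store certificate also lands in the user store; the new sentence states as a fact that both certificates are sent in the same payload. The condition is the operative part for an admin (it is what tells them to split device-store and user-store installs into separate payloads so the wrong certificate isn't picked for Wi-Fi or VPN), so keep it conditional, for example: "…to install certificates to the device store and the user store, and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store." Also, "We are working to fix this issue" on a 1511-era note is stale; either confirm it still applies to current releases or drop that sentence.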
@ -99,7 +109,7 @@ The data type is an integer corresponding to one of the following values:
| 1 | Install to TPM if present, fail if not present. |
| 2 | Install to TPM if present. If not present, fall back to software. |
| 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail.
@ -119,7 +129,7 @@ If a blob already exists, the Add operation will fail. If Replace is called on t
If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in <a href="/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)" data-raw-source="[CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85))">CRYPT_INTEGER_BLOB</a>.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)).
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
Password that protects the PFX blob. This is required if the PFX is password protected.
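Review bot: the converted link keeps the text CRYPT_INTEGER_BLOB while the sentence is about a CRYPT_DATA_BLOB, and the sentence is a run-on. CRYPT_DATA_BLOB is one of the typedef names for the same wincrypt.h structure that the linked page documents as CRYPT_INTEGER_BLOB, so say that while the line is being touched, for example: "In other words, Replace or Add either overwrites the old certificate or adds a new one. The blob is a CRYPT_DATA_BLOB, which is the same structure as [CRYPT_INTEGER_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85))."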
@ -133,9 +143,9 @@ Optional. Used to specify whether the PFX certificate password is encrypted with
The data type is int. Valid values:
- 0 - Password isn't encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
- 0 - Password isn't encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
@ -322,9 +332,9 @@ Data type is string.
Valid values are:
- Days (Default)
- Months
- Years
- Days (Default)
- Months
- Years
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
@ -608,7 +618,7 @@ Enroll a client certificate through SCEP.
</SyncML>
```
Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store.
Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store.
```xml
<SyncML>

View File

@ -107,7 +107,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha
<Get />
<Replace />
</AccessType>
<Description>Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. Supported operations are Get, Add
<Description>Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation. Supported operations are Get, Add.
Datatype will be int
1- Install to TPM, fail if not present
2 Install to TPM if present, if not present fallback to Software
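Review bot: the touched description still says "Supported operations are Get, Add" while the AccessType element directly above it lists <Get /> and <Replace />, so the description is out of sync with the DDF's own access list; reconcile them (add Replace to the description or remove it from AccessType). Dropping the trailing "to" from "to target the private key installation to" also loses the object; "the key storage provider that the private key installation targets" reads better. The "Calling Delete on the this node" typo in the surrounding context is left as is.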
@ -138,8 +138,8 @@ Calling Delete on the this node, should delete the certificates and the keys tha
</AccessType>
<Description>Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
Format is chr
Supported operations are Get, Add, Delete and Replace
Format is chr.
Supported operations are Get, Add, Delete and Replace.
</Description>
<DFFormat>
<chr />
@ -165,8 +165,8 @@ Supported operations are Get, Add, Delete and Replace
</AccessType>
<Description>Required.
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
Format is Binary64
Supported operations are Get, Add, Replace
Format is Binary64.
Supported operations are Get, Add, Replace.
If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten.
If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate
@ -197,7 +197,7 @@ CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windo
<Description>
Required if PFX is password protected.
Password that protects the PFX blob.
Format is chr. Supported operations are Add, Get
Format is chr. Supported operations are Add, Get.
</Description>
<DFFormat>
<chr />
@ -228,7 +228,7 @@ If the value is
1- Password is encrypted using the MDM certificate by the MDM server
2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.
The datatype for this node is int.
Supported operations are Add, Replace
Supported operations are Add, Replace.
</Description>
<DFFormat>
<int />
@ -254,7 +254,7 @@ Supported operations are Add, Replace
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>Optional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool.
Supported operations are Add, Get
Supported operations are Add, Get.
</Description>
<DFFormat>
<bool />
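Review bot: the PFXKeyExportable description gets a period but still doesn't document the constraint stated on the CSP page earlier in this patch ("You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail"), even though DefaultValue here is true. With an exportable default and a TPM KeyLocation the install fails, which an MDM author reading only the DDF won't expect; add something like "Only valid as true when KeyLocation is 3 (software). With any other KeyLocation the install fails."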
@ -299,7 +299,7 @@ Supported operations are Add, Get
<Get />
</AccessType>
<Description>Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int.
Support operations are Get
Support operations are Get.
</Description>
<DFFormat>
<int />
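Review bot: the line gains a period but keeps "Support operations are Get."; it should read "Supported operations are Get." The same line spells the Win32 function as "PfxImportCertStore"; the documented name is PFXImportCertStore. Both are worth fixing while the line is being edited.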
@ -374,7 +374,7 @@ Support operation are Add, Get and Replace.
</AccessType>
<Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
Format is node.
Supported operations are Get, Add, Delete
Supported operations are Get, Add, Delete.
Calling Delete on the this node, should delete the corresponding SCEP certificate</Description>
<DFFormat>
<node />
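Review bot: the period fix leaves the adjacent sentence "Calling Delete on the this node, should delete the corresponding SCEP certificate" with "the this", a stray comma and no terminating period; suggest "Calling Delete on this node deletes the corresponding SCEP certificate." The context line a few lines up, "Support operation are Add, Get and Replace.", has the same grammar slip ("Supported operations are").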
@ -401,7 +401,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
</AccessType>
<Description>Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete.
NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values.</Description>
NOTE: Though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values.</Description>
<DFFormat>
<node />
</DFFormat>
@ -570,7 +570,7 @@ SCEP enrolled cert doesnt support TPM PIN protection. Supported values:
Format is int.
Supported operations are Get, Add, Delete, Replace
Supported operations are Get, Add, Delete, Replace.
</Description>
<DFFormat>
@ -604,7 +604,7 @@ The min value is 1.
Format is int.
Supported operations are Get, Add, Delete noreplace</Description>
Supported operations are Get, Add, Delete noreplace.</Description>
<DFFormat>
<int />
</DFFormat>
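Review bot: adding a period after "noreplace" yields "Supported operations are Get, Add, Delete noreplace.", which reads as an internal annotation that leaked into the description. If the intent is that Replace isn't supported, spell it out ("Supported operations are Get, Add, and Delete. Replace isn't supported."); otherwise drop the token.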
@ -654,7 +654,7 @@ The min value is 0 which means no retry. Supported operations are Get, Add, Dele
<Get />
<Replace />
</AccessType>
<Description>Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesnt need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace</Description>
<Description>Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesnt need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace.</Description>
<DFFormat>
<chr />
</DFFormat>
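Review bot: the same "noreplace" annotation appears here ("Get, Add, Delete.noreplace."), and here it contradicts the AccessType element directly above, which lists <Replace />. Either the DDF grants Replace and the description should say so, or AccessType should drop Replace; the description shouldn't leave an MDM server guessing which one wins. "doesnt" on the same line is also missing its apostrophe.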
@ -819,7 +819,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
Format is int.
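Review bot: "Note that the valid period specified by MDM will overwrite the valid period specified in cert template" contradicts the NOTE quoted in this hunk's own header context ("The device only sends the MDM server expected certificate validation period ... Depending on the server configuration, the server defines how to use this valid period") and the line's own "Subjected to SCEP server configuration". The issuing side, not the client, decides the certificate lifetime, so the description should present ValidPeriodUnits as a requested validity that the SCEP server may honor or ignore; "will overwrite" overstates the client's control and sets a wrong expectation about certificate lifetime. "Subjected to" should also be "Subject to".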
@ -852,9 +852,9 @@ NOTE: The device only sends the MDM server expected certificate validation perio
<Description>Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
Format is chr
Format is chr.
Supported operations are Get, Add, Delete and Replace</Description>
Supported operations are Get, Add, Delete and Replace.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -880,9 +880,9 @@ Supported operations are Get, Add, Delete and Replace</Description>
</AccessType>
<Description>Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this.
Format is chr
Format is chr.
Supported operations are Get, Add, Delete and Replace</Description>
Supported operations are Get, Add, Delete and Replace.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1029,9 +1029,9 @@ Supported operation is Get.</Description>
</AccessType>
<Description>Required. Returns the URL of the SCEP server that responded to the enrollment request.
Format is String
Format is String.
Supported operation is Get</Description>
Supported operation is Get.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1054,15 +1054,4 @@ Supported operation is Get</Description>
## Related topics
[ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md)
 
 

View File

@ -14,6 +14,16 @@ ms.date: 08/02/2017
# CM\_CellularEntries CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point.
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
@ -76,13 +86,13 @@ Optional. Type: String. Specifies the type of connection used for the APN. The f
|Cdma|Used for CDMA type connections (1XRTT + EVDO).|
|Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.|
|Legacy|Used for GPRS + GSM + EDGE + UMTS connections.|
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi|
|Iwlan|Used for connections that are implemented over WiFi offload only|
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi.|
|Iwlan|Used for connections that are implemented over WiFi offload only.|
<a href="" id="desc-langid"></a>**Desc.langid**
Optional. Specifies the UI display string used by the defined language ID.
A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as <code>Desc.0409</code> with a value of <code>"GPRS Connection"</code> will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no <strong>Desc</strong> parameter is provisioned for a given language, the system will default to the name used to create the entry.
A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
<a href="" id="enabled"></a>**Enabled**
Specifies if the connection is enabled.
@ -131,7 +141,7 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which
- 5 - Roaming only.
<a href="" id="oemconnectionid"></a>**OEMConnectionID**
Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<a href="" id="apnid"></a>**ApnId**
Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices.
@ -174,7 +184,7 @@ Optional. Type: Int. Specifies how long an on-demand connection can be unused be
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
<a href="" id="simiccid"></a>**SimIccId**
For single SIM phones, this parm isOptional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
For single SIM phones, this parm is Optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
<a href="" id="purposegroups"></a>**PurposeGroups**
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
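Review bot: "this parm is Optional" capitalizes "optional" mid-sentence, and "parm" is an abbreviation the rest of the page doesn't use; suggest "For single SIM phones, this parameter is optional." and "For dual SIM phones, this parameter is required." "when creating future updates" is also unclear about what is being updated.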
@ -271,17 +281,7 @@ The following table shows the Microsoft custom elements that this configuration
|Characteristic-query|Yes|
|Parm-query|Yes|
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,13 +14,21 @@ ms.date: 06/26/2017
# CMPolicy CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
@ -134,7 +142,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@ -180,7 +187,9 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
Adding a host-based mapping policy:
In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
<wap-provisioningdoc>
@ -364,7 +373,6 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
|Element|Available|
|--- |--- |
|parm-query|Yes|
@ -373,7 +381,6 @@ Adding a host-based mapping policy:
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -438,18 +438,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
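Review bot: the EnterpriseAppManagement CSP entry is removed from the reference index (its row was all "No"), and the same CSP is dropped from the HoloLens list further down in this patch, but nothing visible shows enterpriseappmanagement-csp.md itself being deleted or its remaining cross-references being updated. If the page still exists it becomes orphaned; if it is deleted, remaining links to it need checking. Either way the rationale belongs in the commit message.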
@ -544,18 +532,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Messaging CSP](messaging-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[MultiSIM CSP](multisim-csp.md)
@ -748,18 +724,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[RemoteRing CSP](remotering-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[RemoteWipe CSP](remotewipe-csp.md)
@ -856,18 +820,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[SurfaceHub](surfacehub-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
||||||
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[TenantLockdown CSP](tenantlockdown-csp.md)
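Review bot: the SurfaceHub CSP row being removed had empty cells rather than "No", which signals "not applicable to these desktop editions" rather than "unsupported"; the other removals in this patch had rows that were all "No". The W4 Application and w7 Application rows removed below have the same empty cells. Removing a CSP from the reference index because it doesn't apply to desktop SKUs drops it from the only index readers use; consider keeping these entries with a note on the device class they apply to, or state in the commit why they are removed.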
@ -952,18 +904,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[W4 Application CSP](w4-application-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
||||||
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[WiFi CSP](wifi-csp.md)
@ -1019,7 +959,7 @@ Additional lists:
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|Yes|Yes|Yes|Yes|
|No|No|No|Yes|Yes|
<!--EndSKU-->
<!--EndCSP-->
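Review bot: this applicability row is narrowed from "No|Yes|Yes|Yes|Yes" to "No|No|No|Yes|Yes" (Enterprise and Education only), but the hunk doesn't show which CSP the row belongs to (it follows the WiFi CSP entry) and nothing in the patch explains the change. Admins use these tables to decide whether a policy will apply on Pro devices, so the CSP name and the source for the narrower support should be in the commit message, and the CSP's own page should say the same.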
@ -1049,18 +989,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[w7 Application CSP](w7-application-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
||||||
<!--EndSKU-->
<!--EndCSP-->
<hr/>
<!--EndCSPs-->
@ -1078,7 +1006,6 @@ You can download the DDF files for various CSPs from the links below:
## <a href="" id="hololens"></a>CSPs supported in HoloLens devices
The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
@ -1163,7 +1090,6 @@ The following list shows the CSPs supported in HoloLens devices:
- [DiagnosticLog CSP](diagnosticlog-csp.md)
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md)
- [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [Policy CSP](policy-configuration-service-provider.md)

View File

@ -11,14 +11,23 @@ ms.date: 05/21/2019
# EnrollmentStatusTracking CSP
During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device usage until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar, to configure ESP for blocking the device usage until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status).
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status).
ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. For more information, see [DMClient CSP](dmclient-csp.md).
The EnrollmentStatusTracking CSP was added in Windows 10, version 1903.
The following example shows the EnrollmentStatusTracking CSP in tree format.
The following shows the EnrollmentStatusTracking CSP in tree format.
```
./User/Vendor/MSFT
EnrollmentStatusTracking
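Review bot: dropping the comma in "such as SideCar to configure ESP" changes the parse (it now reads as if SideCar is what configures ESP rather than one example of an agent); keep "such as SideCar, to configure ESP". "The following shows the EnrollmentStatusTracking CSP in tree format" also drops "example", while the other CSP pages touched in this patch keep "The following example shows"; keep the wording consistent. Separately, "block the device use" reads less naturally than the original "block the device usage" (or "block use of the device").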
@ -59,6 +68,7 @@ EnrollmentStatusTracking
------------------------RebootRequired
--------HasProvisioningCompleted
```
<a href="" id="vendor-msft"></a>**./Vendor/MSFT**
For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path.
@ -93,10 +103,11 @@ Communicates the policy provider installation state back to ESP.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1 — NotInstalled
- 2 — NotRequired
- 3 — Completed
- 4 — Error
- 1—NotInstalled
- 2—NotRequired
- 3—Completed
- 4—Error
<a href="" id="enrollmentstatustracking-devicepreparation-policyproviders-providername-lasterror"></a>**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/LastError**
Required. This node is supported only in device context.
@ -127,8 +138,9 @@ This node specifies if the policy provider is registered for app provisioning.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. Expected values are as follows:
- false — Indicates that the policy provider is not registered for app provisioning. This is the default.
- true — Indicates that the policy provider is registered for app provisioning.
- false—Indicates that the policy provider isn't registered for app provisioning. This is the default.
- true—Indicates that the policy provider is registered for app provisioning.
<a href="" id="enrollmentstatustracking-setup"></a>**EnrollmentStatusTracking/Setup**
Required. This node is supported in both user context and device context.
@ -150,7 +162,7 @@ Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-setup-apps-policyproviders-providername"></a>**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName***
Optional. This node is supported in both user context and device context.
Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true.
Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it shouldn't show the tracking status message until the TrackingPoliciesCreated node has been set to true.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@ -161,8 +173,9 @@ Indicates if the provider has created the required policies for the ESP to use f
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. The expected values are as follows:
- true — Indicates that the provider has created the required policies.
- false — Indicates that the provider has not created the required policies. This is the default.
- true—Indicates that the provider has created the required policies.
- false—Indicates that the provider hasn't created the required policies. This is the default.
<a href="" id="enrollmentstatustracking-setup-apps-tracking"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking**
Required. This node is supported in both user context and device context.
@ -178,7 +191,7 @@ Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="enrollmentstatustracking-setup-apps-tracking-providername-appname"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_**
Optional. This node is supported in both user context and device context.
Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP does not use the app name directly.
Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP doesn't use the app name directly.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@ -189,21 +202,23 @@ Represents the installation state for the app. The policy providers (not the MDM
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1 — NotInstalled
- 2 — InProgress
- 3 — Completed
- 4 — Error
- 1—NotInstalled
- 2—InProgress
- 3—Completed
- 4—Error
<a href="" id="enrollmentstatustracking-setup-apps-tracking-providername-appname-rebootrequired"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired**
Optional. This node is supported in both user context and device context.
Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers do not set this node, the ESP will not reboot the device for the app installation.
Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers don't set this node, the ESP won't reboot the device for the app installation.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1 — NotRequired
- 2 — SoftReboot
- 3 — HardReboot
- 1—NotRequired
- 2—SoftReboot
- 3—HardReboot
<a href="" id="enrollmentstatustracking-setup-hasprovisioningcompleted"></a>**EnrollmentStatusTracking/Setup/HasProvisioningCompleted**
Required. This node is supported in both user context and device context.
@ -212,5 +227,10 @@ ESP sets this node when it completes. Providers can query this node to determine
Scope is permanent. Supported operation is Get.
Value type is boolean. Expected values are as follows:
- true — Indicates that ESP has completed. This is the default.
- false — Indicates that ESP is displayed, and provisioning is still going.
- true—Indicates that ESP has completed. This is the default.
- false—Indicates that ESP is displayed, and provisioning is still going.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,6 +1,6 @@
---
title: EnterpriseAPN CSP
description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
description: Learn how the EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2
ms.reviewer:
manager: dansimp
@ -14,10 +14,17 @@ ms.date: 09/22/2017
# EnterpriseAPN CSP
The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet.
The table below shows the applicability of Windows:
> [!Note]
> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet.
The following example shows the EnterpriseAPN configuration service provider in tree format.
```
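Review bot: the removed note carried the version floor (Windows 10, version 1703) at which the EnterpriseAPN CSP became available on Home, Pro, Enterprise, and Education, and the new applicability table records only Yes/No per edition, so that version information is lost; the table also adds a Business row that the removed note did not list. Suggest keeping the version sentence (it fits in the description paragraph that is moved below the table) and confirming the Business entry against the CSP's actual applicability. Placing the moved description sentence after the table also means the page now opens with a table before saying what the CSP is; the original order read better.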
@ -39,111 +46,112 @@ EnterpriseAPN
--------HideView
```
<a href="" id="enterpriseapn"></a>**EnterpriseAPN**
<p>The root node for the EnterpriseAPN configuration service provider.</p>
The root node for the EnterpriseAPN configuration service provider.
<a href="" id="enterpriseapn-connectionname"></a>**EnterpriseAPN/**<strong>*ConnectionName*</strong>
<p>Name of the connection as seen by Windows Connection Manager.</p>
Name of the connection as seen by Windows Connection Manager.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-apnname"></a>**EnterpriseAPN/*ConnectionName*/APNName**
<p>Enterprise APN name.</p>
Enterprise APN name.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-iptype"></a>**EnterpriseAPN/*ConnectionName*/IPType**
<p>This value can be one of the following values:</p>
This value can be one of the following:
- IPv4 - only IPV4 connection type
- IPv6 - only IPv6 connection type
- IPv4v6 (default)- IPv4 and IPv6 concurrently.
- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat
- IPv4 - only IPV4 connection type.
- IPv6 - only IPv6 connection type.
- IPv4v6 (default)- IPv4 and IPv6 concurrently.
- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-isattachapn"></a>**EnterpriseAPN/*ConnectionName*/IsAttachAPN**
<p>Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.</p>
Boolean value that indicates whether this APN should be requested as part of an LTE Attach.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Default value is false.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-classid"></a>**EnterpriseAPN/*ConnectionName*/ClassId**
<p>GUID that defines the APN class to the modem. This GUID is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.</p>
GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-authtype"></a>**EnterpriseAPN/*ConnectionName*/AuthType**
<p>Authentication type. This value can be one of the following values:</p>
Authentication type. This value can be one of the following:
- None (default)
- Auto
- PAP
- CHAP
- MSCHAPv2
- None (default)
- Auto
- PAP
- CHAP
- MSCHAPv2
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-username"></a>**EnterpriseAPN/*ConnectionName*/UserName**
<p>User name for use with PAP, CHAP, or MSCHAPv2 authentication.</p>
User name for use with PAP, CHAP, or MSCHAPv2 authentication.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-password"></a>**EnterpriseAPN/*ConnectionName*/Password**
<p>Password corresponding to the username.</p>
Password corresponding to the username.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-iccid"></a>**EnterpriseAPN/*ConnectionName*/IccId**
<p>Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.</p>
Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-alwayson"></a>**EnterpriseAPN/*ConnectionName*/AlwaysOn**
<p>Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.</p>
Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
<p>The default value is true.</p>
The default value is true.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-enabled"></a>**EnterpriseAPN/*ConnectionName*/Enabled**
<p>Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.</p>
Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
<p>The default value is true.</p>
The default value is true.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-roaming"></a>**EnterpriseAPN/*ConnectionName*/Roaming**
<p>Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:</p>
Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values are:
<ul>
<li>0 - Disallowed</li>
<li>1 - Allowed</li>
<li>2 - DomesticRoaming</li>
<li>3 - UseOnlyForDomesticRoaming</li>
<li>4 - UseOnlyForNonDomesticRoaming</li>
<li>5 - UseOnlyForRoaming</li>
</ul>
- 0 - Disallowed
- 1 - Allowed
- 2 - DomesticRoaming
- 3 - UseOnlyForDomesticRoaming
- 4 - UseOnlyForNonDomesticRoaming
- 5 - UseOnlyForRoaming
<p>Default is 1 (all roaming allowed).</p>
Default is 1 (all roaming allowed).
<p>Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-settings"></a>**EnterpriseAPN/Settings**
<p>Added in Windows 10, version 1607. Node that contains global settings.</p>
Added in Windows 10, version 1607. Node that contains global settings.
<a href="" id="enterpriseapn-settings-allowusercontrol"></a>**EnterpriseAPN/Settings/AllowUserControl**
<p>Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.</p>
Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
<p>The default value is false.</p>
The default value is false.
<p>Supported operations are Get and Replace.</p>
Supported operations are Get and Replace.
<a href="" id="enterpriseapn-settings-hideview"></a>**EnterpriseAPN/Settings/HideView**
<p>Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.</p>
Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
<p>The default value is false.</p>
The default value is false.
<p>Supported operations are Get and Replace.</p>
Supported operations are Get and Replace.
## Examples
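Review bot: while these paragraphs were converted from `<p>` to markdown, two small defects in the IPType list were carried over unchanged: "IPv4v6 (default)- IPv4 and IPv6 concurrently." lacks a space before the hyphen, and "only IPV4 connection type" capitalises IPv4 differently from the neighbouring items. Suggest `- IPv4v6 (default) - IPv4 and IPv6 concurrently.` and `- IPv4 - only IPv4 connection type.` In the Roaming node the rewritten text keeps "Value type is string" next to the numeric values 0 to 5; worth confirming against the CSP schema, since a reader could reasonably send an integer.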
@ -290,15 +298,4 @@ atomicZ
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

@ -1,534 +0,0 @@
---
title: EnterpriseAppManagement CSP
description: Handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP).
ms.assetid: 698b8bf4-652e-474b-97e4-381031357623
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# EnterpriseAppManagement CSP
The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment.
> [!NOTE]
> The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core.
The following example shows the EnterpriseAppManagement configuration service provider in tree format.
```console
./Vendor/MSFT
EnterpriseAppManagement
----EnterpriseID
--------EnrollmentToken
--------StoreProductID
--------StoreUri
--------CertificateSearchCriteria
--------Status
--------CRLCheck
--------EnterpriseApps
------------Inventory
----------------ProductID
--------------------Version
--------------------Title
--------------------Publisher
--------------------InstallDate
------------Download
----------------ProductID
--------------------Version
--------------------Name
--------------------URL
--------------------Status
--------------------LastError
--------------------LastErrorDesc
--------------------DownloadInstall
```
<a href="" id="enterpriseid"></a>***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications.
Supported operations are Add, Delete, and Get.
<a href="" id="enterpriseid-enrollmenttoken"></a>***EnterpriseID*/EnrollmentToken**
Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="enterpriseid-storeproductid"></a>***EnterpriseID*/StoreProductID**
Required. The node to host the ProductId node. Scope is dynamic.
Supported operation is Get.
<a href="" id="-storeproductid-productid"></a>**/StoreProductID/ProductId**
The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic.
Supported operations are Get and Add.
<a href="" id="enterpriseid-storeuri"></a>***EnterpriseID*/StoreUri**
Optional. The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic.
Supported operations are Get and Add.
<a href="" id="enterpriseid-certificatesearchcriteria"></a>***EnterpriseID*/CertificateSearchCriteria**
Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea) function. This search parameter is case sensitive. Scope is dynamic.
Supported operations are Get and Add.
> [!NOTE]
> Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00
<a href="" id="enterpriseid-status"></a>***EnterpriseID*/Status**
Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic.
Supported operation is Get.
<a href="" id="enterpriseid-crlcheck"></a>***EnterpriseID*/CRLCheck**
Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="enterpriseid-enterpriseapps"></a>***EnterpriseID*/EnterpriseApps**
Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
Supported operation is Get.
<a href="" id="-enterpriseapps-inventory"></a>**/EnterpriseApps/Inventory**
Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
Supported operation is Get.
<a href="" id="-inventory-productid"></a>**/Inventory/**<strong>*ProductID*</strong>
Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-version"></a>**/Inventory/*ProductID*/Version**
Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-title"></a>**/Inventory/*ProductID*/Title**
Required. The character string that contains the name of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-publisher"></a>**/Inventory/*ProductID*/Publisher**
Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-installdate"></a>**/Inventory/*ProductID*/InstallDate**
Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic.
Supported operation is Get.
<a href="" id="-enterpriseapps-download"></a>**/EnterpriseApps/Download**
Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid"></a>**/Download/**<strong>*ProductID*</strong>
Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-version"></a>**/Download/*ProductID*/Version**
Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-name"></a>**/Download/*ProductID*/Name**
Required. The character string that contains the name of the installed application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid-url"></a>**/Download/*ProductID*/URL**
Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-status"></a>**/Download/*ProductID*/Status**
Required. The integer value that indicates the status of the current download process. The following table shows the possible values.
|Value|Description|
|--- |--- |
|0: CONFIRM|Waiting for confirmation from user.|
|1: QUEUED|Waiting for download to start.|
|2: DOWNLOADING|In the process of downloading.|
|3: DOWNLOADED|Waiting for installation to start.|
|4: INSTALLING|Handed off for installation.|
|5: INSTALLED|Successfully installed|
|6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)|
|7:DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.|
Scope is dynamic. Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-lasterror"></a>**/Download/*ProductID*/LastError**
Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid-lasterrordesc"></a>**/Download/*ProductID*/LastErrorDesc**
Required. The character string that contains the human readable description of the last error code.
<a href="" id="-download-productid-downloadinstall"></a>**/Download/*ProductID*/DownloadInstall**
Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic.
Supported operation is Exec.
## Remarks
### Install and Update Line of Business (LOB) applications
A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section.
### Uninstall Line of Business (LOB) applications
A workplace can also remotely uninstall Line of Business applications on the device. It's not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section.
### Query installed Store application
You can determine if a Store application is installed on a system. First, you need the Store application GUID. You can get the Store application GUID by going to the URL for the Store application.
The Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e.
Use the following SyncML format to query to see if the application is installed on a managed device:
```xml
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D</LocURI>
</Target>
</Item>
</Get>
```
Response from the device (it contains list of subnodes if this app is installed in the device).
```xml
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
<Data>Version/Title/Publisher/InstallDate</Data>
</Item>
</Results>
```
### Node Values
All node values under the ProviderID interior node represent the policy values that the management server wants to set.
- An Add or Replace command on those nodes returns success in both of the following cases:
- The value is applied to the device.
- The value isnt applied to the device because the device has a more secure value set already.
From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
- A Get command on those nodes returns the value that the server pushes down to the device.
- If a Replace command fails, the node value is set to be the previous value before Replace command was applied.
- If an Add command fails, the node isn't created.
The value applied to the device can be queried via the nodes under the DeviceValue interior node.
## OMA DM examples
Enroll enterprise ID “4000000001” for the first time:
```xml
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>InsertTokenHere</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/CertificateSearchCriteria
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SearchCriteriaInsertedHere</Data>
</Item>
</Add>
```
Update the enrollment token (for example, to update an expired application enrollment token):
```xml
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>InsertUpdaedTokenHere</Data>
</Item>
</Replace>
```
Query all installed applications that belong to enterprise ID “4000000001”:
```xml
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory?list=StructData
</LocURI>
</Target>
</Item>
</Get>
```
Response from the device (that contains two installed applications):
```xml
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version
</LocURI>
</Source>
<Data>1.0.0.0</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title
</LocURI>
</Source>
<Data>Sample1</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher
</LocURI>
</Source>
<Data>ExamplePublisher</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate
</LocURI>
</Source>
<Data>2012-10-30T21:09:52Z</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version
</LocURI>
</Source>
<Data>1.0.0.0</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title
</LocURI>
</Source>
<Data>Sample2</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher
</LocURI>
</Source>
<Data>Contoso</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate
</LocURI>
</Source>
<Data>2012-10-31T21:23:31Z</Data>
</Item>
</Results>
```
## Install and update an enterprise application
Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”.
To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application doesn't exist, the application will be silently installed without any user interaction. If the application can't be installed, the user will be notified with an Alert dialog.
> [!NOTE]
> - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation).
>
> - The application product ID curly braces need to be escaped where { is %7B and } is %7D.
```xml
<Atomic>
<CmdID>2</CmdID>
<!-- The Add command can be used if the download node does not have a matching product ID
node in it or if the application was installer 7 or more days old. Otherwise, use the Replace command. -->
<Add>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Name
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>ContosoApp1</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/URL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>http://contoso.com/enterpriseapps/ContosoApp1.xap</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Version</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>2.0.0.0</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall
</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Exec>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Exec>
</Atomic>
```
## Uninstall enterprise application
Uninstall an installed enterprise application with product ID “{7BB316008A-141D-4A79-810F-8B764C4CFDFB }”:
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
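Review bot: this hunk deletes the entire EnterpriseAppManagement CSP page (534 lines), but nothing in the commit adds a redirect or removes the page from the CSP reference index that the page's own Related topics link points at, so existing links to it will dangle. Worth recording what goes away with it: the CertificateSearchCriteria guidance that the server must not use the default device-provided Subject value in the returned client certificate, and the SyncML examples for querying inventory, updating a LOB application, and uninstalling one. If the page is retired because the CSP is limited to Windows 10 IoT Core (per its own note), suggest adding a redirect to configuration-service-provider-reference.md and stating the retirement in the commit message.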

@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement CSP
description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions).
ms.author: dansimp
ms.topic: article
ms.prod: w10
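Review bot: in the new description the parenthetical "(Enterprise and Education editions)." follows a full stop and stands as a sentence fragment. Suggest "manage virtual applications in Windows 10 or Windows 11 PCs (Enterprise and Education editions)." to match the sentence form used in the page body.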
@ -13,7 +13,17 @@ manager: dansimp
# EnterpriseAppVManagement CSP
The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 or Windows 11 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
```
@ -45,68 +55,98 @@ EnterpriseAppVManagement
------------Policy
```
**./Vendor/MSFT/EnterpriseAppVManagement**
<p>Root node for the EnterpriseAppVManagement configuration service provider.</p>
Root node for the EnterpriseAppVManagement configuration service provider.
**AppVPackageManagement**
<p>Used to query App-V package information (post-publish).</p>
Used to query App-V package information (post-publish).
**AppVPackageManagement/EnterpriseID**
<p>Used to query package information. Value is always &quot;HostedInstall&quot;.</p>
Used to query package information. Value is always &quot;HostedInstall&quot;.
**AppVPackageManagement/EnterpriseID/PackageFamilyName**
<p>Package ID of the published App-V package.</p>
Package ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName***
<p>Version ID of the published App-V package.</p>
Version ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name**
<p>Name specified in the published AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Name specified in the published AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version**
<p>Version specified in the published AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Version specified in the published AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher**
<p>Publisher as specified in the published asset information of the AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Publisher as specified in the published asset information of the AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation**
<p>Local package path specified in the published asset information of the AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Local package path specified in the published asset information of the AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate**
<p>Date the app was installed, as specified in the published asset information of the AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Date the app was installed, as specified in the published asset information of the AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users**
<p>Registered users for app, as specified in the published asset information of the AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Registered users for app, as specified in the published asset information of the AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId**
<p> Package ID of the published App-V package.</p>
<p>Value type is string. Supported operation is Get.</p>
Package ID of the published App-V package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId**
<p>Version ID of the published App-V package.</p>
<p>Value type is string. Supported operation is Get.</p>
Version ID of the published App-V package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri**
<p>Package URI of the published App-V package.</p>
<p>Value type is string. Supported operation is Get.</p>
Package URI of the published App-V package.
Value type is string.
Supported operation is Get.
**AppVPublishing**
<p>Used to monitor publishing operations on App-V.</p>
Used to monitor publishing operations on App-V.
**AppVPublishing/LastSync**
<p>Used to monitor publishing status of last sync operation.</p>
Used to monitor publishing status of last sync operation.
**AppVPublishing/LastSync/LastError**
<p>Error code and error description of last sync operation.</p>
<p>Value type is string. Supported operation is Get.</p>
Error code and error description of last sync operation.
Value type is string.
Supported operation is Get.
**AppVPublishing/LastSync/LastErrorDescription**
<p>Last sync error status. One of the following values may be returned:</p>
Last sync error status. One of the following values may be returned:
- SYNC\_ERR_NONE (0) - No errors during publish.
- SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish.
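Review bot: the heading `**AppVPackageManagement/EnterpriseID/PackageFamilyName**` near the top of this hunk leaves the placeholder segments un-italicized, while every heading that follows writes them as `*EnterpriseID*/*PackageFamilyName*/*PackageFullName*`; since the hunk is already reflowing these headings, italicize the placeholders here as well. Separately, the text under the PackageFamilyName interior node ("Package ID of the published App-V package.") and under the PackageFullName interior node ("Version ID of the published App-V package.") is identical to the descriptions of the AppVPackageId and AppVVersionId leaf nodes further down the same hunk; interior nodes elsewhere in this PR are described as "Interior node used to ..." followed by what the key represents, so worth confirming these two weren't copy-pasted before the wording is restyled.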
@ -116,10 +156,12 @@ EnterpriseAppVManagement
- SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish.
- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish.
<p>Value type is string. Supported operation is Get.</p>
Value type is string.
Supported operation is Get.
**AppVPublishing/LastSync/SyncStatusDescription**
<p>Latest sync in-progress stage. One of the following values may be returned:</p>
Latest sync in-progress stage. One of the following values may be returned:
- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle.
- SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress.
@ -127,9 +169,12 @@ EnterpriseAppVManagement
- SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress.
- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.
<p>Value type is string. Supported operation is Get.</p>
Value type is string.
<strong>AppVPublishing/LastSync/SyncProgress</strong><br/><p>Latest sync state. One of the following values may be returned:</p>
Supported operation is Get.
**AppVPublishing/LastSync/SyncProgress**
Latest sync state. One of the following values may be returned:
- SYNC\_STATUS_IDLE (0) - App-V Sync is idle.
- SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing.
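Review bot: `SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4)` in the context line at the end of the SyncStatusDescription list has the escaping backslash in the wrong place; it should read `SYNC\_PROGRESS\_UNPUBLISH_PACKAGES` to match the neighbouring items. While touching these lists, note that SyncStatusDescription enumerates `SYNC_PROGRESS_*` values and SyncProgress (the node converted from `<strong>` to `**...**` in this hunk) enumerates `SYNC_STATUS_*` values; the node names and value prefixes look swapped relative to each other, so please confirm against the CSP's DDF which list belongs to which node before this formatting change lands.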
@ -137,22 +182,30 @@ EnterpriseAppVManagement
- SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete.
- SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot.
<p>Value type is string. Supported operation is Get.</p>
Value type is string.
Supported operation is Get.
**AppVPublishing/Sync**
<p>Used to perform App-V synchronization.</p>
Used to perform App-V synchronization.
**AppVPublishing/Sync/PublishXML**
<p>Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see <a href="/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8" data-raw-source="[[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8)">[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol</a>.</p>
<p>Supported operations are Get, Delete, and Execute.</p>
Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol,, see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8).
Supported operations are Get, Delete, and Execute.
**AppVDynamicPolicy**
<p>Used to set App-V Policy Configuration documents for publishing packages.</p>
Used to set App-V Policy Configuration documents for publishing packages.
**AppVDynamicPolicy/*ConfigurationId***
<p>ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).</p>
ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
**AppVDynamicPolicy/*ConfigurationId*/Policy**
<p>XML for App-V Policy Configuration documents for publishing packages.</p>
<p>Value type is xml. Supported operations are Add, Get, Delete, and Replace.</p>
XML for App-V Policy Configuration documents for publishing packages.
Value type is xml.
Supported operations are Add, Get, Delete, and Replace.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
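Review bot: the rewritten PublishXML sentence introduces a double comma ("For more information about the protocol,, see [[MS-VAPR] ..."); drop one comma. The rest of the hunk (HTML anchor to Markdown link, `<p>` removal, splitting "Value type" and "Supported operations" onto their own lines) is consistent with the earlier hunks.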

View File

@ -1,6 +1,6 @@
---
title: EnterpriseDataProtection CSP
description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
ms.reviewer:
manager: dansimp
@ -14,20 +14,27 @@ ms.date: 08/09/2017
# EnterpriseDataProtection CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
> [!Note]
> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
> - This CSP was added in Windows 10, version 1607.
While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
To learn more about WIP, see the following articles:
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
The following example shows the EnterpriseDataProtection CSP in tree format.
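Review bot: the `> [!Note]` block in this hunk mixes a prose sentence with a single trailing bullet ("> - This CSP was added in Windows 10, version 1607."), which renders as an orphaned one-item list inside the callout. Other nodes on this page state availability inline as "Added in Windows 10, version 1703." at the start of the description; move the version sentence into the intro paragraph in that form and leave the note for the AppLocker/NetworkIsolation dependency only. The new applicability table and the de-indented link list otherwise match the pattern used for the other CSP pages in this PR.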
@ -53,19 +60,22 @@ The root node for the CSP.
The root node for the Windows Information Protection (WIP) configuration settings.
<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
Set the WIP enforcement level. Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
Set the WIP enforcement level.
> [!Note]
> Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
The following list shows the supported values:
- 0 (default) Off / No protection (decrypts previously protected data).
- 1 Silent mode (encrypt and audit only).
- 2 Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 Hides overrides (encrypt, prompt but hide overrides, and audit).
- 0 (default) Off / No protection (decrypts previously protected data).
- 1 Silent mode (encrypt and audit only).
- 2 Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 Hides overrides (encrypt, prompt but hide overrides, and audit).
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
A list of domains used by the enterprise for its user identities separated by pipes (&quot;|&quot;).The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
A list of domains used by the enterprise for its user identities separated by pipes (&quot;|&quot;). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
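Review bot: the EnterpriseProtectedDomainNames paragraph is already being edited here (the missing space after "(\"|\")." is fixed), so also fix the subject/verb agreement in the same sentence: "User identities from one of these domains is considered an enterprise managed account" should read "User identities from one of these domains are considered enterprise managed accounts" (or "A user identity from one of these domains is considered an enterprise managed account").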
@ -75,9 +85,9 @@ Changing the primary enterprise ID isn't supported and may cause unexpected beha
Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0).
1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0).
Supported operations are Add, Get, Replace, and Delete. Value type is string.
@ -89,8 +99,8 @@ Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the us
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
@ -235,16 +245,16 @@ This policy controls whether to revoke the WIP keys when a device unenrolls from
The following list shows the supported values:
- 0 Don't revoke keys.
- 1 (default) Revoke keys.
- 0 Don't revoke keys.
- 1 (default) Revoke keys.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
- 1 (default) - Revoke keys
- 0 - Don't revoke keys.
- 1 (default) - Revoke keys.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
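Review bot: the two value lists in this hunk end up with different separators after the edit: RevokeOnUnenroll uses "- 0 Don't revoke keys." while RevokeOnMDMHandoff, immediately below, uses "- 0 - Don't revoke keys." Pick one form (the "value - description." style is what the later hunks on this page use) and apply it to both lists.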
@ -256,13 +266,13 @@ Supported operations are Add, Get, Replace, and Delete. Value type is string (GU
<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
Specifies whether to allow Azure RMS encryption for WIP.
- 0 (default) Don't use RMS.
- 1 Use RMS.
- 0 (default) Don't use RMS.
- 1 Use RMS.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions**
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for <a href="policy-configuration-service-provider.md#networkisolation-enterpriseiprange" data-raw-source="[NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange)">NetworkIsolation/EnterpriseIPRange</a> and <a href="policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames" data-raw-source="[NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames)">NetworkIsolation/EnterpriseNetworkDomainNames</a>. Use semicolon (;) delimiter in the list.
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list.
When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
Supported operations are Add, Get, Replace and Delete. Value type is string.
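Review bot: the SMBAutoEncryptedFileExtensions footer reads "Supported operations are Add, Get, Replace and Delete." while the AllowAzureRMSForEDP footer two lines above (and the rest of the page) uses "Add, Get, Replace, and Delete."; add the serial comma for consistency. The HTML-anchor-to-Markdown-link conversion in this hunk preserves the two `#networkisolation-...` fragments correctly.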
@ -270,8 +280,8 @@ Supported operations are Add, Get, Replace and Delete. Value type is string.
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
The following list shows the supported values:
- 0 (default) - No WIP overlays on icons or tiles.
- 1 - Show WIP overlays on protected files and apps that can only create enterprise content.
- 0 (default) - No WIP overlays on icons or tiles.
- 1 - Show WIP overlays on protected files and apps that can only create enterprise content.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
@ -284,25 +294,26 @@ Suggested values:
|--- |--- |--- |--- |--- |
|4|3|2|1|0|
Bit 0 indicates whether WIP is on or off.
Bit 1 indicates whether AppLocker WIP policies are set.
Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
Here&#39;s the list of mandatory WIP policies:
Here's the list of mandatory WIP policies:
- EDPEnforcementLevel in EnterpriseDataProtection CSP
- DataRecoveryCertificate in EnterpriseDataProtection CSP
- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP
- NetworkIsolation/EnterpriseIPRange in Policy CSP
- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP
- EDPEnforcementLevel in EnterpriseDataProtection CSP
- DataRecoveryCertificate in EnterpriseDataProtection CSP
- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP
- NetworkIsolation/EnterpriseIPRange in Policy CSP
- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP
Bits 2 and 4 are reserved for future use.
Supported operation is Get. Value type is integer.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,6 +1,6 @@
---
title: EnterpriseDesktopAppManagement CSP
description: The EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
ms.reviewer:
manager: dansimp
@ -14,6 +14,15 @@ ms.date: 07/11/2017
# EnterpriseDesktopAppManagement CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications.
@ -96,8 +105,6 @@ Status of the application. Value type is string. Supported operation is Get.
| Enforcement Failed | 60 |
| Enforcement Completed | 70 |
<a href="" id="msi-productid-lasterror"></a>**MSI/*ProductID*/LastError**
The last error code during the application installation process. This error code is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this error could be the result of executing MSIExec.exe or the error result from an API that failed.
@ -116,10 +123,8 @@ Added in the March service release of Windows 10, version 1607. A gateway (or de
Value type is string. Supported operation is Get.
## Examples
**SyncML to request CSP version information**
```xml
@ -146,9 +151,7 @@ The following table describes the fields in the previous sample:
| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor. |
**SyncML to perform MSI operations for application uninstall**
**SyncML to perform MSI operations for application uninstall:**
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
@ -202,8 +205,6 @@ The following table describes the fields in the previous sample:
| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**
```xml
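Review bot: the bold line "**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**" is left unchanged here, while the sibling sample headings in the previous and next hunks gain a trailing colon. For consistency, give this heading the same colon treatment and move the second sentence ("The Add command is required to precede the Exec command.") out of the bold heading into a plain sentence or a note above the sample.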
@ -268,9 +269,7 @@ The following table describes the fields in the previous sample:
> [!Note]
> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation)**
**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation):**
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
@ -339,8 +338,6 @@ The following table MsiInstallJob describes the schema elements.
|RetryCount|The number of times the download and installation operation will be retried before the installation will be marked as failed.|
|RetryInterval|Amount of time, in minutes between retry operations.|
Here's an example of a common response to a request
```xml
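Review bot: "Here's an example of a common response to a request" has no terminal punctuation, while the sample headings corrected earlier in this file now end with a colon; add the colon here as well so all sample lead-ins read the same way.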
@ -369,7 +366,6 @@ Here's an example of a common response to a request
## How to determine which installation context to use for an MSI package
The following tables show how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client.
For Intune standalone environment, the MSI package will determine the MSI execution context.
@ -388,22 +384,20 @@ The following table applies to SCCM hybrid environment.
## How to determine the package type from the MSI package
- ALLUSERS="" - per-user package type
- ALLUSERS=1 - per-machine package type
- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type
- ALLUSERS="" - per-user package type
- ALLUSERS=1 - per-machine package type
- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type
Properties can be specified in the package, passed through the command line, modified by a transform, or (more commonly) selected through a user interface dialog.
Here's a list of references:
- [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10))
- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D)
- [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10))
- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D)
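Review bot: the reference list is only de-indented in this hunk, but the second entry points at `https://blogs.msdn.com/b/windows_installer_team/...`; MSDN blogs were migrated off that host, so please check that the link still resolves and update it to the current location if it redirects or fails. The third entry (the OMA SyncML Representation Protocol draft) is the only reference without a link; if a stable URL exists it should get one for parity with the other two.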
## Alert example
```xml
<Alert>
<CmdID>4</CmdID>
@ -421,3 +415,6 @@ Here's a list of references:
</Item>
</Alert>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,6 +14,16 @@ ms.date: 11/19/2021
# EnterpriseModernAppManagement CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
> [!Note]
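Review bot: the context line under the new applicability table contains a typo, "For details about how to use this CSP to for reporting apps inventory"; drop either "to" or "for" (and "apps inventory" reads better as "app inventory"). Since the hunk already rewrites this region, fix it here.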
@ -65,6 +75,7 @@ EnterpriseModernAppManagement
----------------AddLicense
----------------GetLicenseFromStore
```
<a href="" id="device-or-user-context"></a>**Device or User context**
For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.
@ -212,16 +223,19 @@ Added in Windows 10, version 1809. Interior node for the managing updates throug
<a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it's for a set of apps, it's the PackageFamilyName of the main app.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-channelid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId**
Added in Windows 10, version 1809. Specifies the app channel ID.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-releasemanagementid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId**
Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease**
Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used.
@ -229,12 +243,16 @@ Added in Windows 10, version 1809. Interior node used to specify the effective a
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease-channelid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId**
Added in Windows 10, version 1809. Returns the last user channel ID on the device.
Value type is string. Supported operation is Get.
Value type is string.
Supported operation is Get.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease-releasemanagementid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId**
Added in Windows 10, version 1809. Returns the last user release ID on the device.
Value type is string. Supported operation is Get.
Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname"></a>**.../**<strong>*PackageFamilyName*</strong>
Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
@ -244,7 +262,6 @@ Supported operations are Get and Delete.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
Here's an example for uninstalling an app:
```xml
@ -274,22 +291,30 @@ Supported operations are Get and Delete.
<a href="" id="----packagefamilyname-packagefullname-name"></a>**.../*PackageFamilyName*/*PackageFullName*/Name**
Required. Name of the app. Value type is string.
Required. Name of the app.
Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-version"></a>**.../*PackageFamilyName*/*PackageFullName*/Version**
Required. Version of the app. Value type is string.
Required. Version of the app.
Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-publisher"></a>**.../*PackageFamilyName*/*PackageFullName*/Publisher**
Required. Publisher name of the app. Value type is string.
Required. Publisher name of the app.
Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-architecture"></a>**.../*PackageFamilyName*/*PackageFullName*/Architecture**
Required. Architecture of installed package. Value type is string.
Required. Architecture of installed package.
Value type is string.
> [!Note]
> Not applicable to XAP files.
@ -297,7 +322,9 @@ Required. Architecture of installed package. Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-installlocation"></a>**.../*PackageFamilyName*/*PackageFullName*/InstallLocation**
Required. Install location of the app on the device. Value type is string.
Required. Install location of the app on the device.
Value type is string.
> [!Note]
> Not applicable to XAP files.
@ -313,12 +340,16 @@ Required. Whether or not the app is a framework package. Value type is int. The
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-isbundle"></a>**.../*PackageFamilyName*/*PackageFullName*/IsBundle**
Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int.
Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases.
Value type is int.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-installdate"></a>**.../*PackageFamilyName*/*PackageFullName*/InstallDate**
Required. Date the app was installed. Value type is string.
Required. Date the app was installed.
Value type is string.
Supported operation is Get.
@ -331,13 +362,15 @@ Required. Resource ID of the app. This value is null for the main app, ~ for a b
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-packagestatus"></a>**.../*PackageFamilyName*/*PackageFullName*/PackageStatus**
Required. Provides information about the status of the package. Value type is int. Valid values are:
Required. Provides information about the status of the package.
- OK (0) - The package is usable.
- LicenseIssue (1) - The license of the package isn't valid.
- Modified (2) - The package payload was modified by an unknown source.
- Tampered (4) - The package payload was tampered intentionally.
- Disabled (8) - The package isn't available for use. It can still be serviced.
Value type is int. Valid values are:
- OK (0) - The package is usable.
- LicenseIssue (1) - The license of the package isn't valid.
- Modified (2) - The package payload was modified by an unknown source.
- Tampered (4) - The package payload was tampered intentionally.
- Disabled (8) - The package isn't available for use. It can still be serviced.
> [!Note]
> Not applicable to XAP files.
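Review bot: the PackageStatus values are 0, 1, 2, 4, 8, which are powers of two and look like bit flags rather than a plain enumeration, but the rewritten text introduces them as "Value type is int. Valid values are:". The description should state whether the returned integer can be a combination (for example LicenseIssue and Disabled together) or is always exactly one of the listed values, since a reader checking package integrity will interpret the node differently in each case.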
@ -355,15 +388,17 @@ Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-users"></a>**.../*PackageFamilyName*/*PackageFullName*/Users**
Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string.
- Not Installed = 0
- Staged = 1
- Installed = 2
- Paused = 6
- Not Installed = 0
- Staged = 1
- Installed = 2
- Paused = 6
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-isprovisioned"></a>**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned**
Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int.
Required. The value is 0 or 1 that indicates if the app is provisioned on the device.
The value type is int.
Supported operation is Get.
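Review bot: the Users node is declared "Value type is string." yet the list that follows gives only numeric install states (0, 1, 2, 6); the text never says how user identities and those state codes are combined in the returned string. Add a sentence describing the string format (or an example of a returned value) so the list of codes is usable, since the hunk only re-indents the list.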
@ -371,7 +406,9 @@ Supported operation is Get.
Added in Windows 10, version 2004.
Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app.
The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int.
The value is 1 if the package is a stub package and 0 (zero) for all other cases.
Value type is int.
Supported operation is Get.
@ -388,7 +425,9 @@ Added in Windows 10, version 1511. The *SettingValue* and data represent a key v
This setting only works for apps that support the feature and it's only supported in the user context.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
The following example sets the value for the 'Server'
@ -425,7 +464,9 @@ The following example gets all managed app settings for a specific app.
<a href="" id="----packagefamilyname-maintainprocessorarchitectureonupdate"></a>**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate**
Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available.
Supported operations are Add, Get, Delete, and Replace. Value type is integer.
Supported operations are Add, Get, Delete, and Replace.
Value type is integer.
Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
@ -443,11 +484,14 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
Value type is integer. Supported operations are Add, Get, and Replace.
Value type is integer.
Supported operations are Add, Get, and Replace.
Valid values:
- 0 app isn't in the nonremovable app policy list
- 1 app is included in the nonremovable app policy list
- 0 app isn't in the nonremovable app policy list
- 1 app is included in the nonremovable app policy list
**Examples:**
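Review bot: the two Valid values entries read "0 app isn't in the nonremovable app policy list" and "1 app is included in the nonremovable app policy list" with nothing separating the code from its meaning; the other value lists in this file use "code - meaning" (for example "OK (0) - The package is usable."), so write "- 0 - app isn't in the nonremovable app policy list" and "- 1 - app is included in the nonremovable app policy list".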
@ -526,7 +570,6 @@ Supported operations are Get and Add.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
<a href="" id="appinstallation-packagefamilyname-storeinstall"></a>**AppInstallation/*PackageFamilyName*/StoreInstall**
Required. Command to perform an install of an app and a license from the Microsoft Store.
@ -535,7 +578,8 @@ Supported operation is Execute, Add, Delete, and Get.
<a href="" id="appinstallation-packagefamilyname-hostedinstall"></a>**AppInstallation/*PackageFamilyName*/HostedInstall**
Required. Command to perform an install of an app package from a hosted location (this location can be a local drive, a UNC, or https data source).
The following list shows the supported deployment options:
The following list shows the supported deployment options:
- ForceApplicationShutdown
- DevelopmentMode 
- InstallAllResources
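Review bot: "DevelopmentMode" in the deployment options list still carries a trailing non-breaking space (U+00A0) that survived the rewrite; strip it so the option name copies cleanly and matches the neighbouring entries.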
@ -557,8 +601,6 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
<a href="" id="appinstallation-packagefamilyname-lasterrordescription"></a>**AppInstallation/*PackageFamilyName*/LastErrorDesc**
Required. Description of last error relating to the app installation.
@ -567,14 +609,13 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
<a href="" id="appinstallation-packagefamilyname-status"></a>**AppInstallation/*PackageFamilyName*/Status**
Required. Status of app installation. The following values are returned:
- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed.
- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear.
- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed.
- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear.
Supported operation is Get.
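Review bot: the FAILED (2) entry sends readers to "LastError and LastErrorDescription", but the node documented earlier in this file is **AppInstallation/*PackageFamilyName*/LastErrorDesc**; use the real node name so the cross-reference resolves. The INSTALLED (3) entry is also a comma splice; split it into "Once an install is successful, this node is cleaned up. If the clean-up action hasn't completed, this state may briefly appear."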
@ -590,7 +631,6 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
<a href="" id="applicenses"></a>**AppLicenses**
Required node. Used to manage licenses for app scenarios.
@ -603,23 +643,23 @@ Optional node. License ID for a store installed app. The license ID is generally
Supported operations are Add, Get, and Delete.
<a href="" id="applicenses-storelicenses-licenseid-licensecategory"></a>**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory**
Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value:
Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid values are:
- Unknown - unknown license category
- Retail - license sold through retail channels, typically from the Microsoft Store
- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business
- OEM - license issued to an OEM
- Developer - developer license, typically installed during the app development or side-loading scenarios.
- Unknown - unknown license category
- Retail - license sold through retail channels, typically from the Microsoft Store
- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business
- OEM - license issued to an OEM
- Developer - developer license, typically installed during the app development or side-loading scenarios.
Supported operation is Get.
<a href="" id="applicenses-storelicenses-licenseid-licenseusage"></a>**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage**
Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values:
Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values are:
- Unknown - usage is unknown
- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time.
- Offline - license is valid for use offline. You don't need a connection to the internet to use this license.
- Enterprise Root -
- Unknown - usage is unknown.
- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time.
- Offline - license is valid for use offline. You don't need a connection to the internet to use this license.
- Enterprise Root -
Supported operation is Get.
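Review bot: the LicenseUsage list still ends with "- Enterprise Root -" and no description, both before and after this change; supply the meaning or drop the entry rather than ship an empty bullet. Minor: the rewritten Unknown entry gained a trailing period while Online and Offline keep their existing punctuation, and the LicenseCategory list mixes bare items with "Developer ... scenarios."; make terminal punctuation consistent within each list.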
@ -640,7 +680,6 @@ Supported operation is Execute.
## Examples
For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
Query the device for a specific app subcategory, such as nonStore apps.

View File

@ -13,10 +13,20 @@ manager: dansimp
# eUICCs CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709.
The following example shows the eUICCs configuration service provider in tree format.
The following shows the eUICCs configuration service provider in tree format.
```
./Device/Vendor/MSFT
eUICCs
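Review bot: the intro line added here says "This CSP was added in windows 10, version 1709", lowercasing the product name; it should be "Windows 10". Also confirm in the source that the applicability table is separated from "The table below shows the applicability of Windows:" and from the paragraph after it by blank lines, because the rendering here shows them adjacent and a table that follows a paragraph without a blank line will not render as a table.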
@ -44,8 +54,9 @@ eUICCs
------------ResetToFactoryState
------------Status
```
<a href="" id="--vendor-msft-euiccs"></a>**./Vendor/MSFT/eUICCs**
Root node.
Root node for the eUICCs CSP.
<a href="" id="euicc"></a>**_eUICC_**
Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this association could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.
@ -65,12 +76,16 @@ Supported operation is Get. Value type is boolean.
<a href="" id="euicc-ppr1allowed"></a>**_eUICC_/PPR1Allowed**
Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed.
Supported operation is Get. Value type is boolean.
Supported operation is Get.
Value type is boolean.
<a href="" id="euicc-ppr1alreadyset"></a>**_eUICC_/PPR1AlreadySet**
Required. Indicates whether the eUICC already has a profile with PPR1.
Supported operation is Get. Value type is boolean.
Supported operation is Get.
Value type is boolean.
<a href="" id="euicc-downloadservers"></a>**_eUICC_/DownloadServers**
Interior node. Represents default SM-DP+ discovery requests.
@ -85,12 +100,16 @@ Supported operations are Add, Get, and Delete.
<a href="" id="euicc-downloadservers-servername-discoverystate"></a>**_eUICC_/DownloadServers/_ServerName_/DiscoveryState**
Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
Supported operation is Get. Value type is integer. Default value is 1.
Supported operation is Get.
Value type is integer. Default value is 1.
<a href="" id="euicc-downloadservers-servername-autoenable"></a>**_eUICC_/DownloadServers/_ServerName_/AutoEnable**
Required. Indicates whether the discovered profile must be enabled automatically after install. This setting must be defined by the MDM when the ServerName subtree is created.
Supported operations are Add, Get, and Replace. Value type is bool.
Supported operations are Add, Get, and Replace.
Value type is bool.
<a href="" id="euicc-profiles"></a>**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.
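Review bot: AutoEnable's rewritten line says "Value type is bool." while PPR1Allowed and PPR1AlreadySet in the hunk above say "Value type is boolean."; the one-statement-per-line split is fine, but use a single spelling across the file. DiscoveryState also keeps "Value type is integer. Default value is 1." on one line where the other nodes now get one statement per line.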
@ -105,22 +124,30 @@ Supported operations are Add, Get, and Delete.
<a href="" id="euicc-profiles-iccid-servername"></a>**_eUICC_/Profiles/_ICCID_/ServerName**
Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
Supported operations are Add and Get. Value type is string.
Supported operations are Add and Get.
Value type is string.
<a href="" id="euicc-profiles-iccid-matchingid"></a>**_eUICC_/Profiles/_ICCID_/MatchingID**
Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
Supported operations are Add and Get. Value type is string.
Supported operations are Add and Get.
Value type is string.
<a href="" id="euicc-profiles-iccid-state"></a>**_eUICC_/Profiles/_ICCID_/State**
Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
Supported operation is Get. Value type is integer. Default value is 1.
Supported operation is Get.
Value type is integer. Default value is 1.
<a href="" id="euicc-profiles-iccid-isenabled"></a>**_eUICC_/Profiles/_ICCID_/IsEnabled**
Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once its successfully downloaded and installed on the device. Can also be queried and updated by the CSP.
Supported operations are Add, Get, and Replace. Value type is bool.
Supported operations are Add, Get, and Replace.
Value type is bool.
<a href="" id="euicc-policies"></a>**_eUICC_/Policies**
Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile).
@ -130,7 +157,9 @@ Supported operation is Get.
<a href="" id="euicc-policies-localuienabled"></a>**_eUICC_/Policies/LocalUIEnabled**
Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
Supported operations are Get and Replace. Value type is boolean. Default value is true.
Supported operations are Get and Replace.
Value type is boolean. Default value is true.
<a href="" id="euicc-actions"></a>**_eUICC_/Actions**
Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active).
@ -140,9 +169,17 @@ Supported operation is Get.
<a href="" id="euicc-actions-resettofactorystate"></a>**_eUICC_/Actions/ResetToFactoryState**
Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
Supported operation is Execute. Value type is string.
Supported operation is Execute.
Value type is string.
<a href="" id="euicc-actions-status"></a>**_eUICC_/Actions/Status**
Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors.
Supported value is Get. Value type is integer. Default is 0.
Supported value is Get.
Value type is integer. Default is 0.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
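Review bot: "Supported value is Get." on Actions/Status should read "Supported operation is Get."; every other node in this file says "Supported operation(s)", and the line was rewritten here anyway. "Default is 0." could likewise be "Default value is 0." to match the DiscoveryState and State nodes.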

View File

@ -13,6 +13,17 @@ manager: dansimp
# Firewall configuration service provider (CSP)
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
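Review bot: the intro paragraph appears unchanged apart from whitespace, and both copies keep "This CSP was added Windows 10, version 1709", which is missing "in"; fix it while the line is being touched. As with the other applicability tables in this commit, check that blank lines separate the table from the sentence before it and the paragraph after it in the source, since the rendering shows them adjacent.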
@ -101,141 +112,145 @@ Firewall
----------------Status
----------------Name
```
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/Firewall**
<p>Root node for the Firewall configuration service provider.</p>
Root node for the Firewall configuration service provider.
<a href="" id="mdmstore"></a>**MdmStore**
<p>Interior node.</p>
<p>Supported operation is Get.</p>
Interior node.
Supported operation is Get.
<a href="" id="global"></a>**MdmStore/Global**
<p>Interior node.</p>
<p>Supported operations are Get. </p>
Interior node.
Supported operations are Get.
<a href="" id="policyversionsupported"></a>**MdmStore/Global/PolicyVersionSupported**
<p>Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
<p>Value type in integer. Supported operation is Get.</p>
Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.
Value type in integer. Supported operation is Get.
<a href="" id="currentprofiles"></a>**MdmStore/Global/CurrentProfiles**
<p>Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See <a href="/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc" data-raw-source="[FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc)">FW_PROFILE_TYPE</a> for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.</p>
<p>Value type in integer. Supported operation is Get.</p>
Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See <a href="/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc" data-raw-source="[FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc)">FW_PROFILE_TYPE</a> for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.
Value type in integer. Supported operation is Get.
<a href="" id="disablestatefulftp"></a>**MdmStore/Global/DisableStatefulFtp**
<p>Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let &quot;true&quot; values win.</p>
<p>Default value is false.</p>
<p>Data type is bool. Supported operations are Add, Get, Replace, and Delete. </p>
Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
Default value is false.
Data type is bool. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="saidletime"></a>**MdmStore/Global/SaIdleTime**
<p>This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.</p>
<p>Default value is 300.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
Default value is 300.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/PresharedKeyEncoding**
<p>Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the <a href="/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909" data-raw-source="[PRESHARED_KEY_ENCODING_VALUES enumeration](/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909)">PRESHARED_KEY_ENCODING_VALUES enumeration</a>. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.</p>
<p>Default value is 1.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the <a href="/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909" data-raw-source="[PRESHARED_KEY_ENCODING_VALUES enumeration](/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909)">PRESHARED_KEY_ENCODING_VALUES enumeration</a>. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
Default value is 1.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="ipsecexempt"></a>**MdmStore/Global/IPsecExempt**
<p>This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in <a href="/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191" data-raw-source="[IPSEC_EXEMPT_VALUES](/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191)">IPSEC_EXEMPT_VALUES</a>; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.</p>
<p>Default value is 0.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in <a href="/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191" data-raw-source="[IPSEC_EXEMPT_VALUES](/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191)">IPSEC_EXEMPT_VALUES</a>; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
Default value is 0.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="crlcheck"></a>**MdmStore/Global/CRLcheck**
<p>This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:</p>
<ul>
<li>0 disables CRL checking</li>
<li>1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.</li>
<li>2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing</li>
</ul>
<p>Default value is 0.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:
- 0 disables CRL checking
- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.
- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
Default value is 0.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policyversion"></a>**MdmStore/Global/PolicyVersion**
<p>This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.</p>
<p>Value type is string. Supported operation is Get.</p>
This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.
Value type is string. Supported operation is Get.
<a href="" id="binaryversionsupported"></a>**MdmStore/Global/BinaryVersionSupported**
<p>This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component&#39;s software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.</p>
<p>Value type is string. Supported operation is Get.</p>
This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component&#39;s software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
Value type is string. Supported operation is Get.
<a href="" id="opportunisticallymatchauthsetperkm"></a>**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
<p>This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p>Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
Boolean value. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="enablepacketqueue"></a>**MdmStore/Global/EnablePacketQueue**
<p>This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:</p>
This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
<ul>
<li>0x00 indicates that all queuing is to be disabled</li>
<li>0x01 specifies that inbound encrypted packets are to be queued</li>
<li>0x02 specifies that packets are to be queued after decryption is performed for forwarding</li>
</ul>
- 0x00 indicates that all queuing is to be disabled
- 0x01 specifies that inbound encrypted packets are to be queued
- 0x02 specifies that packets are to be queued after decryption is performed for forwarding
<p>Default value is 0.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Default value is 0.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="domainprofile"></a>**MdmStore/DomainProfile**
<p>Interior node. Supported operation is Get.</p>
Interior node. Supported operation is Get.
<a href="" id="privateprofile"></a>**MdmStore/PrivateProfile**
<p>Interior node. Supported operation is Get.</p>
Interior node. Supported operation is Get.
<a href="" id="publicprofile"></a>**MdmStore/PublicProfile**
<p>Interior node. Supported operation is Get.</p>
Interior node. Supported operation is Get.
<a href="" id="enablefirewall"></a>**/EnableFirewall**
<p>Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="disablestealthmode"></a>**/DisableStealthMode**
<p>Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is false.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is false.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="shielded"></a>**/Shielded**
<p>Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let &quot;true&quot; values win.</p>
<p>Default value is false.</p>
<p>Value type is bool. Supported operations are Get and Replace.</p>
Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
Default value is false.
Value type is bool. Supported operations are Get and Replace.
<a href="" id="disableunicastresponsestomulticastbroadcast"></a>**/DisableUnicastResponsesToMulticastBroadcast**
<p>Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is false.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is false.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="disableinboundnotifications"></a>**/DisableInboundNotifications**
<p>Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is false.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is false.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="authappsallowuserprefmerge"></a>**/AuthAppsAllowUserPrefMerge**
<p>Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="globalportsallowuserprefmerge"></a>**/GlobalPortsAllowUserPrefMerge**
<p>Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="allowlocalpolicymerge"></a>**/AllowLocalPolicyMerge**
<p>Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="allowlocalipsecpolicymerge"></a>**/AllowLocalIpsecPolicyMerge**
<p>Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
<p>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
</ul>
<p>Default value is 0 (allow).</p>
<p>Value type is integer. Supported operations are Add, Get and Replace.</p>
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.
- 0x00000000 - allow
- 0x00000001 - block
Default value is 0 (allow).
Value type is integer. Supported operations are Add, Get and Replace.
Sample syncxml to provision the firewall settings to evaluate
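Review bot: the DefaultOutboundAction description (the added line starting "This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections") keeps the sentence "DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block", which reads as a contradiction of "Default value is 0 (allow)" three lines below; since the node text is being rewritten here anyway, reword it to say that a value of 1 (block) drops outbound traffic that no rule explicitly allows. Two smaller consistency points in the same hunk: the GlobalPortsAllowUserPrefMerge line says "let the value GroupPolicyRSoPStore win" where every sibling node says "let the value of the GroupPolicyRSoPStore win", and the DisableInboundNotifications line switches from "If this value is false" to "If this value is on" for the same bool, where "true" is meant.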
@ -261,163 +276,168 @@ Sample syncxml to provision the firewall settings to evaluate
</SyncML>
```
<a href="" id="defaultinboundaction"></a>**/DefaultInboundAction**
<p>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
</ul>
<p>Default value is 1 (block).</p>
<p>Value type is integer. Supported operations are Add, Get and Replace.</p>
This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.
- 0x00000000 - allow
- 0x00000001 - block
Default value is 1 (block).
Value type is integer. Supported operations are Add, Get and Replace.
<a href="" id="disablestealthmodeipsecsecuredpacketexemption"></a>**/DisableStealthModeIpsecSecuredPacketExemption**
<p>Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall&#39;s stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall&#39;s stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="firewallrules"></a>**FirewallRules**
<p>A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR&#39;ed. Within each rule ID each Filter type is AND&#39;ed.</p>
A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR&#39;ed. Within each rule ID each Filter type is AND&#39;ed.
<a href="" id="firewallrulename"></a>**FirewallRules/_FirewallRuleName_**
<p>Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</p>
<p>Supported operations are Add, Get, Replace, and Delete.</p>
Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="app"></a>**FirewallRules/_FirewallRuleName_/App**
<p>Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:</p>
<ul>
<li>PackageFamilyName</li>
<li>FilePath</li>
<li>FQBN</li>
<li>ServiceName</li>
</ul>
<p>If not specified, the default is All.</p>
<p>Supported operation is Get.</p>
Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
- PackageFamilyName
- FilePath
- FQBN
- ServiceName
If not specified, the default is All.
Supported operation is Get.
<a href="" id="packagefamilyname"></a>**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
<p>This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="filepath"></a>**FirewallRules/_FirewallRuleName_/App/FilePath**
<p>This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="fqbn"></a>**FirewallRules/_FirewallRuleName_/App/Fqbn**
<p>Fully Qualified Binary Name</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Fully Qualified Binary Name
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="servicename"></a>**FirewallRules/_FirewallRuleName_/App/ServiceName**
<p>This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="protocol"></a>**FirewallRules/_FirewallRuleName_/Protocol**
<p>0-255 number representing the ip protocol (TCP = 6, UDP = 17)</p>
<p>If not specified, the default is All.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
0-255 number representing the ip protocol (TCP = 6, UDP = 17)
If not specified, the default is All.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="localportranges"></a>**FirewallRules/_FirewallRuleName_/LocalPortRanges**
<p>Comma separated list of ranges. For example, 100-120,200,300-320.</p>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Comma separated list of ranges. For example, 100-120,200,300-320.
If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="remoteportranges"></a>**FirewallRules/_FirewallRuleName_/RemotePortRanges**
<p>Comma separated list of ranges, For example, 100-120,200,300-320.</p>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Comma separated list of ranges, For example, 100-120,200,300-320.
If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="localaddressranges"></a>**FirewallRules/*FirewallRuleName*/LocalAddressRanges**
<p>Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:</p>
<ul>
<li>"*" indicates any local address. If present, the local address must be the only token included.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>
<li>An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
<li>An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
</ul>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
- "*" indicates any local address. If present, the local address must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
- An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.
- An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.
If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="remoteaddressranges"></a>**FirewallRules/*FirewallRuleName*/RemoteAddressRanges**
<p>List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:</p>
<ul>
<li>"*" indicates any remote address. If present, the address must be the only token included.</li>
<li>&quot;Defaultgateway&quot;</li>
<li>&quot;DHCP&quot;</li>
<li>&quot;DNS&quot;</li>
<li>&quot;WINS&quot;</li>
<li>&quot;Intranet&quot;</li>
<li>&quot;RmtIntranet&quot;</li>
<li>&quot;Internet&quot;</li>
<li>&quot;Ply2Renders&quot;</li>
<li>&quot;LocalSubnet&quot; indicates any local address on the local subnet. This token isn't case-sensitive.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>
<li>An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
<li>An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
</ul>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<p>The tokens &quot;Intranet&quot;, &quot;RmtIntranet&quot;, &quot;Internet&quot; and &quot;Ply2Renders&quot; are supported on Windows 10, version 1809, and later.</p>
List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
- "*" indicates any remote address. If present, the address must be the only token included.
- &quot;Defaultgateway&quot;
- &quot;DHCP&quot;
- &quot;DNS&quot;
- &quot;WINS&quot;
- &quot;Intranet&quot;
- &quot;RmtIntranet&quot;
- &quot;Internet&quot;
- &quot;Ply2Renders&quot;
- &quot;LocalSubnet&quot; indicates any local address on the local subnet. This token isn't case-sensitive.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
- An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.
- An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.
If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
The tokens &quot;Intranet&quot;, &quot;RmtIntranet&quot;, &quot;Internet&quot; and &quot;Ply2Renders&quot; are supported on Windows 10, version 1809, and later.
<a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
<p>Specifies the description of the rule.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Specifies the description of the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="enabled"></a>**FirewallRules/_FirewallRuleName_/Enabled**
<p>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
<p>If not specified - a new rule is enabled by default.</p>
<p>Boolean value. Supported operations are Get and Replace.</p>
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is enabled by default.
Boolean value. Supported operations are Get and Replace.
<a href="" id="profiles"></a>**FirewallRules/_FirewallRuleName_/Profiles**
<p>Specifies the profiles to which the rule belongs: Domain, Private, Public. . See <a href="/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc" data-raw-source="[FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc)">FW_PROFILE_TYPE</a> for the bitmasks that are used to identify profile types.</p>
<p>If not specified, the default is All.</p>
<p>Value type is integer. Supported operations are Get and Replace.</p>
Specifies the profiles to which the rule belongs: Domain, Private, or Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types.
If not specified, the default is All.
Value type is integer. Supported operations are Get and Replace.
<a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
<p>Specifies the action for the rule.</p>
<p>Supported operation is Get.</p>
Specifies the action for the rule.
Supported operation is Get.
<a href="" id="type"></a>**FirewallRules/_FirewallRuleName_/Action/Type**
<p>Specifies the action the rule enforces. Supported values:</p>
<ul>
<li>0 - Block</li>
<li>1 - Allow</li>
</ul>
<p>If not specified, the default is allow.</p>
<p>Value type is integer. Supported operations are Get and Replace.</p>
Specifies the action the rule enforces. Supported values:
- 0 - Block
- 1 - Allow
If not specified, the default is allow.
Value type is integer. Supported operations are Get and Replace.
<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
<p>The rule is enabled based on the traffic direction as following. Supported values:</p>
<ul>
<li>IN - the rule applies to inbound traffic.</li>
<li>OUT - the rule applies to outbound traffic.</li>
<li>If not specified, the default is Out.</li>
</ul>
<p>Value type is string. Supported operations are Get and Replace.</p>
The rule is enabled based on the traffic direction as following. Supported values:
- IN - the rule applies to inbound traffic.
- OUT - the rule applies to outbound traffic.
- If not specified, the default is Out.
Value type is string. Supported operations are Get and Replace.
<a href="" id="interfacetypes"></a>**FirewallRules/_FirewallRuleName_/InterfaceTypes**
<p>Comma separated list of interface types. Valid values:</p>
<ul>
<li>RemoteAccess</li>
<li>Wireless</li>
<li>Lan</li>
</ul>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Get and Replace.</p>
Comma separated list of interface types. Valid values:
- RemoteAccess
- Wireless
- Lan
If not specified, the default is All.
Value type is string. Supported operations are Get and Replace.
<a href="" id="edgetraversal"></a>**FirewallRules/_FirewallRuleName_/EdgeTraversal**
<p>Indicates whether edge traversal is enabled or disabled for this rule.</p>
<p>The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.</p>
<p>New rules have the EdgeTraversal property disabled by default.</p>
<p>Value type is bool. Supported operations are Add, Get, Replace, and Delete.</p>
Indicates whether edge traversal is enabled or disabled for this rule.
The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
New rules have the EdgeTraversal property disabled by default.
Value type is bool. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList**
<p>Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="status"></a>**FirewallRules/_FirewallRuleName_/Status**
<p>Provides information about the specific version of the rule in deployment for monitoring purposes.</p>
<p>Value type is string. Supported operation is Get.</p>
Provides information about the specific version of the rule in deployment for monitoring purposes.
Value type is string. Supported operation is Get.
<a href="" id="name"></a>**FirewallRules/_FirewallRuleName_/Name**
<p>Name of the rule.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Name of the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
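Review bot: several of the added markdown lines still carry HTML entities that were only natural inside the removed <p> tags: "firewall&#39;s" in DisableStealthModeIpsecSecuredPacketExemption, "OR&#39;ed" and "AND&#39;ed" under FirewallRules, and "&quot;Defaultgateway&quot;", "&quot;start address - end address&quot;" and the other quoted tokens in the LocalAddressRanges and RemoteAddressRanges lists, while the "*" items in those same lists already use plain quotes. Replace them with literal ' and " so the converted text is consistent. Also, the DefaultInboundAction line keeps the typo "GroupPolicyRSoPStore.win" (stray period), and under Direction the default ("If not specified, the default is Out.") is carried over as a third bullet of the supported values instead of its own line, unlike every other node in the file.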

View File

@ -14,14 +14,24 @@ ms.date:
# Device HealthAttestation CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions.
The following list is a description of the functions performed by the Device HealthAttestation CSP:
- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device
- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service)
- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device
- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service)
- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
## Windows 11 Device health attestation
@ -63,6 +73,7 @@ Attestation flow can be broadly in three main steps:
For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol).
### Configuration Service Provider Nodes
Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service.
```console
@ -249,7 +260,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo
```
> [!NOTE]
> > MAA CSP nodes are available on arm64 but isn't currently supported.
> MAA CSP nodes are available on arm64 but isn't currently supported.
### MAA CSP Integration Steps
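Review bot: the corrected note line still has a subject/verb mismatch: "MAA CSP nodes are available on arm64 but isn't currently supported" should read "but aren't currently supported".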
@ -574,12 +585,12 @@ Provides the current status of the device health request.
The supported operation is Get.
The following list shows some examples of supported values. For the complete list of status, see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.
The following list shows some examples of supported values. For the complete list of status, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
<a href="" id="forceretrieve"></a>**ForceRetrieve** (Optional)
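Review bot: the replaced sentence "For the complete list of status, see [Device HealthAttestation CSP status and error codes]..." is missing the word "codes" ("complete list of status codes"); worth fixing while the line is being touched, since the link text itself already says "status and error codes".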
@ -623,14 +634,14 @@ Value type is integer. The supported operation is Get.
The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM):
1. [Verify HTTPS access](#verify-access)
2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service)
3. [Instruct client to prepare DHA-data for verification](#prepare-health-data)
4. [Take action based on the clients response](#take-action-client-response)
5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation)
6. [Post DHA-data to DHA-service](#forward-data-to-has)
7. [Receive response from DHA-service](#receive-has-response)
8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action)
1. [Verify HTTPS access](#verify-access)
2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service)
3. [Instruct client to prepare DHA-data for verification](#prepare-health-data)
4. [Take action based on the clients response](#take-action-client-response)
5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation)
6. [Post DHA-data to DHA-service](#forward-data-to-has)
7. [Receive response from DHA-service](#receive-has-response)
8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action)
Each step is described in detail in the following sections of this topic.
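Review bot: step 4 in the re-indented list reads "Take action based on the clients response" while the matching heading later in the file (Step 4) says "client's response"; add the apostrophe so the list and the heading agree.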
@ -688,6 +699,7 @@ SSL-Session:
### <a href="" id="assign-trusted-dha-service"></a>Step 2: Assign an enterprise trusted DHA-Service
There are three types of DHA-Service:
- Device Health Attestation Cloud (owned and operated by Microsoft)
- Device Health Attestation On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
- Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud)
@ -738,7 +750,6 @@ The following example shows a sample call that triggers collection and verificat
### <a href="" id="take-action-client-response"></a>Step 4: Take action based on the client's response
After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section.
@ -762,11 +773,11 @@ Here's a sample alert that is issued by DHA_CSP:
</Item>
</Alert>
```
- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
### <a href="" id="forward-health-attestation"></a>Step 5: Instruct the client to forward health attestation data for verification
Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device.
Here's an example:
@ -823,24 +834,24 @@ When the MDM-Server receives the above data, it must:
- Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on:
- DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3
- DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
- DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: [https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3)
- DHA-OnPrem or DHA-EMC: [https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3)
### <a href="" id="receive-has-response"></a>Step 7: Receive response from the DHA-service
When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
- Decrypts the encrypted data it receives.
- Validates the data it has received
- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format
- Validates the data it has received.
- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format.
### <a href="" id="take-policy-action"></a>Step 8: Take appropriate policy action based on evaluation results
After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be:
- Allow the device access.
- Allow the device to access the resources, but flag the device for further investigation.
- Prevent a device from accessing resources.
- Allow the device access.
- Allow the device to access the resources, but flag the device for further investigation.
- Prevent a device from accessing resources.
The following list of data points is verified by the DHA-Service in DHA-Report version 3:
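Review bot: the second DHA-Service bullet now renders `https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3` as a clickable link even though the host is a placeholder the administrator must replace with their own DHA-OnPrem or DHA-EMC server name; keep that entry as plain text or a code span so nobody follows it literally, and while touching the line fix the abbreviation from FDQN to FQDN. Linking the DHA-Cloud URL is fine.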
@ -890,8 +901,8 @@ If AIKPresent = True (1), then allow access.
If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
@ -911,21 +922,21 @@ Data Execution Prevention (DEP) Policy defines a set of hardware and software te
DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff**
- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn**
- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff**
- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn**
If DEPPolicy = 1 (On), then allow access.
If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bitlockerstatus"></a>**BitLockerStatus** (at boot time)
When BitLocker is reported &quot;on&quot; at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen.
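Review bot: the two `bcdedit.exe /set {current} nx AlwaysOff` / `AlwaysOn` bullets are re-added with only whitespace changed, so this is the moment to put the commands in code spans instead of bold, as the rest of the page does for literal values. The lead-in "by using the following commands in WMI or a PowerShell script" is also inaccurate: bcdedit is a command-line tool run from an elevated prompt (it can be invoked from a script, but WMI plays no part), and the same wording recurs in the boot-debugging and test-signing blocks below.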
@ -935,10 +946,10 @@ If BitLockerStatus = 1 (On), then allow access.
If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bootmanagerrevlistversion"></a>**BootManagerRevListVersion**
@ -946,12 +957,12 @@ This attribute indicates the version of the Boot Manager that is running on the
If BootManagerRevListVersion = [CurrentVersion], then allow access.
If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
If `BootManagerRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
- Disallow all access.
- Disallow access to HBI and MBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="codeintegrityrevlistversion"></a>**CodeIntegrityRevListVersion**
@ -959,12 +970,12 @@ This attribute indicates the version of the code that is performing integrity ch
If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
- Disallow all access.
- Disallow access to HBI and MBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="securebootenabled"></a>**SecureBootEnabled**
@ -974,10 +985,10 @@ If SecureBootEnabled = 1 (True), then allow access.
If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bootdebuggingenabled"></a>**BootDebuggingEnabled**
@ -985,17 +996,17 @@ Boot debug-enabled points to a device that is used in development and testing. D
Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**
- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**
- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**.
- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**.
If BootdebuggingEnabled = 0 (False), then allow access.
If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
- Disallow all access.
- Disallow access to HBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
<a href="" id="oskerneldebuggingenabled"></a>**OSKernelDebuggingEnabled**
@ -1005,10 +1016,10 @@ If OSKernelDebuggingEnabled = 0 (False), then allow access.
If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
- Disallow all access.
- Disallow access to HBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="codeintegrityenabled"></a>**CodeIntegrityEnabled**
@ -1022,10 +1033,10 @@ If CodeIntegrityEnabled = 1 (True), then allow access.
If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="testsigningenabled"></a>**TestSigningEnabled**
@ -1033,17 +1044,17 @@ When test signing is enabled, the device doesn't enforce signature validation du
Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**
- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**
- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**.
- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**.
If TestSigningEnabled = 0 (False), then allow access.
If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
- Disallow all access.
- Disallow access to HBI and MBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
<a href="" id="safemode"></a>**SafeMode**
@ -1053,9 +1064,9 @@ If SafeMode = 0 (False), then allow access.
If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
- Disallow all access.
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="winpe"></a>**WinPE**
@ -1067,7 +1078,7 @@ If WinPE = 1 (True), then limit access to remote resources that are required for
<a href="" id="elamdriverloaded"></a>**ELAMDriverLoaded** (Windows Defender)
To use this reporting feature, you must disable &quot;Hybrid Resume&quot; on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.
@ -1077,9 +1088,9 @@ If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True),
If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
- Disallow all access.
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**Bcdedit.exe /set {current} vsmlaunchtype auto**
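Review bot: the bold line `**Bcdedit.exe /set {current} vsmlaunchtype auto**` sits inside the ELAMDriverLoaded block, between its two "ELAMDriverLoaded" conditions, but it is the VSM enablement command that the VSMEnabled section introduces ("VSM can be enabled by using the following command"); here it reads as a stray line and should be removed or moved under VSMEnabled. The last bullet also lacks "to" in "contact the owner investigate the issue".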
@ -1087,9 +1098,9 @@ If ELAMDriverLoaded = 1 (True), then allow access.
If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
- Disallow all access.
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="vsmenabled"></a>**VSMEnabled**
@ -1102,8 +1113,8 @@ VSM can be enabled by using the following command in WMI or a PowerShell script:
If VSMEnabled = 1 (True), then allow access.
If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue
<a href="" id="pcrhashalgorithmid"></a>**PCRHashAlgorithmID**
@ -1118,7 +1129,7 @@ If reported BootAppSVN equals an accepted value, then allow access.
If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="bootmanagersvn"></a>**BootManagerSVN**
@ -1129,7 +1140,7 @@ If reported BootManagerSVN equals an accepted value, then allow access.
If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="tpmversion"></a>**TPMVersion**
@ -1153,13 +1164,12 @@ The measurement that is captured in PCR[0] typically represents a consistent vie
Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison.
If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action.
If PCR[0] equals an accepted allowlist value, then allow access.
If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="sbcphash"></a>**SBCPHash**
@ -1169,7 +1179,7 @@ If SBCPHash isn't present, or is an accepted allow-listed value, then allow acce
If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="cipolicy"></a>**CIPolicy**
@ -1180,7 +1190,7 @@ If CIPolicy isn't present, or is an accepted allow-listed value, then allow acce
If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bootrevlistinfo"></a>**BootRevListInfo**
@ -1191,7 +1201,7 @@ If reported BootRevListInfo version equals an accepted value, then allow access.
If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="osrevlistinfo"></a>**OSRevListInfo**
@ -1202,7 +1212,7 @@ If reported OSRevListInfo version equals an accepted value, then allow access.
If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="healthstatusmismatchflags"></a>**HealthStatusMismatchFlags**

View File

@ -1,113 +0,0 @@
---
title: Messaging CSP
description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
ms.reviewer:
manager: dansimp
---
# Messaging CSP
The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
The following shows the Messaging configuration service provider in tree format.
```console
./User/Vendor/MSFT
Messaging
----AuditingLevel
----Auditing
--------Messages
----------Count
----------RevisionId
----------Data
```
<a href="" id="--user-msft-applocker"></a>**./User/Vendor/MSFT/Messaging**
<p>Root node for the Messaging configuration service provider.</p>
<a href="" id="auditinglevel"></a>**AuditingLevel**
<p>Turns on the &quot;Text&quot; auditing feature.</p>
<p>The following list shows the supported values:</p>
<ul>
<li>0 (Default) - Off</li>
<li>1 - On</li>
</ul>
<p>Supported operations are Get and Replace.</p>
<a href="" id="auditing"></a>**Auditing**
<p>Node for auditing.</p>
<p>Supported operation is Get.</p>
<a href="" id="messages"></a>**Messages**
<p>Node for messages.</p>
<p>Supported operation is Get.</p>
<a href="" id="count"></a>**Count**
<p>The number of messages to return in the Data setting. The default is 100.</p>
<p>Supported operations are Get and Replace.</p>
<a href="" id="revisionid"></a>**RevisionId**
<p>Retrieves messages whose revision ID is greater than RevisionId.</p>
<p>Supported operations are Get and Replace.</p>
<a href="" id="data"></a>**Data**
<p>The JSON string of text messages on the device.</p>
<p>Supported operations are Get and Replace.</p>
**SyncML example**
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./User/Vendor/MSFT/Messaging/Auditing/Messages/Count
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>100</Data>
</Item>
</Replace>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./User/Vendor/MSFT/Messaging/Auditing/Messages/RevisionId
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Get>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./User/Vendor/MSFT/Messaging/Auditing/Messages/Data
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
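Review bot: deleting messaging-csp.md outright breaks inbound links (the CSP reference index, the TOC, and external bookmarks); the same change should add a redirect for the removed path and drop the Messaging entries from the reference page. If the CSP is being retired for a particular Windows version, a one-line deprecation note at the top of the page would serve readers better than a silent removal.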

View File

@ -1,182 +0,0 @@
---
title: Messaging DDF file
description: Utilize the OMA DM device description framework (DDF) for the Messaging configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
ms.reviewer:
manager: dansimp
---
# Messaging DDF file
This topic shows the OMA DM device description framework (DDF) for the Messaging configuration service provider. This CSP was added in Windows 10, version 1703.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Messaging</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AuditingLevel</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Turns on the 'Text' auditing feature. 0 = off, 1 = on</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Auditing</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Messages</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Count</NodeName>
<DFProperties>
<AccessType>
<Replace />
<Get />
</AccessType>
<DefaultValue>100</DefaultValue>
<Description>Number of messages to return in the 'Data' element</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RevisionId</NodeName>
<DFProperties>
<AccessType>
<Replace />
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Retrieves messages whose revision id is greater than the 'RevisionId'</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Data</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>JSON string of 'text' messages on the device</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
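Review bot: this DDF removal should go together with an update to the "CSP DDF files download" section this page linked to, so that, if that section lists a Messaging DDF, it no longer advertises a file whose documentation has been removed; as with messaging-csp.md, a redirect for the deleted path should be added in the same commit.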

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 05/09/2022
ms.date: 05/16/2022
ms.reviewer:
manager: dansimp
---
@ -73,7 +73,7 @@ manager: dansimp
<hr/>
> [!Important]
> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types)).
> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
<!--Policy-->
<a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**

View File

@ -14,10 +14,20 @@ ms.date: 06/26/2017
# Reboot CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Reboot configuration service provider is used to configure reboot settings.
The following shows the Reboot configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
```
./Device/Vendor/MSFT
Reboot
@ -26,41 +36,44 @@ Reboot
--------Single
--------DailyRecurrent
```
<a href="" id="--vendor-msft-reboot"></a>**./Vendor/MSFT/Reboot**
<p>The root node for the Reboot configuration service provider.</p>
<p>The supported operation is Get.</p>
<a href="" id="--vendor-msft-reboot"></a>**./Vendor/MSFT/Reboot**
The root node for the Reboot configuration service provider.
The supported operation is Get.
<a href="" id="rebootnow"></a>**RebootNow**
<p>This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.</p>
This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.
> [!NOTE]
> If this node is set to execute during a sync session, the device will reboot at the end of the sync session.
<p>The supported operations are Execute and Get.</p>
The supported operations are Execute and Get.
<a href="" id="schedule"></a>**Schedule**
<p>The supported operation is Get.</p>
The supported operation is Get.
<a href="" id="schedule-single"></a>**Schedule/Single**
<p>This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required. </br>
Example to configure: 2018-10-25T18:00:00</p>
This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
Example to configure: 2018-10-25T18:00:00
Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00.
<p>The supported operations are Get, Add, Replace, and Delete.</p>
<p>The supported data type is "String".</p>
- The supported operations are Get, Add, Replace, and Delete.
- The supported data type is "String".
<a href="" id="schedule-dailyrecurrent"></a>**Schedule/DailyRecurrent**
<p>This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. </br>
Example to configure: 2018-10-25T18:00:00</p>
<p>The supported operations are Get, Add, Replace, and Delete.</p>
This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
Example to configure: 2018-10-25T18:00:00
<p>The supported data type is "String".</p>
- The supported operations are Get, Add, Replace, and Delete.
- The supported data type is "String".
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
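Review bot: the root node line still reads `./Vendor/MSFT/Reboot` while the tree at the top of the page shows the provider under `./Device/Vendor/MSFT`; since the line is being rewritten from `<p>` to markdown anyway, make it `./Device/Vendor/MSFT/Reboot` so the two agree. Two smaller points in the same hunk: "ISO 8601" (Schedule/Single) and "ISO8601" (Schedule/DailyRecurrent) should use one spelling, and dropping the `</br>` before "Example to configure" needs a blank line (or a trailing double space) in its place, otherwise markdown joins the example onto the preceding sentence.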

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# Reboot DDF file
This topic shows the OMA DM device description framework (DDF) for the **Reboot** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -147,8 +146,7 @@ The XML below is the current version for this CSP.
## Related topics
[Reboot configuration service provider](reboot-csp.md)
[Reboot CSP](reboot-csp.md)
 

View File

@ -14,6 +14,15 @@ ms.date: 06/26/2017
# RemoteFind CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The RemoteFind configuration service provider retrieves the location information for a particular device.
@ -37,21 +46,24 @@ Optional. The node accepts the requested radius value in meters. Valid values fo
The default value is 50. Replacing this value only replaces it for the current session. The value isn't retained.
Supported operations are Replace and Get. The Add command isn't supported.
- Supported operations are Replace and Get.
- The Add command isn't supported.
<a href="" id="timeout"></a>**Timeout**
Optional. Value is DWORD in seconds.
The default value is 7, and the range is 0 to 1800 seconds. Replacing this value only replaces it for the current session. The value isn't retained.
Supported operations are Replace and Get. The Add command isn't supported.
- Supported operations are Replace and Get.
- The Add command isn't supported.
<a href="" id="maximumage"></a>**MaximumAge**
Optional. The value represents the desired time window in minutes that the server will accept a successful location retrieval. The node enables the server to set the requested age value in 100 nanoseconds. Valid values for accuracy include any integer value between 0 and 1440 minutes.
The default value is 60. Replacing this value only replaces it for the current session. The value isn't retained.
Supported operations are Replace and Get. The Add command isn't supported.
- Supported operations are Replace and Get.
- The Add command isn't supported.
<a href="" id="location"></a>**Location**
Required. Nodes under this path must be queried atomically in order to succeed. This condition is to prevent servers from querying incomplete sets of data.
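Review bot: turning "Supported operations are Replace and Get. The Add command isn't supported." into two bullets for Radius, Timeout and MaximumAge leaves the other nodes in this file (for example "Supported operation is Get." under Age) as plain sentences, so the page now mixes two styles for the same kind of statement; apply one form throughout. Separately, the MaximumAge description says the window is "in minutes" and then that the server sets the age "in 100 nanoseconds" in consecutive sentences; clarify which unit the node value actually takes.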
@ -102,7 +114,7 @@ The default value is 0.
Supported operation is Get.
<a href="" id="age"></a>**Age**
Required. Provides the age in 100 nanoseconds for current location data.
Required. Provides the age in 100 nanoseconds for the current location data.
The value returned is an integer.
@ -176,7 +188,6 @@ Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# RemoteFind DDF file
This topic shows the OMA DM device description framework (DDF) for the **RemoteFind** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -298,7 +297,9 @@ The XML below is the current version for this CSP.
</MgmtTree>
```
 
## Related topics
[RemoteFind CSP](remotefind-csp.md) 
 
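Review bot: the added link line `[RemoteFind CSP](remotefind-csp.md) ` carries a trailing non-breaking space; drop it so the entry matches the other Related topics lines in this change.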

View File

@ -1,65 +0,0 @@
---
title: RemoteRing CSP
description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device.
ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# RemoteRing CSP
You can use the RemoteRing configuration service provider to remotely trigger a device to produce an audible ringing sound, regardless of the volume that is set on the device.
The following DDF format shows the RemoteRing configuration service provider in tree format.
```
./User/Vendor/MSFT
RemoteRing
----Ring
./Device/Vendor/MSFT
Root
./User/Vendor/MSFT
./Device/Vendor/MSFT
RemoteRing
----Ring
```
<a href="" id="ring"></a>**Ring**
Required. The node accepts requests to ring the device.
The supported operation is Exec.
## Examples
The following sample shows how to initiate a remote ring on the device.
```xml
<Exec>
<CmdID>5</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteRing/Ring </LocURI>
</Target>
</Item>
</Exec>
```
 
 
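Review bot: this hunk deletes the whole RemoteRing CSP topic (`@ -1,65 +0,0 @@`), but nothing in the change shows a redirect being added or the incoming links to this topic being removed, so any page that still references it will break once the file is gone. If the CSP is being retired rather than moved, pair the deletion with a redirect entry or a note in the CSP reference; the same applies to the RemoteRing DDF file deleted in the next hunk.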

View File

@ -1,105 +0,0 @@
---
title: RemoteRing DDF file
description: This topic shows the OMA DM device description framework (DDF) for the RemoteRing configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: 6815267F-212B-4370-8B72-A457E8000F7B
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# RemoteRing DDF file
This topic shows the OMA DM device description framework (DDF) for the **RemoteRing** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>RemoteRing</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Ring</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Required. The node accepts requests to ring the device. The supported operation is Exec</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Root</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</MgmtTree>
```
 
 

View File

@ -14,6 +14,16 @@ ms.date: 08/13/2018
# RemoteWipe CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
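Review bot: the context line "can be used by mobile operators DM server or enterprise management server" is missing a possessive; since the intro of this topic is being touched anyway, make it "a mobile operator's DM server or an enterprise management server".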
@ -39,10 +49,10 @@ Supported operation is Exec.
<a href="" id="dowipepersistprovisioneddata"></a>**doWipePersistProvisionedData**
Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed.
Supported operation is Exec.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
Supported operation is Exec.
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command.
<a href="" id="doWipeProtected"></a>**doWipeProtected**
@ -53,7 +63,7 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which
Supported operation is Exec.
<a href="" id="doWipePersistUserData"></a>**doWipePersistUserData**
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
<a href="" id="automaticredeployment"></a>**AutomaticRedeployment**
Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
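Review bot: the comma inserted in "perform a remote reset on the device, and persist user accounts and data" is incorrect: "perform" and "persist" share the same subject, so no comma belongs before "and"; keep the original wording of the doWipePersistUserData line.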
@ -70,7 +80,7 @@ Added in Windows 10, version 1809. Status value indicating current state of an A
Supported values:
- 0: Never run (not started). The default state.
- 1: Complete.
- 1: Complete.
- 10: Reset has been scheduled.
- 20: Reset is scheduled and waiting for a reboot.
- 30: Failed during CSP Execute ("Exec" in SyncML).
@ -79,7 +89,6 @@ Supported values:
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 

View File

@ -14,7 +14,6 @@ ms.date: 08/13/2018
# RemoteWipe DDF file
This topic shows the OMA DM device description framework (DDF) for the **RemoteWipe** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -109,7 +108,7 @@ The XML below is the DDF for Windows 10, version 1809.
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Description>Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command.</Description>
<Description>Exec on this node will perform a remote wipe on the device, and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command.</Description>
</DFProperties>
</Node>
<Node>
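Review bot: editing a Description inside the DDF XML makes this page diverge from the downloadable DDF it says it reproduces ("DDF files are used only with OMA DM provisioning XML" and the CSP DDF files download link above), and the edit itself only adds a comma before "and fully clean", which is unnecessary because "perform" and "clean" share the subject "Exec on this node". Either regenerate the XML from the shipped DDF or leave the Description text untouched.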
@ -221,3 +220,7 @@ The XML below is the DDF for Windows 10, version 1809.
</Node>
</MgmtTree>
```
## Related topics
[RemoteWipe CSP](remotewipe-csp.md)

View File

@ -14,6 +14,15 @@ ms.date: 06/26/2017
# Reporting CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. This CSP was added in Windows 10, version 1511.
@ -36,7 +45,7 @@ Reporting
```
<a href="" id="reporting"></a>**Reporting**
Root node.
The root node for the reporting configuration service provider.
<a href="" id="reporting-enterprisedataprotection"></a>**Reporting/EnterpriseDataProtection**
Interior node for retrieving the Windows Information Protection (formerly known as Enterprise Data Protection) logs.
@ -62,37 +71,32 @@ Interior node for retrieving a specified number of logs from the StartTime. The
<a href="" id="logs"></a>**Logs**
Contains the reporting logs.
Value type is XML.
Supported operation is Get.
- Value type is XML.
- Supported operation is Get.
<a href="" id="starttime"></a>**StartTime**
Specifies the starting time for retrieving logs.
Value type is string. Use ISO 8601 format.
Supported operations are Get and Replace.
- Value type is string. Use ISO 8601 format.
- Supported operations are Get and Replace.
<a href="" id="stoptime"></a>**StopTime**
Specifies the ending time for retrieving logs.
Value type is string. Use ISO 8601 format.
Supported operations are Get and Replace.
- Value type is string. Use ISO 8601 format.
- Supported operations are Get and Replace.
<a href="" id="type"></a>**Type**
Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the WIP learning logs.
Value type is integer.
Supported operations are Get and Replace.
- Value type is integer.
- Supported operations are Get and Replace.
<a href="" id="logcount"></a>**LogCount**
Specifies the number of logs to retrieve from the StartTime.
Value type is int.
Supported operations are Get and Replace.
- Value type is int.
- Supported operations are Get and Replace.
## Example
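Review bot: the value-type wording is inconsistent within this hunk: the Type bullet reads "Value type is integer." while the LogCount bullet reads "Value type is int."; since both lines are being rewritten as bullets, use the same term for both (the term already used for Type, "integer", matches the `<int />` DFFormat shown in the DDF topic).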
@ -170,4 +174,8 @@ Retrieve a specified number of security auditing logs starting from the specifie
</SyncBody>
</SyncML>
```
-->
-->
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
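Review bot: the closing `-->` right after the example's code fence shows that the SyncML example (`</SyncBody>`, `</SyncML>`) is still inside an HTML comment, so the `## Example` heading shown in the previous hunk renders with no visible example unless that heading is inside the comment as well; either restore the example or remove the heading before adding the Related topics section beneath it.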

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# Reporting DDF file
This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -73,7 +72,7 @@ The XML below is the current version for the desktop CSP.
<AccessType>
<Get />
</AccessType>
<Description>A time range is supported by setting a start and stop time in ISO 8601 format. If the start/stop value is not preset and a GetValue is called to RetrieveByTimeRange then the missing values will be interpreted as either the first existing or the last existing. For example, not setting a start date and setting an end date will return all known logs that exist before the end date. Setting a start date but not an end date will return all the logs that exist from the start date. Not setting a start and end date will return all logs.</Description>
<Description>A time range is supported by setting a start and stop time in ISO 8601 format. If the start/stop value is not preset and a GetValue is called to RetrieveByTimeRange, then the missing values will be interpreted as either the first existing or the last existing. For example, not setting a start date, and setting an end date will return all known logs that exist before the end date. Setting a start date but not an end date will return all the logs that exist from the start date. Not setting a start and end date will return all logs.</Description>
<DFFormat>
<node />
</DFFormat>
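Review bot: the comma added in "not setting a start date, and setting an end date will return" splits a compound subject and should be dropped; the comma added after "RetrieveByTimeRange" is fine. As with the RemoteWipe DDF, this text is the doc copy of the shipped DDF's Description, so wording changes belong in the source DDF rather than only here.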
@ -159,7 +158,7 @@ The XML below is the current version for the desktop CSP.
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Specifies the type of logs to retrieve</Description>
<Description>Specifies the type of logs to retrieve.</Description>
<DFFormat>
<int />
</DFFormat>
@ -181,7 +180,7 @@ The XML below is the current version for the desktop CSP.
<AccessType>
<Get />
</AccessType>
<Description>The count range will return the configured number of logs starting from the StartTime value. The start time is expressed in ISO8601 formt. The caller will configure the number of desired logs by calling set on the LogCount and StartTime, then retrieve the logs by calling get on Logs node. The call will return the number of desired logs or less if the total number of logs are less than the desired number of logs. The logs are returned from StartTime forward.</Description>
<Description>The count range will return the configured number of logs starting from the StartTime value. The start time is expressed in ISO8601 format. The caller will configure the number of desired logs by calling set on the LogCount and StartTime, and then retrieve the logs by calling get on Logs node. The call will return the number of desired logs or less, if the total number of logs are less than the desired number of logs. The logs are returned from StartTime forward.</Description>
<DFFormat>
<node />
</DFFormat>
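Review bot: in the rewritten Description, "or less, if the total number of logs are less than" adds an unneeded comma before "if" and keeps the agreement error "number of logs are" (singular "number" takes "is"); the "formt" to "format" correction is right. Suggested: "The call will return the number of desired logs, or fewer if the total number of logs is less than the desired number."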
@ -266,7 +265,7 @@ The XML below is the current version for the desktop CSP.
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Specifies the type of logs to retrieve</Description>
<Description>Specifies the type of logs to retrieve.</Description>
<DFFormat>
<int />
</DFFormat>
@ -286,13 +285,8 @@ The XML below is the current version for the desktop CSP.
</Node>
</MgmtTree>
```
 
## Related topics
 
[Reporting CSP](reporting-csp.md)
 

View File

@ -14,13 +14,21 @@ ms.date: 03/06/2018
# RootCATrustedCertificates CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates.
> [!Note]
> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**.
 
The following example shows the RootCATrustedCertificates configuration service provider in tree format.
Detailed specification of the principal root nodes:
@ -61,13 +69,13 @@ RootCATrustedCertificates
------------TemplateName
```
<a href="" id="device-or-user"></a>**Device or User**
For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path.
For device certificates, use **./Device/Vendor/MSFT** path, and for user certificates use **./User/Vendor/MSFT** path.
<a href="" id="rootcatrustedcertificates"></a>**RootCATrustedCertificates**
The root node for the RootCATrustedCertificates configuration service provider.
<a href="" id="rootcatrustedcertificates-root-"></a>**RootCATrustedCertificates/Root/**
Defines the certificate store that contains root, or self-signed certificates, in this case, the computer store.
Defines the certificate store that contains root or self-signed certificates, in this case, the computer store.
> [!Note]
> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**.
@ -89,34 +97,24 @@ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certifi
The following nodes are all common to the **_CertHash_** node:
<a href="" id="-encodedcertificate"></a>**/EncodedCertificate**
Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace.
- <a href="" id="-encodedcertificate"></a>**/EncodedCertificate**
Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace.
<a href="" id="-issuedby"></a>**/IssuedBy**
- <a href="" id="-issuedby"></a>**/IssuedBy**
Returns the name of the certificate issuer. This name is equivalent to the **Issuer** member in the CERT\_INFO data structure. The only supported operation is Get.
<a href="" id="-issuedto"></a>**/IssuedTo**
- <a href="" id="-issuedto"></a>**/IssuedTo**
Returns the name of the certificate subject. This name is equivalent to the **Subject** member in the CERT\_INFO data structure. The only supported operation is Get.
<a href="" id="-validfrom"></a>**/ValidFrom**
- <a href="" id="-validfrom"></a>**/ValidFrom**
Returns the starting date of the certificate's validity. This date is equivalent to the **NotBefore** member in the CERT\_INFO data structure. The only supported operation is Get.
<a href="" id="-validto"></a>**/ValidTo**
- <a href="" id="-validto"></a>**/ValidTo**
Returns the expiration date of the certificate. This date is equivalent to the **NotAfter** member in the CERT\_INFO data structure. The only supported operation is Get.
<a href="" id="-templatename"></a>**/TemplateName**
- <a href="" id="-templatename"></a>**/TemplateName**
Returns the certificate template name. The only supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 
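Review bot: turning each anchor heading into a bullet (`- <a href="" id="-encodedcertificate"></a>**/EncodedCertificate**`) while leaving its description on the following unindented line breaks the list: each bullet will contain only the node name and the description becomes a detached paragraph. Either indent each description under its bullet or keep the anchor-plus-paragraph form used for the other nodes in this file (**RootCATrustedCertificates**, **RootCATrustedCertificates/Root/**). Also, "can't" to "cannot" in the EncodedCertificate text goes against the contractions kept elsewhere in this change ("isn't" in the RemoteFind hunks, "that's" in SecureAssessment).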

View File

@ -14,7 +14,6 @@ ms.date: 03/07/2018
# RootCATrustedCertificates DDF file
This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
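Review bot: the intro still names the provider **RootCACertificates** while the title directly above it says RootCATrustedCertificates; since this hunk touches the line right after it, correct the name here too.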
@ -77,7 +76,7 @@ The XML below is for Windows 10, version 1803.
<Delete />
<Get />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
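Review bot: this and the following Description hunks in this file only append a period, and in the Issuer hunks the before and after lines are identical apart from whitespace; as with the other DDF topics in this change, these edits alter the doc copy of the XML rather than the DDF it reproduces, so they either need to be mirrored in the shipped DDF or dropped. If kept, the whitespace-only Issuer hunks add noise with no content change and should be reverted.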
@ -127,7 +126,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -199,7 +198,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -272,7 +271,7 @@ The XML below is for Windows 10, version 1803.
<Delete />
<Get />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -319,7 +318,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -382,7 +381,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -449,7 +448,7 @@ The XML below is for Windows 10, version 1803.
<Delete />
<Get />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -499,7 +498,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -571,7 +570,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -644,7 +643,7 @@ The XML below is for Windows 10, version 1803.
<Delete />
<Get />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -694,7 +693,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -766,7 +765,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -839,7 +838,7 @@ The XML below is for Windows 10, version 1803.
<Get />
<Delete />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -889,7 +888,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -961,7 +960,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1055,7 +1054,7 @@ The XML below is for Windows 10, version 1803.
<Delete />
<Get />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1105,7 +1104,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1177,7 +1176,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1250,7 +1249,7 @@ The XML below is for Windows 10, version 1803.
<Delete />
<Get />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1297,7 +1296,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1360,7 +1359,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1427,7 +1426,7 @@ The XML below is for Windows 10, version 1803.
<Delete />
<Get />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1477,7 +1476,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1549,7 +1548,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1622,7 +1621,7 @@ The XML below is for Windows 10, version 1803.
<Delete />
<Get />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1672,7 +1671,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1744,7 +1743,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1817,7 +1816,7 @@ The XML below is for Windows 10, version 1803.
<Get />
<Delete />
</AccessType>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
<Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1867,7 +1866,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<Description>Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1939,7 +1938,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
<Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1986,3 +1985,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[RootCATrustedCertificates CSP](rootcacertificates-csp.md)
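Review bot: the new Related topics link points at rootcacertificates-csp.md while the topic it names is "RootCATrustedCertificates CSP" and the DDF intro calls it RootCACertificates; confirm the target filename exists as written, since the provider appears under both names in this file.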

View File

@ -14,6 +14,16 @@ ms.date: 06/26/2017
# SecureAssessment CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The SecureAssessment configuration service provider is used to provide configuration information for the secure assessment browser.
The following example shows the SecureAssessment configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
@ -29,7 +39,7 @@ The root node for the SecureAssessment configuration service provider.
The supported operation is Get.
<a href="" id="launchuri"></a>**LaunchURI**
URI Link to an assessment that's automatically loaded when the secure assessment browser is launched.
URI link to an assessment that's automatically loaded when the secure assessment browser is launched.
The supported operations are Add, Delete, Get, and Replace.

View File

@ -184,12 +184,6 @@ The XML below is the current version for this CSP.
</MgmtTree>
```
 
 
## Related topics
[SecureAssessment CSP](secureassessment-csp.md)

View File

@ -14,15 +14,22 @@ ms.date: 06/26/2017
# SecurityPolicy CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The SecurityPolicy configuration service provider is used to configure security policy settings for WAP push, OMA Client Provisioning, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_SECURITY\_POLICIES capabilities to be accessed from a network configuration application.
 
For the SecurityPolicy CSP, you can't use the Replace command unless the node already exists.
For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists.
The following example shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
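Review bot: changing "you can't" to "you cannot" runs opposite to the rest of this commit, which keeps contractions ("you're", "aren't", "isn't", "here's") in the SharedPC and SurfaceHub files; keep "can't" so the CSP pages stay consistent with each other. The added applicability table matches the ones added to SecureAssessment and SharedPC in this same commit, so that part looks right.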
@ -112,7 +119,6 @@ The following security policies are supported.
## Remarks
Security roles allow or restrict access to device resources. The security role is based on the message origin and how the message is signed. You can assign multiple roles to a message in the security policy XML document by combining the decimal values of the roles that you want to assign. For example, to assign both the SECROLE\_KNOWN\_PPG and SECROLE\_OPERATOR\_TPS roles, use the decimal value 384 (256+128).
The following security roles are supported.
@ -123,11 +129,8 @@ The following security roles are supported.
|SECROLE_KNOWN_PPG|256|Known Push Proxy Gateway.<br>Messages assigned this role indicate that the device knows the address to the Push Proxy Gateway.|
|SECROLE_ANY_PUSH_SOURCE|4096|Push Router.<br>Messages received by the push router will be assigned to this role.|
 
## OMA Client Provisioning examples
Setting a security policy:
```xml
@ -150,7 +153,6 @@ Querying a security policy:
## OMA DM examples
Setting a security policy:
```xml
@ -195,7 +197,6 @@ Querying a security policy:
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this Configuration Service Provider supports for OMA Client Provisioning.
|Elements|Available|
@ -203,9 +204,6 @@ The following table shows the Microsoft custom elements that this Configuration
|parm-query|Yes|
|noparm|Yes. If this element is used, then the policy is set to 0 by default (corresponding to the most restrictive of policy values).|
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,6 +14,15 @@ ms.date: 01/16/2019
# SharedPC CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The SharedPC configuration service provider is used to configure settings for Shared PC usage.
@ -57,7 +66,9 @@ A boolean value that specifies whether the policies for education environment ar
The supported operations are Add, Get, Replace, and Delete.
The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
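Review bot: the paragraph being split still states two different defaults for the same node, "The default value changed to false in Windows 10, version 1703" and, in the next sentence, "The default value is Not Configured." Since the hunk already rewrites these lines, reconcile the two statements (say which is the documented default and which is the resulting behavior) rather than only inserting a line break between the version-1703 and version-1607 sentences.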
@ -140,9 +151,9 @@ For Windows 10, version 1607, here's the list shows the supported values:
For Windows 10, version 1703, here's the list of supported values:
- 0 - Delete immediately
- 1 - Delete at disk space threshold
- 2 - Delete at disk space threshold and inactive threshold
- 0 - Delete immediately.
- 1 - Delete at disk space threshold.
- 2 - Delete at disk space threshold and inactive threshold.
The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2.
@ -181,7 +192,8 @@ The default value is Not Configured and behavior is no such restriction applied.
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
- Value type is string.
- Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
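Review bot: the note in the trailing context, "If used, this value must set before the action on the **EnableSharedPCMode** node is taken.", is missing "be" ("must be set"); the identical sentence appears again in the paging-file hunk below. Both lines are already in context in this pass, so fixing them here would complete the grammar cleanup. The bulleting of "Value type is string" and "Supported operations are Add, Get, Replace, and Delete" is consistent with the InactiveThreshold and paging-file nodes changed below.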
@ -197,7 +209,9 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="inactivethreshold"></a>**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
The default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- The default value is Not Configured.
- Value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 30.
@ -207,13 +221,14 @@ Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applie
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- Default value is Not Configured.
- Value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 1024.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# SharedPC DDF file
This topic shows the OMA DM device description framework (DDF) for the **SharedPC** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -176,7 +175,7 @@ The XML below is the DDF for Windows 10, version 1703.
<Replace />
</AccessType>
<DefaultValue>300</DefaultValue>
<Description>The amount of time before the PC sleeps, giving in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<Description>The amount of time before the PC sleeps, given in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.</Description>
<DFFormat>
<int />
</DFFormat>
@ -436,7 +435,6 @@ The XML below is the DDF for Windows 10, version 1703.
## Related topics
[SharedPC configuration service provider](sharedpc-csp.md)
 

View File

@ -17,6 +17,7 @@ ms.date: 07/28/2017
The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511.
The following example shows the SurfaceHub CSP management objects in tree format.
```
./Vendor/MSFT
SurfaceHub
@ -72,13 +73,14 @@ SurfaceHub
--------WorkspaceID
--------WorkspaceKey
```
<a href="" id="--vendor-msft-surfacehub"></a>**./Vendor/MSFT/SurfaceHub**
<p>The root node for the Surface Hub configuration service provider.
The root node for the Surface Hub configuration service provider.
<a href="" id="deviceaccount"></a>**DeviceAccount**
<p>Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.
Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.
<p>To use a device account from Azure Active Directory
To use a device account from Azure Active Directory
1. Set the UserPrincipalName (for Azure AD).
2. Set a valid Password.
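Review bot: "To use a device account from Azure Active Directory" is left without a trailing colon, while the parallel lead-in later in this file becomes "To use a device account from Active Directory:"; make the two match, since both introduce a numbered procedure. Removing the unclosed <p> tags in favour of plain Markdown is the right call here, as none of them had a matching </p>.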
@ -89,7 +91,7 @@ SurfaceHub
> If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress.
<p>Here&#39;s a SyncML example.
Here&#39;s a SyncML example.
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
@ -139,7 +141,7 @@ SurfaceHub
</SyncML>
```
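Review bot: with the <p> wrapper removed, "Here&#39;s a SyncML example." is now plain Markdown text, so the &#39; entity can be written as a literal apostrophe; the entity was only needed inside the raw HTML paragraph.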
<p>To use a device account from Active Directory
To use a device account from Active Directory:
1. Set the DomainName.
2. Set the UserName.
@ -147,207 +149,268 @@ SurfaceHub
4. Execute the ValidateAndCommit node.
<a href="" id="deviceaccount-domainname"></a>**DeviceAccount/DomainName**
<p>Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
<p>The data type is string. Supported operation is Get and Replace.
Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="deviceaccount-username"></a>**DeviceAccount/UserName**
<p>Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
<p>The data type is string. Supported operation is Get and Replace.
Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="deviceaccount-userprincipalname"></a>**DeviceAccount/UserPrincipalName**
<p>User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
<p>The data type is string. Supported operation is Get and Replace.
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="deviceaccount-sipaddress"></a>**DeviceAccount/SipAddress**
<p>Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
<p>The data type is string. Supported operation is Get and Replace.
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="deviceaccount-password"></a>**DeviceAccount/Password**
<p>Password for the device account.
<p>The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
Password for the device account.
- The data type is string.
- Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
<a href="" id="deviceaccount-validateandcommit"></a>**DeviceAccount/ValidateAndCommit**
<p>This method validates the data provided and then commits the changes.
<p>The data type is string. Supported operation is Execute.
This method validates the data provided and then commits the changes.
- The data type is string.
- Supported operation is Execute.
<a href="" id="deviceaccount-email"></a>**DeviceAccount/Email**
<p>Email address of the device account.
<p>The data type is string.
Email address of the device account. The data type is string.
<a href="" id="deviceaccount-passwordrotationenabled"></a>**DeviceAccount/PasswordRotationEnabled**
<p>Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
<a href="" id="deviceaccount-passwordrotationenabled"></a>**DeviceAccount/
PasswordRotationEnabled**
<p>Valid values:
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
Valid values:
- 0 - password rotation enabled
- 1 - disabled
<p>The data type is integer. Supported operation is Get and Replace.
It performs the following:
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="deviceaccount-exchangeserver"></a>**DeviceAccount/ExchangeServer**
<p>Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
<p>The data type is string. Supported operation is Get and Replace.
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="deviceaccount-exchangemodernauthenabled"></a>**DeviceAccount/ExchangeModernAuthEnabled**
<p>Added in <a href="https://support.microsoft.com/help/4598291" data-raw-source="[KB4598291](https://support.microsoft.com/help/4598291)">KB4598291</a> for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
<p>The data type is boolean. Supported operation is Get and Replace.
Added in <a href="https://support.microsoft.com/help/4598291" data-raw-source="[KB4598291](https://support.microsoft.com/help/4598291)">KB4598291</a> for Windows 10, version 20H2. Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="deviceaccount-calendarsyncenabled"></a>**DeviceAccount/CalendarSyncEnabled**
<p>Specifies whether calendar sync and other Exchange server services is enabled.
<p>The data type is boolean. Supported operation is Get and Replace.
Specifies, whether calendar sync and other Exchange server services is enabled.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="deviceaccount-errorcontext"></a>**DeviceAccount/ErrorContext**
If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values:
| ErrorContext value | Stage where error occurred | Description and suggestions |
| **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
| --- | --- | --- |
| 1 | Unknown | |
| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/>-For Azure AD accounts, ensure that UserPrincipalName and Password are valid.<br/>-For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/>-Ensure that the specified account has an Exchange server mailbox. |
| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Azure AD accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. |
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure that the ExchangeServer field is valid. |
| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. |
| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. |
The data type is integer. Supported operation is Get.
It performs the following:
- The data type is integer.
- Supported operation is Get.
<a href="" id="maintenancehourssimple-hours"></a>**MaintenanceHoursSimple/Hours**
<p>Node for maintenance schedule.
Node for maintenance schedule.
<a href="" id="maintenancehourssimple-hours-starttime"></a>**MaintenanceHoursSimple/Hours/StartTime**
<p>Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
<p>The data type is integer. Supported operation is Get and Replace.
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="maintenancehourssimple-hours-duration"></a>**MaintenanceHoursSimple/Hours/Duration**
<p>Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
<p>The data type is integer. Supported operation is Get and Replace.
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="inboxapps"></a>**InBoxApps**
<p>Node for the in-box app settings.
Node for the in-box app settings.
<a href="" id="inboxapps-skypeforbusiness"></a>**InBoxApps/SkypeForBusiness**
<p>Added in Windows 10, version 1703. Node for the Skype for Business settings.
Added in Windows 10, version 1703. Node for the Skype for Business settings.
<a href="" id="inboxapps-skypeforbusiness-domainname"></a>**InBoxApps/SkypeForBusiness/DomainName**
<p>Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see <a href="/SkypeForBusiness/set-up-skype-for-business-online" data-raw-source="[Set up Skype for Business Online](/SkypeForBusiness/set-up-skype-for-business-online)">Set up Skype for Business Online</a>.
<p>The data type is string. Supported operation is Get and Replace.
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see <a href="/SkypeForBusiness/set-up-skype-for-business-online" data-raw-source="[Set up Skype for Business Online](/SkypeForBusiness/set-up-skype-for-business-online)">Set up Skype for Business Online</a>.
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-welcome"></a>**InBoxApps/Welcome**
<p>Node for the welcome screen.
Node for the welcome screen.
<a href="" id="inboxapps-welcome-autowakescreen"></a>**InBoxApps/Welcome/AutoWakeScreen**
<p>Automatically turn on the screen using motion sensors.
<p>The data type is boolean. Supported operation is Get and Replace.
Automatically turn on the screen using motion sensors.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-welcome-currentbackgroundpath"></a>**InBoxApps/Welcome/CurrentBackgroundPath**
<p>Download location for image to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub, otherwise it may not be able to load the image.
<p>The data type is string. Supported operation is Get and Replace.
Download location for image, to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub. Otherwise, it may not be able to load the image.
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-welcome-meetinginfooption"></a>**InBoxApps/Welcome/MeetingInfoOption**
<p>Meeting information displayed on the welcome screen.
<p>Valid values:
Meeting information displayed on the welcome screen.
Valid values:
- 0 - Organizer and time only
- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
<p>The data type is integer. Supported operation is Get and Replace.
It performs the following:
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-whiteboard"></a>**InBoxApps/Whiteboard**
<p>Node for the Whiteboard app settings.
Node for the Whiteboard app settings.
<a href="" id="inboxapps-whiteboard-sharingdisabled"></a>**InBoxApps/Whiteboard/SharingDisabled**
<p>Invitations to collaborate from the Whiteboard app aren't allowed.
<p>The data type is boolean. Supported operation is Get and Replace.
Invitations to collaborate from the Whiteboard app aren't allowed.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-whiteboard-signindisabled"></a>**InBoxApps/Whiteboard/SigninDisabled**
<p>Sign-ins from the Whiteboard app aren't allowed.
<p>The data type is boolean. Supported operation is Get and Replace.
Sign-in from the Whiteboard app aren't allowed.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-whiteboard-telemetrydisabled"></a>**InBoxApps/Whiteboard/TelemeteryDisabled**
<p>Telemetry collection from the Whiteboard app isn't allowed.
<p>The data type is boolean. Supported operation is Get and Replace.
Telemetry collection from the Whiteboard app isn't allowed.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-wirelessprojection"></a>**InBoxApps/WirelessProjection**
<p>Node for the wireless projector app settings.
Node for the wireless projector app settings.
<a href="" id="inboxapps-wirelessprojection-pinrequired"></a>**InBoxApps/WirelessProjection/PINRequired**
<p>Users must enter a PIN to wirelessly project to the device.
<p>The data type is boolean. Supported operation is Get and Replace.
Users must enter a PIN to wireless project to the device.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-wirelessprojection-enabled"></a>**InBoxApps/WirelessProjection/Enabled**
<p>Enables wireless projection to the device.
<p>The data type is boolean. Supported operation is Get and Replace.
Enables wireless projection to the device.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-wirelessprojection-channel"></a>**InBoxApps/WirelessProjection/Channel**
<p>Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
|Compatibility|Values|
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
|**Compatibility**|**Values**|
|--- |--- |
|Works with all Miracast senders in all regions|1, 3, 4, 5, 6, 7, 8, 9, 10, 11|
|Works with all 5ghz band Miracast senders in all regions|36, 40, 44, 48|
|Works with all 5ghz band Miracast senders in all regions except Japan|149, 153, 157, 161, 165|
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won&#39;t be looking for).
<p>The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won&#39;t be looking for).
<p>The data type is integer. Supported operation is Get and Replace.
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="inboxapps-connect"></a>**InBoxApps/Connect**
<p>Added in Windows 10, version 1703. Node for the Connect app.
Added in Windows 10, version 1703. Node for the Connect app.
<a href="" id="inboxapps-welcome-autowakescreen"></a>**InBoxApps/Connect/AutoLaunch**
<p>Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated.
<p>If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hubs settings.
Added in Windows 10, version 1703. Specifies, whether to automatically launch the Connect app whenever a projection is initiated.
<p>The data type is boolean. Supported operation is Get and Replace.
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hubs settings.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="properties"></a>**Properties**
<p>Node for the device properties.
Node for the device properties.
<a href="" id="properties-friendlyname"></a>**Properties/FriendlyName**
<p>Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device.
<p>The data type is string. Supported operation is Get and Replace.
Friendly name of the device. Specifies the name that users see when they want wireless project to the device.
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="properties-defaultvolume"></a>**Properties/DefaultVolume**
<p>Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
<p>The data type is integer. Supported operation is Get and Replace.
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="properties-defaultautomaticframing"></a>**Properties/DefaultAutomaticFraming**
<p>Added in <a href="https://support.microsoft.com/help/5010415" data-raw-source="[KB5010415](https://support.microsoft.com/help/5010415)">KB5010415</a> for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True.
<p>The data type is boolean. Supported operation is Get and Replace.
Added in <a href="https://support.microsoft.com/help/5010415" data-raw-source="[KB5010415](https://support.microsoft.com/help/5010415)">KB5010415</a> for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="properties-screentimeout"></a>**Properties/ScreenTimeout**
<p>Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
<p>The following table shows the permitted values.
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
|Value|Description|
The following table shows the permitted values.
|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute|
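Review bot: the DeviceAccount/PasswordRotationEnabled heading is broken by this hunk: "**DeviceAccount/" and "PasswordRotationEnabled**" now sit on two separate lines, so the bold span will not render and the <a> anchor is detached from its label; restore it to a single line like every other node heading. Several other edits in this hunk are regressions and should be reverted: "It performs the following:" inserted ahead of the data type and supported operation bullets (PasswordRotationEnabled, ErrorContext, MeetingInfoOption) does not describe those bullets; "Specifies, whether" (ExchangeModernAuthEnabled, CalendarSyncEnabled, Connect/AutoLaunch) and "Download location for image, to be used" add spurious commas; "Sign-in from the Whiteboard app aren't allowed" loses subject-verb agreement; and "wireless project" (PINRequired, FriendlyName) replaces the grammatical "wirelessly project". Also visible in context here: the InBoxApps/Connect/AutoLaunch heading reuses the anchor id "inboxapps-welcome-autowakescreen" already used by InBoxApps/Welcome/AutoWakeScreen, so in-page links to that id are ambiguous; a unique id following the existing pattern (for example "inboxapps-connect-autolaunch", a suggested name) would fix it.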
@ -361,14 +424,17 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
<p>The data type is integer. Supported operation is Get and Replace.
It performs the following:
- The data type is integer.
- Supported operation is Get and Replace.
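Review bot: "It performs the following:" inserted ahead of "The data type is integer." and "Supported operation is Get and Replace." does not describe those bullets (nothing is performed by a data type); drop the line, or use the same bare bullet list the other nodes in this file now use. The same insertion appears in the SessionTimeout and SleepTimeout hunks that follow and should be handled the same way.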
<a href="" id="properties-sessiontimeout"></a>**Properties/SessionTimeout**
<p>Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
<p>The following table shows the permitted values.
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
|Value|Description|
The following table shows the permitted values.
|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute (default)|
@ -382,14 +448,17 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
<p>The data type is integer. Supported operation is Get and Replace.
It performs the following:
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="properties-sleeptimeout"></a>**Properties/SleepTimeout**
<p>Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
<p>The following table shows the permitted values.
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
|Value|Description|
The following table shows the permitted values.
|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute|
@ -403,61 +472,80 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
<p>The data type is integer. Supported operation is Get and Replace.
It performs the following:
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="properties-sleepmode"></a>**Properties/SleepMode**
<p>Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
<p>Valid values:
Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
Valid values:
- 0 - Connected Standby (default)
- 1 - Hibernate
<p>The data type is integer. Supported operation is Get and Replace.
It performs the following:
- The data type is integer.
- Supported operation is Get and Replace.
<a href="" id="properties-allowsessionresume"></a>**Properties/AllowSessionResume**
<p>Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
<p>If this setting is true, the &quot;Resume Session&quot; feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session&quot; feature was initiated.
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
<p>The data type is boolean. Supported operation is Get and Replace.
If this setting is true, the &quot;Resume Session&quot; feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session&quot; feature was initiated.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="properties-allowautoproxyauth"></a>**Properties/AllowAutoProxyAuth**
<p>Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
<p>If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
<p>The data type is boolean. Supported operation is Get and Replace.
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="properties-proxyservers"></a>**Properties/ProxyServers**
<p>Added in <a href="https://support.microsoft.com/help/4499162" data-raw-source="[KB4499162](https://support.microsoft.com/help/4499162)">KB4499162</a> for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://).
<p>The data type is string. Supported operation is Get and Replace.
Added in <a href="https://support.microsoft.com/help/4499162" data-raw-source="[KB4499162](https://support.microsoft.com/help/4499162)">KB4499162</a> for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://).
- The data type is string.
- Supported operation is Get and Replace.
<a href="" id="properties-disablesigninsuggestions"></a>**Properties/DisableSigninSuggestions**
<p>Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
<p>If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
<p>The data type is boolean. Supported operation is Get and Replace.
If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="properties-donotshowmymeetingsandfiles"></a>**Properties/DoNotShowMyMeetingsAndFiles**
<p>Added in Windows 10, version 1703. Specifies whether to disable the &quot;My meetings and files&quot; feature in the Start menu, which shows the signed-in user&#39;s meetings and files from Office 365.
<p>If this setting is true, the “My meetings and files feature won't be shown. When false, the “My meetings and files feature will be shown.
Added in Windows 10, version 1703. Specifies whether to disable the &quot;My meetings and files&quot; feature in the Start menu, which shows the signed-in user&#39;s meetings and files from Office 365.
<p>The data type is boolean. Supported operation is Get and Replace.
If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
- The data type is boolean.
- Supported operation is Get and Replace.
<a href="" id="momagent"></a>**MOMAgent**
<p>Node for the Microsoft Operations Management Suite.
Node for the Microsoft Operations Management Suite.
<a href="" id="momagent-workspaceid"></a>**MOMAgent/WorkspaceID**
<p>GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
<p>The data type is string. Supported operation is Get and Replace.
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
<a href="" id="momagent-workspacekey"></a>**MOMAgent/WorkspaceKey**
<p>Primary key for authenticating with the workspace.
- The data type is string.
- Supported operation is Get and Replace.
<p>The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
<a href="" id="momagent-workspacekey"></a>**MOMAgent/WorkspaceKey**
Primary key for authenticating with the workspace.
- The data type is string.
- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
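Review bot: the KB4499162 link on the "Added in" line of **Properties/ProxyServers** is still the HTML `<a href="..." data-raw-source="...">` form, while every other `<p>` wrapper in this hunk has been converted to plain markdown; replace it with `[KB4499162](https://support.microsoft.com/help/4499162)` so the file is consistent. While touching ProxyServers, it would also help readers to state whether device account credentials are offered only to the listed FQDNs when AllowAutoProxyAuth is true, since this property is what decides where those credentials go.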

View File

@ -13,6 +13,16 @@ manager: dansimp
# TenantLockdown CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809.
@ -28,16 +38,21 @@ TenantLockdown
----RequireNetworkInOOBE
```
<a href="" id="tenantlockdown"></a>**./Vendor/MSFT/TenantLockdown**
The root node.
The root node for the TenantLockdown configuration service provider.
<a href="" id="requirenetworkinoobe"></a>**RequireNetworkInOOBE**
Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in.
Specifies whether a network connection is required during the out-of-box experience (OOBE) at first logon.
When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option.
Value type is bool. Supported operations are Get and Replace.
- Value type is bool.
- Supported operations are Get and Replace.
- True - Require network in OOBE
- False - No network connection requirement in OOBE
- True - Require network in OOBE.
- False - No network connection requirement in OOBE.
Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they're required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There's no option to skip the network connection and create a local account.
Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
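Review bot: replacing "at first sign in" with "at first logon" in the RequireNetworkInOOBE description is inconsistent with the unchanged paragraph immediately below it, which still says "at first sign in", and with the "sign-in experience" wording in the example scenario; keep "sign in" throughout. Also, the new "Value type is bool." and "Supported operations are Get and Replace." bullets run straight into the "True" / "False" value bullets and render as a single list; separate them with a blank line or a "Supported values:" lead-in.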

View File

@ -75,3 +75,7 @@ The XML below is for Windows 10, version 1809.
</Node>
</MgmtTree>
```
## Related topics
[TenantLockdown CSP](tenantlockdown-csp.md)

View File

@ -255,8 +255,6 @@ items:
items:
- name: EnterpriseAPN DDF
href: enterpriseapn-ddf.md
- name: EnterpriseAppManagement CSP
href: enterpriseappmanagement-csp.md
- name: EnterpriseAppVManagement CSP
href: enterpriseappvmanagement-csp.md
items:
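Review bot: removing the EnterpriseAppManagement CSP entry (and, in the later hunks, the Messaging CSP and RemoteRing CSP entries together with their DDF children) makes those pages unreachable from the TOC; if the pages are being retired, the corresponding .md files should be deleted and redirects added in the same change, and if they are not, the entries should stay.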
@ -296,11 +294,6 @@ items:
items:
- name: HealthAttestation DDF
href: healthattestation-ddf.md
- name: Messaging CSP
href: messaging-csp.md
items:
- name: Messaging DDF file
href: messaging-ddf.md
- name: MultiSIM CSP
href: multisim-csp.md
items:
@ -853,11 +846,6 @@ items:
items:
- name: RemoteFind DDF file
href: remotefind-ddf-file.md
- name: RemoteRing CSP
href: remotering-csp.md
items:
- name: RemoteRing DDF file
href: remotering-ddf-file.md
- name: RemoteWipe CSP
href: remotewipe-csp.md
items:
@ -963,10 +951,10 @@ items:
items:
- name: WindowsAdvancedThreatProtection DDF file
href: windowsadvancedthreatprotection-ddf.md
- name: WindowsAutoPilot CSP
- name: WindowsAutopilot CSP
href: windowsautopilot-csp.md
items:
- name: WindowsAutoPilot DDF file
- name: WindowsAutopilot DDF file
href: windowsautopilot-ddf-file.md
- name: WindowsDefenderApplicationGuard CSP
href: windowsdefenderapplicationguard-csp.md

View File

@ -14,6 +14,16 @@ ms.date: 06/18/2019
# WiFi CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@ -41,11 +51,10 @@ WiFi
---------WiFiCost
```
The following list shows the characteristics and parameters.
<a href="" id="wifi"></a>**Device or User profile**
For user profile, use ./User/Vendor/MSFT/Wifi path and for device profile, use ./Device/Vendor/MSFT/Wifi path.
For user profile, use .`/User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path.
<a href="" id="profile"></a>**Profile**
Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network for example, the SSID, authentication and encryption methods and passphrase if there's WEP or WPA2 networks.
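Review bot: the code span on the "Device or User profile" line is misplaced: `.`/User/Vendor/MSFT/Wifi` puts the leading dot outside the backticks, so the user path renders as ".`/User/Vendor/MSFT/Wifi`"; it should read `./User/Vendor/MSFT/Wifi`, matching the device path `./Device/Vendor/MSFT/Wifi` on the same line.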
@ -94,6 +103,7 @@ Supported operations are Get, Add, Delete, and Replace.
-->
<a href="" id="disableinternetconnectivitychecks"></a>**DisableInternetConnectivityChecks**
> [!Note]
> This node has been deprecated since Windows 10, version 1607.
@ -101,8 +111,8 @@ Added in Windows 10, version 1511. Optional. Disable the internet connectivity c
Value type is chr.
- True - internet connectivity check is disabled.
- False - internet connectivity check is enabled.
- True - internet connectivity check is disabled.
- False - internet connectivity check is enabled.
Supported operations are Get, Add, Delete, and Replace.
@ -139,7 +149,6 @@ Supported operations are Add, Get, Replace and Delete. Value type is integer.
## Examples
These XML examples show how to perform various tasks using OMA DM.
### Add a network
@ -241,8 +250,4 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID MyNetw
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -15,11 +15,11 @@ ms.date: 06/28/2018
# WiFi DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML.
The XML below is for Windows 10, version 1809.
The XML below is for Windows 10, version 1809 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>

View File

@ -14,6 +14,15 @@ ms.date: 06/26/2017
# Win32AppInventory CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device.

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# Win32AppInventory DDF file
This topic shows the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -274,15 +273,4 @@ The XML below is the current version for this CSP.
## Related topics
[Win32AppInventory configuration service provider](win32appinventory-csp.md)
 
 
[Win32AppInventory configuration service provider](win32appinventory-csp.md)

View File

@ -11,7 +11,17 @@ ms.reviewer:
manager: dansimp
---
# Win32CompatibilityAppraiser CSP
# Win32CompatibilityAppraiser CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@ -45,52 +55,64 @@ Win32CompatibilityAppraiser
------------MostRestrictiveSetting
--------WerConnectionReport
```
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/Win32CompatibilityAppraiser**
The root node for the Win32CompatibilityAppraiser configuration service provider.
<a href="" id="compatibilityappraiser"></a>**CompatibilityAppraiser**
This represents the state of the Compatibility Appraiser.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis**
This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-commercialid"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId**
The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
Value type is string. Supported operation is Get.
Value type is string.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosiscommercialidsetandvalid"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid**
A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-alltargetosversionsrequested"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested**
A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-osskuisvalidforappraiser"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser**
A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-appraisercodeanddataversionsaboveminimum"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum**
An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data.
The values are:
- 0 == Neither the code nor data is of a sufficient version
- 1 == The code version is insufficient but the data version is sufficient
- 2 == The code version is sufficient but the data version is insufficient
- 3 == Both the code and data are of a sufficient version
The values are:
- 0 == Neither the code nor data is of a sufficient version.
- 1 == The code version is insufficient but the data version is sufficient.
- 2 == The code version is sufficient but the data version is insufficient.
- 3 == Both the code and data are of a sufficient version.
Value type is integer. Supported operation is Get.
Value type is integer.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-rebootpending"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserrunresultreport"></a>**CompatibilityAppraiser/AppraiserRunResultReport**
This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations.
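Review bot: the root node line `**./Vendor/MSFT/Win32CompatibilityAppraiser**` carries the anchor `id="accountmanagement"`, which was copied from the AccountManagement CSP page; since this hunk already rewrites the surrounding lines, change it to `id="win32compatibilityappraiser"`. The CommercialIdSetAndValid anchor is also missing a hyphen (`appraiserconfigurationdiagnosiscommercialidsetandvalid`) compared with the sibling ids, which breaks the naming pattern used for in-page links.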
@ -106,45 +128,58 @@ This represents various settings that affect whether the Universal Telemetry Cli
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-telemetryoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn**
An integer value representing what level of telemetry will be uploaded.
Value type is integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == Security data will be sent
- 1 == Basic telemetry will be sent
- 2 == Enhanced telemetry will be sent
- 3 == Full telemetry will be sent
Supported operation is Get.
The values are:
- 0 == Security data will be sent.
- 1 == Basic telemetry will be sent.
- 2 == Enhanced telemetry will be sent.
- 3 == Full telemetry will be sent.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-commercialdataoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn**
An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload.
Value type is integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == Setting is disabled
- 1 == Setting is enabled
- 2 == Setting is not applicable to this version of Windows
Supported operation is Get.
The values are:
- 0 == Setting is disabled.
- 1 == Setting is enabled.
- 2 == Setting is not applicable to this version of Windows.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-diagtrackservicerunning"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning**
A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-msaserviceenabled"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-internetexplorertelemetryoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn**
An integer value representing what websites Internet Explorer will collect telemetry data for.
An integer value representing what websites Internet Explorer will collect telemetry data for.
Value type is integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == Telemetry collection is disabled
- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones
- 2 == Telemetry collection is enabled for internet websites and restricted website zones
- 3 == Telemetry collection is enabled for all websites
- 0x7FFFFFFF == Telemetry collection is not configured
Supported operation is Get.
The values are:
- 0 == Telemetry collection is disabled.
- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones.
- 2 == Telemetry collection is enabled for internet websites and restricted website zones.
- 3 == Telemetry collection is enabled for all websites.
- 0x7FFFFFFF == Telemetry collection is not configured.
<a href="" id="universaltelemetryclient-utcconnectionreport"></a>**UniversalTelemetryClient/UtcConnectionReport**
This provides an XML representation of the UTC connections during the most recent summary period.
@ -160,26 +195,31 @@ This represents various settings that affect whether the Windows Error Reporting
<a href="" id="windowserrorreporting-werconfigurationdiagnosis-wertelemetryoptin"></a>**WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn**
An integer value indicating the amount of WER data that will be uploaded.
Value type integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == Data will not send due to UTC opt-in
- 1 == Data will not send due to WER opt-in
- 2 == Basic WER data will send but not the complete set of data
- 3 == The complete set of WER data will send
Supported operation is Get.
The values are:
- 0 == Data will not send due to UTC opt-in.
- 1 == Data will not send due to WER opt-in.
- 2 == Basic WER data will send but not the complete set of data.
- 3 == The complete set of WER data will send.
<a href="" id="windowserrorreporting-werconfigurationdiagnosis-mostrestrictivesetting"></a>**WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting**
An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted.
Value type integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == System telemetry settings are restricting uploads
- 1 == WER basic policies are restricting uploads
- 2 == WER advanced policies are restricting uploads
- 3 == WER consent policies are restricting uploads
- 4 == There are no restrictive settings
Supported operation is Get.
The values are:
- 0 == System telemetry settings are restricting upload.
- 1 == WER basic policies are restricting uploads.
- 2 == WER advanced policies are restricting uploads.
- 3 == WER consent policies are restricting uploads.
- 4 == There are no restrictive settings.
<a href="" id="windowserrorreporting-werconnectionreport"></a>**WindowsErrorReporting/WerConnectionReport**
This provides an XML representation of the most recent WER connections of various types.
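Review bot: the rewritten MostRestrictiveSetting value list changes item 0 to "System telemetry settings are restricting upload." while items 1 through 3 keep "restricting uploads"; the original line said "uploads", so this is a new inconsistency. Use "uploads" for all four items.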
@ -190,7 +230,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### Appraiser run result report
```
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" >
<xs:annotation>
@ -362,7 +402,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### UTC connection report
```
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fusion="urn:schemas-microsoft-com:asm.v1" elementFormDefault="qualified" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<xs:annotation>
@ -440,7 +480,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### Windows Error Reporting connection report
```
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fusion="urn:schemas-microsoft-com:asm.v1" elementFormDefault="qualified" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<xs:annotation>
@ -638,3 +678,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
<xs:element name="ConnectionReport" type="ConnectionReportType"/>
</xs:schema>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,6 +1,6 @@
---
title: Win32CompatibilityAppraiser DDF file
description: XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -14,13 +14,13 @@ manager: dansimp
# Win32CompatibilityAppraiser DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Win32CompatibilityAppraiser** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, version 1809.
The XML below is for Windows 10, version 1809 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -98,7 +98,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.</Description>
<Description>The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.</Description>
<DFFormat>
<chr />
</DFFormat>
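Review bot: the before and after `<Description>` lines in this hunk, and in the DDF hunks that follow, are textually identical, so the change is whitespace-only; if that is intentional, say so in the commit message, and otherwise regenerate the DDF from its source rather than hand-editing the XML, so that the file does not drift from the shipped description framework.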
@ -120,7 +120,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.</Description>
<Description>A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -142,7 +142,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.</Description>
<Description>A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -186,7 +186,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version".</Description>
<Description>An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version".</Description>
<DFFormat>
<int />
</DFFormat>
@ -208,7 +208,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.</Description>
<Description>A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -296,7 +296,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent".</Description>
<Description>An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent".</Description>
<DFFormat>
<int />
</DFFormat>
@ -318,7 +318,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows".</Description>
<Description>An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows".</Description>
<DFFormat>
<int />
</DFFormat>
@ -340,7 +340,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.</Description>
<Description>A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -362,7 +362,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.</Description>
<Description>A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -384,7 +384,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured".</Description>
<Description>An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured".</Description>
<DFFormat>
<int />
</DFFormat>
@ -472,7 +472,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send".</Description>
<Description>An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send".</Description>
<DFFormat>
<int />
</DFFormat>
@ -494,7 +494,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings".</Description>
<Description>An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings".</Description>
<DFFormat>
<int />
</DFFormat>
@ -537,3 +537,7 @@ The XML below is for Windows 10, version 1809.
</Node>
</MgmtTree>
```
## Related topics
[Win32CompatibilityAppraiser configuration service provider](win32compatibilityappraiser-csp.md)

@ -14,6 +14,15 @@ ms.date: 11/01/2017
# WindowsAdvancedThreatProtection CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
@ -40,102 +49,101 @@ WindowsAdvancedThreatProtection
The following list describes the characteristics and parameters.
<a href="" id="--device-vendor-msft-windowsadvancedthreatprotection"></a>**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection**
<p>The root node for the Windows Defender Advanced Threat Protection configuration service provider.
The root node for the Windows Defender Advanced Threat Protection configuration service provider.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="onboarding"></a>**Onboarding**
<p>Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="healthstate"></a>**HealthState**
<p>Node that represents the Windows Defender Advanced Threat Protection health state.
Node that represents the Windows Defender Advanced Threat Protection health state.
<a href="" id="healthstate-lastconnected"></a>**HealthState/LastConnected**
<p>Contains the timestamp of the last successful connection.
Contains the timestamp of the last successful connection.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="healthstate-senseisrunning"></a>**HealthState/SenseIsRunning**
<p>Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
<p>The default value is false.
The default value is false.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="healthstate-onboardingstate"></a>**HealthState/OnboardingState**
<p>Represents the onboarding state.
Represents the onboarding state.
<p>Supported operation is Get.
Supported operation is Get.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Not onboarded.
- 1 Onboarded
- 0 (default) Not onboarded
- 1 Onboarded
<a href="" id="healthstate-orgid"></a>**HealthState/OrgId**
<p>String that represents the OrgID.
String that represents the OrgID.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="configuration"></a>**Configuration**
<p>Represents Windows Defender Advanced Threat Protection configuration.
Represents Windows Defender Advanced Threat Protection configuration.
<a href="" id="configuration-samplesharing"></a>**Configuration/SampleSharing**
<p>Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 None
- 1 (default) All
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="configuration-telemetryreportingfrequency"></a>**Configuration/TelemetryReportingFrequency**
<p>Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
<p>The following list shows the supported values:
The following list shows the supported values:
- 1 (default) Normal
- 2 - Expedite
- 1 (default) Normal
- 2 - Expedite
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="offboarding"></a>**Offboarding**
<p>Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="devicetagging"></a>**DeviceTagging**
<p>Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="group"></a>**DeviceTagging/Group**
<p>Added in Windows 10, version 1709. Device group identifiers.
Added in Windows 10, version 1709. Device group identifiers.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="criticality"></a>**DeviceTagging/Criticality**
<p>Added in Windows 10, version 1709. Asset criticality value. Supported values:
Added in Windows 10, version 1709. Asset criticality value. Supported values:
- 0 - Normal
- 1 - Critical
<p>The data type is an integer.
The data type is an integer.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
## Examples
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
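Review bot: the list punctuation in this hunk is left inconsistent while the surrounding `<p>` markup is being converted to plain Markdown: the OnboardingState items drop their trailing period ("- 0 (default) Not onboarded") even though the DDF Descriptions elsewhere in this commit gain one, and the TelemetryReportingFrequency list mixes "- 1 (default) Normal" with "- 2 - Expedite". Pick one form (for example "- 1 (default) - Normal" / "- 2 - Expedite") and apply it to both lists. While the DeviceTagging line is being touched, "managing role based access" should read "managing role-based access".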
@ -246,15 +254,4 @@ The following list describes the characteristics and parameters.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

@ -1,6 +1,6 @@
---
title: WindowsAdvancedThreatProtection DDF file
description: Learn how the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0
ms.reviewer:
manager: dansimp
@ -14,7 +14,6 @@ ms.date: 12/05/2017
# WindowsAdvancedThreatProtection DDF file
This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -56,7 +55,7 @@ The XML below is the current version for this CSP.
<Replace />
<Get />
</AccessType>
<Description>Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection</Description>
<Description>Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection.</Description>
<DFFormat>
<chr />
</DFFormat>
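Review bot: adding a trailing period inside the `<Description>` element edits the page's copy of the DDF XML, which the surrounding text presents as "the current version for this CSP" and which readers are pointed to in the CSP DDF files download. Cosmetic edits here make the published XML diverge from the DDF file actually shipped with Windows, so either leave the Description text verbatim as exported or note on the page that the text has been lightly edited. The same applies to the other Description-only hunks in this file.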
@ -77,7 +76,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Represents Windows Defender Advanced Threat Protection Health State</Description>
<Description>Represents Windows Defender Advanced Threat Protection Health State.</Description>
<DFFormat>
<node />
</DFFormat>
@ -119,7 +118,7 @@ The XML below is the current version for this CSP.
<Get />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Return Windows Defender Advanced Threat Protection service running state</Description>
<Description>Return Windows Defender Advanced Threat Protection service running state.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -141,7 +140,7 @@ The XML below is the current version for this CSP.
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Return Windows Defender Advanced Threat Protection onboarding state: 0 not onboarded; 1 - onboarded</Description>
<Description>Return Windows Defender Advanced Threat Protection onboarding state: 0 not onboarded; 1 - onboarded.</Description>
<DFFormat>
<int />
</DFFormat>
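Review bot: the edited Description still uses two different separators for the two values ("0 not onboarded; 1 - onboarded"); if the text is being changed anyway, make it "0 - not onboarded; 1 - onboarded." so it matches the SampleSharing and TelemetryReportingFrequency Descriptions later in this file.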
@ -184,7 +183,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Represents Windows Defender Advanced Threat Protection Configuration</Description>
<Description>Represents Windows Defender Advanced Threat Protection Configuration.</Description>
<DFFormat>
<node />
</DFFormat>
@ -206,7 +205,7 @@ The XML below is the current version for this CSP.
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All</Description>
<Description>Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All.</Description>
<DFFormat>
<int />
</DFFormat>
@ -229,7 +228,7 @@ The XML below is the current version for this CSP.
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite</Description>
<Description>Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite.</Description>
<DFFormat>
<int />
</DFFormat>
@ -253,7 +252,7 @@ The XML below is the current version for this CSP.
<Replace />
<Get />
</AccessType>
<Description>Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding</Description>
<Description>Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -274,7 +273,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging</Description>
<Description>Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging.</Description>
<DFFormat>
<node />
</DFFormat>
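Review bot: the rewritten Description keeps the typo "role base access"; it should read "role-based access", matching the DeviceTagging paragraph on the CSP page in this same commit, which should also be corrected to the hyphenated form.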
@ -343,15 +342,4 @@ The XML below is the current version for this CSP.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 
[WindowsAdvancedThreatProtection configuration service provider](windowsadvancedthreatprotection-csp.md)

@ -1,5 +1,5 @@
---
title: WindowsAutoPilot CSP
title: WindowsAutopilot CSP
description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot.
ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6
ms.reviewer:
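Review bot: the unchanged `description` line in this hunk ("Learn how without the ability to mark a device as remediation required, the device will remain in a broken state...") is a sentence fragment that describes a failure mode rather than the page; since the front matter is already being edited to rename AutoPilot to Autopilot, rewrite it to describe the CSP, for example "Learn how the WindowsAutopilot CSP exposes Windows Autopilot device information and the hardware-mismatch remediation data."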
@ -12,13 +12,22 @@ author: dansimp
ms.date: 02/07/2022
---
# WindowsAutoPilot CSP
# WindowsAutopilot CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level.
The WindowsAutopilot CSP exposes Windows Autopilot related device information. The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.
**./Vendor/MSFT/WindowsAutopilot**
@ -27,3 +36,7 @@ Root node. Supported operation is Get.
**HardwareMismatchRemediationData**
Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

@ -1,6 +1,6 @@
---
title: WindowsAutoPilot DDF file
description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutoPilot DDF file configuration service provider (CSP) .
title: WindowsAutopilot DDF file
description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) .
ms.author: dansimp
ms.topic: article
ms.prod: w10
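Review bot: the replacement `description` line carries over the same dangling fragment ("Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) .") and the stray space before the final period. While the line is being rewritten, use the form adopted for the WDATP DDF page in this same commit: "Learn about the OMA DM device description framework (DDF) for the WindowsAutopilot configuration service provider (CSP)."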
@ -11,12 +11,12 @@ ms.reviewer:
manager: dansimp
---
# WindowsAutoPilot DDF file
# WindowsAutopilot DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the device description framework (DDF) for the **WindowsAutoPilot** configuration service provider.
This topic shows the device description framework (DDF) for the **WindowsAutopilot** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
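Review bot: this hunk changes "prereleased" to "pre-released" in the warning, but the WindowsAutopilot CSP page edited in this same commit adds the identical warning with "prereleased", so the two pages now disagree. Apply one spelling to both warnings (the Microsoft style guide form is "prerelease product").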
@ -27,7 +27,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>These settings enable configuration of Windows Autopilot</Description>
<Description>These settings enable configuration of Windows Autopilot.</Description>
<DFFormat>
<node />
</DFFormat>
@ -74,3 +74,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
</cspDefinition>
</identity>
```
## Related topics
[WindowsAutopilot configuration service provider](windowsautopilot-csp.md)

@ -13,10 +13,21 @@ manager: dansimp
# WindowsDefenderApplicationGuard CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
```
```console
./Device/Vendor/MSFT
WindowsDefenderApplicationGuard
----Settings
@ -36,6 +47,7 @@ WindowsDefenderApplicationGuard
----Audit
--------AuditApplicationGuard
```
<a href="" id="windowsdefenderapplicationguard"></a>**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
Root node. Supported operation is Get.
@ -43,30 +55,37 @@ Root node. Supported operation is Get.
Interior node. Supported operation is Get.
<a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard**
Turn on Microsoft Defender Application Guard in Enterprise Mode.
Turn on Microsoft Defender Application Guard in Enterprise Mode.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
- 0 - Disable Microsoft Defender Application Guard
- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY
- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004)
- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004)
- 0 - Disable Microsoft Defender Application Guard.
- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY.
- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004).
- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004).
<a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**
Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 1 - Allow text copying.
- 2 - Allow image copying.
- 3 - Allow text and image copying.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardFileType*
- GP path: *Windows Components/Microsoft Defender Application Guard*
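Review bot: the ClipboardFileType value list (1, 2, 3) does not mark a default, unlike ClipboardSettings and PrintingSettings in this same file, which annotate "0 (default)"; if the default is known, add "(default)" to the appropriate item, and if the setting has no default because it only applies once ClipboardSettings is non-zero, say so in the sentence above the list.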
@ -76,21 +95,25 @@ ADMX Info:
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**
This policy setting allows you to decide how the clipboard behaves while in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
The following list shows the supported values:
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On clipboard operation from an isolated session to the host.
- 2 - Turns On clipboard operation from the host to an isolated session.
- 3 - Turns On clipboard operation in both the directions.
> [!IMPORTANT]
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
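Review bot: the IMPORTANT note in this hunk only warns about content going "from Microsoft Edge into Application Guard" (the value 2 direction, host to isolated session), but value 1 enables the isolated session to host direction, which is the one that moves content from the untrusted container onto the host. Since the note is being re-flowed anyway, state the risk for each direction explicitly so readers do not conclude that value 1 is the safe option.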
@ -98,13 +121,16 @@ ADMX Info:
<!--/ADMXMapped-->
<a href="" id="printingsettings"></a>**Settings/PrintingSettings**
This policy setting allows you to decide how the print functionality behaves while in Application Guard.
This policy setting allows you to decide how the print functionality behaves while in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Disables all print functionality.
- 1 - Enables only XPS printing.
- 2 - Enables only PDF printing.
@ -123,7 +149,8 @@ The following list shows the supported values:
- 15 - Enables all printing.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Configure Microsoft Defender Application Guard print settings*
- GP name: *AppHVSIPrintingSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -133,11 +160,14 @@ ADMX Info:
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
- 1 - Non-enterprise content embedded on enterprise sites is stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
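Review bot: the new support sentence extends BlockNonEnterpriseContent to Windows 11 Enterprise and Education, but the note immediately below this hunk (visible as context in the next hunk) says the setting is no longer supported in the new Microsoft Edge and will be deprecated and removed in a future release. Confirm that Windows 11 support is actually accurate before adding it, or qualify the sentence to say the setting applies only to Internet Explorer and the legacy Microsoft Edge.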
@ -145,7 +175,8 @@ The following list shows the supported values:
> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP name: *BlockNonEnterpriseContent*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -155,16 +186,18 @@ ADMX Info:
<a href="" id="allowpersistence"></a>**Settings/AllowPersistence**
This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user sign out.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard*
- GP name: *AllowPersistence*
- GP path: *Windows Components/Microsoft Defender Application Guard*
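Review bot: the "This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education..." sentence is deleted for AllowPersistence but not re-added, whereas every sibling setting in this commit replaces it with the updated "Windows 10/Windows 11" wording. This looks like an accidental drop; restore the sentence in the new form. The value list here also marks no default, unlike the neighbouring settings.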
@ -172,15 +205,18 @@ ADMX Info:
<!--/ADMXMapped-->
<a href="" id="allowvirtualgpu"></a>**Settings/AllowVirtualGPU**
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
The following list shows the supported values:
- 0 (default) - Can't access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This functionality can create a faster experience when working with graphics intense websites or watching video within the container.
@ -188,7 +224,8 @@ The following list shows the supported values:
> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP name: *AllowVirtualGPU*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -196,18 +233,20 @@ ADMX Info:
<!--/ADMXMapped-->
<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container.
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
The following list shows the supported values:
- 0 (default) - The user can't download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP name: *SaveFilesToHost*
- GP path: *Windows Components/Microsoft Defender Application Guard*
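Review bot: the "files them" fix in the description still leaves "elect files on the host operating system and upload it", which should read "select files on the host operating system and upload them". Two more points in this hunk: the supported-platform sentence still says "Windows 10 Enterprise or Windows 10 Education", while the CertificateThumbprints, AllowCameraMicrophoneRedirection and AuditApplicationGuard hunks in this same change update the equivalent sentence to "Windows 10/Windows 11", so this one looks missed; and the value-1 bullet describes only download to the host, although the description says the setting also enables upload from the host into the container. Since both directions cross the isolation boundary, suggest "1 - Allows users to download files from Edge in the container to the host file system and to upload files from the host to Edge in the container."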
@ -217,9 +256,11 @@ ADMX Info:
<a href="" id="certificatethumbprints"></a>**Settings/CertificateThumbprints**
Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.
@ -229,7 +270,8 @@ b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda92
If you disable or dont configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP name: *CertificateThumbprints*
- GP path: *Windows Components/Microsoft Defender Application Guard*
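Review bot: "dont configure" in the context line at the top of this hunk is missing its apostrophe; the camera and microphone warning later in this file uses the straight form "user's", so suggest "don't configure".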
@ -242,15 +284,18 @@ ADMX Info:
<a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the users device.
If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the users device.
The following list shows the supported values:
The following list shows the supported values:
- 0 (default) - Microsoft Defender Application Guard can't access the devices camera and microphone. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the devices camera and microphone.
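Review bot: "devices camera and microphone" and "users device" appear several times in this hunk without apostrophes, while the warning in the next hunk writes "user's"; suggest "device's camera and microphone" and "user's device" throughout, using the same straight apostrophe.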
@ -258,7 +303,8 @@ The following list shows the supported values:
> If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP name: *AllowCameraMicrophoneRedirection*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -268,22 +314,26 @@ ADMX Info:
<a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device.
Value type is integer. Supported operation is Get.
Value type is integer.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
> [!IMPORTANT]
> If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
> [!IMPORTANT]
> If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
<a href="" id="platformstatus"></a>**PlatformStatus**
Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
Value type is integer. Supported operation is Get.
Value type is integer.
Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
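Review bot: in the new Status bit list, the [!IMPORTANT] blockquote sits between the Bit 4 and Bit 5 bullets without indentation, which ends the Markdown list and makes Bits 5 and 6 render as a separate list; either indent the note under the Bit 4 bullet or move it after Bit 6. Also, "Set to 1 when Application Guard installed on the client machine" is missing "is", and "enabled into enterprise manage mode" (repeated in the PlatformStatus list) should presumably read "enabled in enterprise-managed mode".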
@ -297,7 +347,8 @@ Initiates remote installation of Application Guard feature.
Supported operations are Get and Execute.
The following list shows the supported values:
The following list shows the supported values:
- Install - Will initiate feature install.
- Uninstall - Will initiate feature uninstall.
@ -305,20 +356,28 @@ The following list shows the supported values:
Interior node. Supported operation is Get.
<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**
This policy setting allows you to decide whether auditing events can be collected from Application Guard.
This policy setting allows you to decide whether auditing events can be collected from Application Guard.
Value type in integer. Supported operations are Add, Get, Replace, and Delete.
Value type in integer.
This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
This policy setting is supported on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard*
- GP name: *AuditApplicationGuard*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
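Review bot: "Value type in integer." on the new, split-out line carries over the typo from the removed line; it should be "Value type is integer.", as the other nodes in this file say. In the value-1 bullet, "inherits its auditing policies from system" should be "from the system".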

View File

@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP).
description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -14,13 +14,13 @@ manager: dansimp
# WindowsDefenderApplicationGuard DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
This XML is for Windows 10, version 1809.
This XML is for Windows 10, version 1809 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -481,3 +481,7 @@ This XML is for Windows 10, version 1809.
</Node>
</MgmtTree>
```
## Related topics
[WindowsDefenderApplicationGuard configuration service provider](windowsdefenderapplicationguard-csp.md)

View File

@ -14,6 +14,16 @@ ms.date: 08/15/2018
# WindowsLicensing CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
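Review bot: "prereleased product" in the warning context line is left as is here, while the same warning is changed to "pre-released product" in the WindowsDefenderApplicationGuard DDF and WindowsLicensing DDF files in this same change; suggest updating it here too so the wording is consistent across the files.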
@ -40,6 +50,7 @@ WindowsLicensing
--------SwitchFromSMode (Added in Windows 10, version 1809)
--------Status (Added in Windows 10, version 1809)
```
<a href="" id="--device-vendor-msft-windowslicensing"></a>**./Device/Vendor/MSFT/WindowsLicensing**
This node is the root node for the WindowsLicensing configuration service provider.
@ -51,21 +62,17 @@ Enters a product key for an edition upgrade of Windows 10 desktop devices.
> [!NOTE]
> This upgrade process requires a system restart.
The date type is a chr.
The supported operation is Exec.
When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or, after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart.
When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart.
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
> [!IMPORTANT]
> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail.
If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart.
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
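Review bot: dropping the comma after "or" in "The user can then restart their system manually or after two hours, the device will restart automatically" makes the sentence harder to parse than the original; either keep "manually or, after two hours, the device will restart automatically", or split it: "The user can then restart their system manually. Otherwise, the device restarts automatically after two hours to complete the upgrade." Also, "The date type is a chr." in the context line should be "The data type is a chr.", as every other node in this file says.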
@ -75,24 +82,22 @@ This node can also be used to activate or change a product key on a particular e
> [!IMPORTANT]
> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal.
The following are valid edition upgrade paths when using this node through an MDM:
- Windows 10 Enterprise to Windows 10 Education
- Windows 10 Home to Windows 10 Education
- Windows 10 Pro to Windows 10 Education
- Windows 10 Pro to Windows 10 Enterprise
- Windows 10/Windows 11 Enterprise to Windows 10/ Windows 11 Education
- Windows 10/Windows 11 Home to Windows 10/Windows 11 Education
- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Education
- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Enterprise
Activation or changing a product key can be carried out on the following editions:
- Windows 10 Education
- Windows 10 Enterprise
- Windows 10 Home
- Windows 10 Pro
- Windows 10/Windows 11 Education
- Windows 10/Windows 11 Enterprise
- Windows 10/Windows 11 Home
- Windows 10/Windows 11 Pro
<a href="" id="edition"></a>**Edition**
Returns a value that maps to the Windows 10 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
Returns a value that maps to the Windows 10 or Windows 11 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
The data type is an Int.
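Review bot: "Windows 10/ Windows 11 Education" in the first new upgrade-path bullet has a stray space after the slash; the other seven new bullets use "Windows 10/Windows 11".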
@ -101,11 +106,11 @@ The supported operation is Get.
<a href="" id="status"></a>**Status**
Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values:
- 0 = Failed
- 1 = Pending
- 2 = In progress
- 3 = Completed
- 4 = Unknown
- 0 = Failed
- 1 = Pending
- 2 = In progress
- 3 = Completed
- 4 = Unknown
The data type is an Int.
@ -136,23 +141,23 @@ The following are valid edition upgrade paths when using this node through an MD
-->
<a href="" id="licensekeytype"></a>**LicenseKeyType**
Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change.
Returns the parameter type used by Windows 10 or Windows 11 devices for an edition upgrade, activation, or product key change.
- Windows 10 client devices require a product key.
- Windows 10 or Windows 11 client devices require a product key.
The data type is a chr.
The supported operation is Get.
<a href="" id="checkapplicability"></a>**CheckApplicability**
Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 for desktop devices.
Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 or Windows 11 for desktop devices.
The data type is a chr.
The supported operation is Exec.
<a href="" id="changeproductkey"></a>**ChangeProductKey**
Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Doesn't reboot.
Added in Windows 10, version 1703. Installs a product key for Windows desktop devices. Doesn't reboot.
The data type is a chr.
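Review bot: the CheckApplicability and ChangeProductKey descriptions are both updated in this hunk but end up with different wording for the same thing: "Windows 10 or Windows 11 for desktop devices" versus "Windows desktop devices"; suggest "Windows 10 or Windows 11 desktop devices" in both.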
@ -184,32 +189,37 @@ Interior node for managing S mode.
<a href="" id="smode-switchingpolicy"></a>**SMode/SwitchingPolicy**
Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
Supported values:
- 0 - No Restriction: The user is allowed to switch the device out of S mode.
- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
Supported operations are Add, Get, Replace, and Delete.
Supported values:
- 0 - No Restriction: The user is allowed to switch the device out of S mode.
- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
<a href="" id="smode-switchfromsmode"></a>**SMode/SwitchFromSMode**
Added in Windows 10, version 1809. Switches a device out of S mode if possible. Doesn't reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
Supported operation is Execute.
<a href="" id="smode-status"></a>**SMode/Status**
<a href="" id="smode-status"></a>**SMode/Status**
Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example)
Value type is integer. Supported operation is Get.
Value type is integer.
Supported operation is Get.
Values:
- Request fails with error code 404 - no SwitchFromSMode request has been made.
- 0 - The device successfully switched out of S mode
- 1 - The device is processing the request to switch out of S mode
- 3 - The device was already switched out of S mode
- 4 - The device failed to switch out of S mode
- Request fails with error code 404 - no SwitchFromSMode request has been made.
- 0 - The device successfully switched out of S mode.
- 1 - The device is processing the request to switch out of S mode.
- 3 - The device was already switched out of S mode.
- 4 - The device failed to switch out of S mode.
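Review bot: the SMode/Status value list goes 0, 1, 3, 4 with no 2; if 2 is intentionally unused, a short note saying so would stop readers from assuming a typo, and if it is not, the missing value should be documented. The description sentences for SwitchingPolicy, SwitchFromSMode and Status all end with a link and no period (for example "see [Get S mode status](#smode-status-example)"), so suggest adding the closing period to each.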
## SyncML examples
**CheckApplicability**
```xml
@ -235,8 +245,6 @@ Values:
> [!NOTE]
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.
**Edition**
```xml

View File

@ -15,13 +15,13 @@ ms.date: 07/16/2017
# WindowsLicensing DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, version 1809.
The XML below is for Windows 10, version 1809 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -104,7 +104,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>Returns a value that maps to the Windows 10 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.</Description>
<Description>Returns a value that maps to the Windows 10 or Windows 11 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.</Description>
<DFFormat>
<int />
</DFFormat>
@ -128,7 +128,7 @@ The XML below is for Windows 10, version 1809.
<AccessType>
<Get />
</AccessType>
<Description>Returns the status of an edition upgrade on Windows 10 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown</Description>
<Description>Returns the status of an edition upgrade on Windows 10 or Windows 11 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown</Description>
<DFFormat>
<int />
</DFFormat>
@ -349,3 +349,7 @@ The XML below is for Windows 10, version 1809.
</Node>
</MgmtTree>
```
## Related topics
[WindowsLicensing configuration service provider](windowslicensing-csp.md)

View File

@ -13,6 +13,16 @@ manager: dansimp
# WiredNetwork CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
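Review bot: as in the WindowsLicensing CSP file, "prereleased product" in the warning context line is left unchanged here while the DDF files in this change switch to "pre-released product"; suggest aligning it.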
@ -39,17 +49,19 @@ WiredNetwork
----EnableBlockPeriod
```
<a href="" id="wirednetwork"></a>**./Device/Vendor/MSFT/WiredNetwork**
Root node.
The root node for the wirednetwork configuration service provider.
<a href="" id="lanxml"></a>**LanXML**
Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
- Supported operations are Add, Get, Replace, and Delete.
- Value type is string.
<a href="" id="enableblockperiod"></a>**EnableBlockPeriod**
Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
- Value type is integer.
The following example shows how to add a wired network profile:
```xml
@ -70,3 +82,7 @@ The following example shows how to add a wired network profile:
</SyncBody>
</SyncML>
```
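Review bot: in the LanXML/EnableBlockPeriod hunk above, "The root node for the wirednetwork configuration service provider." lowercases the CSP name; it should read "WiredNetwork", matching the heading and the node id in that hunk. The new "Supported operations" and "Value type" lines are turned into bullets there, whereas the other CSP files in this change (for example the SaveFilesToHost node) put them on separate plain lines; pick one convention. The LanXML description is also awkward ("XML describing the wired network configuration and follows the LAN_profile schemas") and ends in a bare URL; suggest "Optional. XML describing the wired network configuration. It follows the LAN_profile schema." with the URL turned into a Markdown link.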
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -167,3 +167,7 @@ The XML below is the current version for this CSP.
</Node>
</MgmtTree>
```
## Related topics
[WiredNetwork CSP](wirednetwork-csp.md)