Merge branch 'MicrosoftDocs:master' into kk-wdac-edits-task-36429643

Thomas Raya 2021-11-09 09:09:19 -08:00 committed by GitHub
commit 54c82afb26
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1051 changed files with 6548 additions and 10424 deletions

.gitignore vendored

@ -10,6 +10,7 @@ Tools/NuGet/
*.ini
_themes*/
common/
.vscode/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config


@ -1,5 +1,155 @@
{
"redirections": [
{
"source_path": "windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/deviceinstanceservice-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/cm-proxyentries-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/bootstrap-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-textinput.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-shell.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-rcspresence.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-otherassets.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-nfc.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-multivariant.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-modemconfigurations.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-messaging.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-internetexplorer.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-initialsetup.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-deviceinfo.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-calling.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-callandmessagingenhancement.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-automatictime.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-theme.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-embeddedlockdownprofiles.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/configure-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/lockdown-xml.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/mobile-lockdown-designer.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/provisioning-configure-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/provisioning-nfc.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/provisioning-package-splitter.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/settings-that-can-be-locked-down.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/start-layout-xml-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-11.md",
"redirect_url": "/windows/whats-new/windows-11-whats-new",
@ -6637,22 +6787,22 @@
},
{
"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
"redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/manage/lockdown-xml.md",
"redirect_url": "/windows/configuration/mobile-devices/lockdown-xml",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/manage/settings-that-can-be-locked-down.md",
"redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/manage/product-ids-in-windows-10-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -6682,7 +6832,7 @@
},
{
"source_path": "windows/manage/start-layout-xml-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -6847,7 +6997,7 @@
},
{
"source_path": "windows/deploy/provisioning-nfc.md",
"redirect_url": "/windows/configuration/provisioning-packages/provisioning-nfc",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7602,7 +7752,7 @@
},
{
"source_path": "windows/configure/configure-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/configure-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7767,7 +7917,7 @@
},
{
"source_path": "windows/configure/lockdown-xml.md",
"redirect_url": "/windows/configuration/mobile-devices/lockdown-xml",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7787,12 +7937,12 @@
},
{
"source_path": "windows/configure/mobile-lockdown-designer.md",
"redirect_url": "/windows/configuration/mobile-devices/mobile-lockdown-designer",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configure/product-ids-in-windows-10-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7822,7 +7972,7 @@
},
{
"source_path": "windows/configure/provisioning-configure-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/provisioning-configure-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7847,12 +7997,12 @@
},
{
"source_path": "windows/configure/provisioning-nfc.md",
"redirect_url": "/windows/configuration/mobile-devices/provisioning-nfc",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configure/provisioning-package-splitter.md",
"redirect_url": "/windows/configuration/mobile-devices/provisioning-package-splitter",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7892,7 +8042,7 @@
},
{
"source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
"redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7902,7 +8052,7 @@
},
{
"source_path": "windows/configure/settings-that-can-be-locked-down.md",
"redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7912,7 +8062,7 @@
},
{
"source_path": "windows/configure/start-layout-xml-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
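Review bot: The rewritten entries in the later hunks (`windows/manage/...`, `windows/configure/...`, `windows/deploy/provisioning-nfc.md`) now point at the same external end-of-support FAQ as the 30 entries inserted at the top of `redirections`, and because the file header is not visible here it is worth confirming that no `source_path` now appears twice in the file — for example `windows/configuration/mobile-devices/provisioning-nfc.md` is added while both `windows/configure/provisioning-nfc.md` and `windows/deploy/provisioning-nfc.md` are retargeted; duplicate `source_path` values in this redirection format typically only surface as build warnings. The `windows/deploy/provisioning-nfc.md` entry previously redirected to `/windows/configuration/provisioning-packages/provisioning-nfc`, a different target than the mobile-devices page the other entries used, so if that provisioning-packages article is not itself retired by this commit it silently loses its inbound redirect. All entries consistently set `"redirect_document_id": false`, which is appropriate for an external target, but an absolute `https://` `redirect_url` is a departure from the site-relative paths used elsewhere in the file and may deserve a one-line note in the PR description. Both hunks begin and end inside the `redirections` array, so the enclosing document continues outside this view.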


@ -6,7 +6,7 @@ summary: Microsoft Edge Legacy works with Group Policy and Microsoft Intune to h
metadata:
title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars.
keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile
keywords: Microsoft Edge Legacy, Windows 10
ms.localizationpriority: medium
ms.prod: edge
author: shortpatti


@ -15,7 +15,7 @@ metadata:
title: Frequently Asked Questions (FAQ) for IT Pros
summary: |
Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
Applies to: Microsoft Edge on Windows 10
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/).
@ -40,7 +40,7 @@ sections:
- question: How do I customize Microsoft Edge and related settings for my organization?
answer: |
You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](./group-policies/index.yml) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.
You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](./group-policies/index.yml) for a list of policies currently available for Microsoft Edge and configuration information. The preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.
- question: Is Adobe Flash supported in Microsoft Edge?
answer: |


@ -1,7 +1,7 @@
---
ms.localizationpriority: medium
title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10.
ms.mktglfcycl: deploy
ms.prod: ie11
ms.sitesec: library
@ -18,7 +18,7 @@ ms.author: dansimp
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10.
## April 2017
|New or changed topic | Description |


@ -33,7 +33,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
## In this guide
|Topic |Description |
|------|------------|
|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. |
|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for Windows 10. |
|[System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md) |IE11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. |
|[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. |
|[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. |
@ -42,7 +42,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
|[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. |
|[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. |
|[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. |
|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls arent automatically updated, they can become outdated as new versions are released. Its very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called <em>out-of-date ActiveX control blocking</em>. |
|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls arent automatically updated, they can become outdated as new versions are released. Its important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called <em>out-of-date ActiveX control blocking</em>. |
|[Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md) |Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, were deprecating document modes.<p>This means that while IE11 will continue to support document modes, Microsoft Edge wont. And because of that, it also means that if you want to use Microsoft Edge, youre going to have to update your legacy webpages and apps to support modern features, browsers, and devices.<p><b>Note</b><br>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). |
|[What is the Internet Explorer 11 Blocker Toolkit?](what-is-the-internet-explorer-11-blocker-toolkit.md) |The IE11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the <b>Automatic Updates</b> feature of Windows Update. |
|[Missing Internet Explorer Maintenance (IEM) settings for Internet Explorer 11](missing-internet-explorer-maintenance-settings-for-ie11.md) |The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 11 (IEAK 11).<p>Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy preferences, Administrative Templates (.admx), or the IEAK 11.<p>Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the <b>Security</b> settings or Group Policy Preferences within the <b>Internet Zone</b> settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. |


@ -39,7 +39,7 @@ Using Enterprise Mode means that you can continue to use Microsoft Edge as your
> [!TIP]
> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
For Windows 10, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
## What is Enterprise Mode?
@ -68,12 +68,12 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
XML file
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compatibility mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In IE11, the webpage can also be launched in a specific compatibility mode, so it always renders correctly. Your employees can easily view this site list by typing `about:compat` in either Microsoft Edge or IE11.
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
### Site list xml file
This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compatibility mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
```xml
<site-list version="205">
@ -123,7 +123,7 @@ You can build and manage your Enterprise Mode Site List is by using any generic
### Enterprise Mode Site List Manager
This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
There are two versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.


@ -2,8 +2,11 @@
## Week of April 26, 2021
## Week of October 25, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 10/28/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 10/28/2021 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
| 10/28/2021 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified |


@ -20,11 +20,11 @@ manager: dansimp
- Windows 10
This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system.
## Prepare for district deployment
Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when its finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when its finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
> [!NOTE]
> This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management).
@ -126,7 +126,7 @@ Office 365 Education allows:
* Students and faculty to use Yammer to collaborate through private social networking.
* Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
@ -1577,7 +1577,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/
If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section.
You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
For more information about how to configure Intune to manage your apps, see the following resources:
@ -1589,9 +1589,9 @@ For more information about how to configure Intune to manage your apps, see the
### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, Windows 10 Mobile, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, Windows 10 Mobile, iOS, and Android. You can deploy the one application to multiple device types.
For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, iOS, and Android. You can deploy the one application to multiple device types.
> [!NOTE]
> When you configure Configuration Manager and Intune in a hybrid model, you deploy apps by using Configuration Manager as described in this section.
@ -1607,7 +1607,7 @@ If you selected to manage updates by using Configuration Manager and Intune in a
To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune.
> [!NOTE]
> You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not Windows 10 Mobile, iOS, or Android).
> You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not iOS or Android).
For more information about how to configure Intune to manage updates and malware protection, see the following resources:
@ -1631,7 +1631,7 @@ In this section, you prepared your institution for device management. You identi
## Deploy Windows 10 to devices
Youre ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device thats eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10.
Youre ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms and for any new student devices you add in the future. You can also perform these actions for any device thats eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10.
### Prepare for deployment


@ -18,29 +18,63 @@ ms.date: 10/13/2017
## ![Learn more about Windows.](images/education.png) Learn
<p><b><a href="windows-editions-for-education-customers.md" data-raw-source="[Windows 10 editions for education customers](windows-editions-for-education-customers.md)">Windows 10 editions for education customers</a></b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p>
<p><b><a href="https://www.microsoft.com/WindowsForBusiness/Compare" data-raw-source="[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)">Compare each Windows edition</a></b><br />Find out more about the features and functionality we support in each edition of Windows.</p>
<p><b><a href="https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" data-raw-source="[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)">Get Windows 10 Education or Windows 10 Pro Education</a></b><br />When you&#39;ve made your decision, find out how to buy Windows for your school.</p>
**[Windows 10 editions for education customers](windows-editions-for-education-customers.md)**
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
**[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)**
Find out more about the features and functionality we support in each edition of Windows.
**[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)**
When you've made your decision, find out how to buy Windows for your school.
## ![Plan for Windows 10 in your school.](images/clipboard.png) Plan
<p><b><a href="configure-windows-for-education.md" data-raw-source="[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)">Windows 10 configuration recommendations for education customers</a></b><br />Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.</p>
<p><b><a href="edu-deployment-recommendations.md" data-raw-source="[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)">Deployment recommendations for school IT administrators</a></b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p>
<b><a href="get-minecraft-for-education.md" data-raw-source="[Get Minecraft Education Edition](get-minecraft-for-education.md)">Get Minecraft Education Edition</a></b><br />Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.</p></div>
<div class="side-by-side-content-right"><p><b><a href="take-tests-in-windows-10.md" data-raw-source="[Take tests in Windows 10](take-tests-in-windows-10.md)">Take tests in Windows 10</a></b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
<p><b><a href="chromebook-migration-guide.md" data-raw-source="[Chromebook migration guide](chromebook-migration-guide.md)">Chromebook migration guide</a></b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p>
**[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)**
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school.
**[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)**
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
**[Get Minecraft Education Edition](get-minecraft-for-education.md)**
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
**[Take tests in Windows 10](take-tests-in-windows-10.md)**
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
**[Chromebook migration guide](chromebook-migration-guide.md)**
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
## ![Deploy Windows 10 for Education.](images/PCicon.png) Deploy
<p><b><a href="set-up-windows-10.md" data-raw-source="[Set up Windows devices for education](set-up-windows-10.md)">Set up Windows devices for education</a></b><br />Depending on your school&#39;s device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.</p>
<p><b><a href="deploy-windows-10-in-a-school.md" data-raw-source="[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)">Deploy Windows 10 in a school</a></b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p>
<p><b><a href="deploy-windows-10-in-a-school-district.md" data-raw-source="[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)">Deploy Windows 10 in a school district</a></b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
<p><b><a href="test-windows10s-for-edu.md" data-raw-source="[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)">Test Windows 10 S on existing Windows 10 education devices</a></b><br />Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.</p>
**[Set up Windows devices for education](set-up-windows-10.md)**
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.
**[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)**
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
**[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)**
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
**[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)**
Test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.
## ![Switch to Windows 10 for Education.](images/windows.png) Switch
<p><b><a href="change-to-pro-education.md" data-raw-source="[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)">Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S</a></b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
**[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)**
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.
## Windows 8.1
@ -54,9 +88,11 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in
<p><b><a href="/previous-versions/windows/it-pro/windows-8.1-and-8/dn645532(v=ws.11)" target="_blank">Microsoft Store apps</a></b><br />Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.</p>
<p><b><a href="/previous-versions/windows/it-pro/windows-8.1-and-8/dn645486(v=ws.11)" target="_blank">Windows To Go</a></b><br />Learn about the benefits, limitations, and processes involved in deploying Windows To Go.</p>
## Related topics
## Related articles
- [Microsoft Education documentation and resources](/education)
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
- [Windows for business](https://www.microsoft.com/windows/business)
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)
<!--
<p><b><a href="/education/" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>


@ -27,7 +27,7 @@ ms.topic: conceptual
Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools?
In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Microsoft 365 Business Standard, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
- Acquire an Microsoft 365 for business domain
- Acquire a Microsoft 365 for business domain
- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
- Set up Microsoft Store for Business and manage app deployment and sync with Intune
- Add users and groups in Azure AD and Intune
@ -37,27 +37,29 @@ In this walkthrough, we'll show you how to deploy and manage a full cloud IT sol
Go to the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a> and select **Products** to learn more about pricing and purchasing options for your business.
## Prerequisites
Here's a few things to keep in mind before you get started:
- You'll need a registered domain to successfully go through the walkthrough.
- If you already own a domain, you can add this during the Office 365 setup.
- If you don't already own a domain, you'll have the option to purchase a domain from the Microsoft 365 admin center. We'll show how to do this as part of the walkthrough.
- If you don't already own a domain, you can purchase a domain from the Microsoft 365 admin center. This walkthrough includes the steps.
- You'll need an email address to create your Office 365 tenant.
- We recommend that you use Internet Explorer for the entire walkthrough. Right click on Internet Explorer and then choose **Start InPrivate Browsing**.
- We recommend that you use Internet Explorer for the entire walkthrough. Right select on Internet Explorer > **Start InPrivate Browsing**.
## 1. Set up your cloud infrastructure
To set up a cloud infrastructure for your organization, follow the steps in this section.
### 1.1 Set up Office 365 for business
See <a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
See <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
- Plan your setup
- Create Office 365 accounts and how to add your domain.
- Install Office
To set up your Microsoft 365 for business tenant, see <a href="https://support.office.com/en-us/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Microsoft 365 for business</a>.
To set up your Microsoft 365 for business tenant, see <a href="https://support.office.com/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Microsoft 365 for business</a>.
If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started:
If you're new at setting up Office 365, and you'd like to see how it's done, you can follow these steps to get started:
1. Go to the <a href="https://products.office.com/en-us/business/office-365-affiliate-program-buy-business-premium" target="_blank">Office 365</a> page in the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
1. Go to the <a href="https://products.office.com/business/office-365-affiliate-program-buy-business-premium" target="_blank">Office 365</a> page in the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
**Figure 1** - Try or buy Office 365
@ -76,17 +78,17 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 2** - Microsoft 365 admin center
![Microsoft 365 admin center.](images/office365_portal.png)
![Opens the Microsoft 365 admin center.](images/office365_portal.png)
6. Select the **Admin** tile to go to the admin center.
7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup.
This may take up to a half hour to complete.
This step can take up to a half hour to complete.
**Figure 3** - Admin center
![Microsoft 365 admin center.](images/office365_admin_portal.png)
![Complete the Office 365 setup in the Microsoft 365 admin center.](images/office365_admin_portal.png)
8. Go back to the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a> to add or buy a domain.
@ -97,7 +99,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
![Add or buy a domain in admin center.](images/office365_buy_domain.png)
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as `fabrikamdesign.onmicrosoft.com`.
**Figure 5** - Microsoft-provided domain
@ -128,7 +130,7 @@ When adding users, you can also assign admin privileges to certain users in your
2. In the **Home > Active users** page, add users individually or in bulk.
- To add users one at a time, select **+ Add a user**.
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the admin center* in <a href="https://support.office.com/en-us/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the admin center* in <a href="https://support.office.com/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
**Figure 8** - Add an individual user
@ -136,7 +138,7 @@ When adding users, you can also assign admin privileges to certain users in your
- To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
**Figure 9** - Import multiple users
@ -163,7 +165,7 @@ Microsoft Intune provides mobile device management, app management, and PC manag
![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png)
5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
6. Select **Intune**. This will take you to the Intune management portal.
6. Select **Intune**. This step opens the Endpoint Manager admin center.
**Figure 12** - Microsoft Intune management portal
@ -187,8 +189,8 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
![Access to Azure AD not available.](images/azure_ad_access_not_available.png)
3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
4. Click **Azure subscription**. This will take you to a free trial sign up screen.
3. From the error message, select the country/region for your business. The region should match with the location you specified when you signed up for Office 365.
4. Select **Azure subscription**. This step will take you to a free trial sign up screen.
**Figure 14** - Sign up for Microsoft Azure
@ -201,7 +203,7 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
![Start managing your Azure subscription.](images/azure_ad_successful_signup.png)
This will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
This step will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
### 1.5 Add groups in Azure AD
This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see <a href="/azure/active-directory/active-directory-manage-groups" target="_blank">Managing access to resources with Azure Active Directory groups</a>.
@ -257,7 +259,7 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
**To enable automatic MDM enrollment**
1. In to the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
1. In the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list.
@ -294,7 +296,7 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
### 1.7 Configure Microsoft Store for Business for app distribution
Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune.
In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a>.
In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a>.
**To associate your Store account with Intune and configure synchronization**
@ -305,7 +307,7 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
![Set up mobile device management in Intune.](images/intune_admin_mdm_configure.png)
3. Sign into <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
3. Sign into <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
4. Accept the EULA.
5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business.
@ -331,7 +333,7 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
**To buy apps from the Store**
In your <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
In your <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
- Sway
- OneNote
- PowerPoint Mobile
@ -344,7 +346,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
**Example 1 - Add other apps like Reader and InstaNote**
1. In the <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
1. In the <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
**Figure 28** - Shop for Store apps
@ -405,7 +407,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png)
4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
4. In the **Let's get you signed in** screen, sign in using a user account you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
**Figure 33** - Sign in using one of the accounts you added
@ -419,14 +421,14 @@ To set up new Windows devices, go through the Windows initial device setup or fi
Verify that the device is set up correctly and boots without any issues.
**To verify that the device was set up correctly**
1. Click on the **Start** menu and select some of the options to make sure everything launches properly.
1. Click on the **Start** menu and select some of the options to make sure everything opens properly.
2. Confirm that the Store and built-in apps are working.
### 2.3 Verify the device is Azure AD joined
In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
**To verify if the device is joined to Azure AD**
1. Check the device name on your PC. To do this, on your Windows PC, select **Settings > System > About** and then check **PC name**.
1. Check the device name on your PC. On your Windows PC, select **Settings > System > About** and then check **PC name**.
**Figure 34** - Check the PC name on your device
@ -456,7 +458,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
2. Select the app, right-click, then select **Manage Deployment...**.
3. Select the group(s) whose apps will be managed, and then click **Add** to add the group.
4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app.
5. For each group that you selected, set **Approval** to **Required Install**. This automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**.
5. For each group that you selected, set **Approval** to **Required Install**. This step automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**.
**Figure 36** - Reconfigure an app's deployment setting in Intune
@ -464,7 +466,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
6. Click **Finish**.
7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
8. Verify that the app shows up on the device. To do this:
8. Verify that the app shows up on the device using the following steps:
- Make sure you're logged in to the Windows device.
- Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. Only apps that aren't already deployed on the device will appear in the **Recently added** section.
@ -563,23 +565,25 @@ For other devices, such as those personally-owned by employees who need to conne
### 4.2 Add a new user
You can add new users to your tenant simply by adding them to the Microsoft 365 groups. Adding new users to Microsoft 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
See [Add users to Office 365](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc?ui=en-US&rs=en-US&ad=US&fromAR=1) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
## Get more info
### For IT admins
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- <a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/en-us/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
- <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
- More info about managing devices, apps, data, troubleshooting, and more in <a href="/intune/" target="_blank">Intune documentation</a>
- Learn more about Windows 10 in <a href="/windows/windows-10/" target="_blank">Windows 10 guide for IT pros</a>
- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
- Info about distributing apps to your employees, managing apps, managing settings, and more in <a href="/microsoft-store/" target="_blank">Microsoft Store for Business</a>
### For information workers
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
- <a href="https://support.office.com/" target="_blank">Office help and training</a>
- <a href="https://support.microsoft.com/products/windows?os=windows-10" target="_blank">Windows 10 help</a>
- [Office Help & Training](https://support.microsoft.com/office)
- [Windows help & learning](https://support.microsoft.com/windows)
## Related topics
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
- [Windows for business](https://www.microsoft.com/windows/business)
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)


@ -2,8 +2,10 @@
## Week of April 26, 2021
## Week of October 25, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 10/28/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified |
| 10/28/2021 | [Windows 10/11 for small to midsize businesses](/windows/smb/index) | modified |


@ -1,7 +1,7 @@
---
title: Windows 10 for small to midsize businesses
title: Windows 10/11 for small to midsize businesses
description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.
keywords: Windows 10, SMB, small business, midsize business, business
keywords: Windows 10, Windows 11, SMB, small business, midsize business, business
ms.prod: w10
ms.technology:
ms.topic: article
@ -15,22 +15,39 @@ manager: dansimp
audience: itpro
---
# Windows 10 for SMB
# Windows 10/11 for Small and Medium Business (SMB)
![Windows 10 for SMB.](images/smb_portal_banner.png)
## ![Learn more about Windows and other resources for SMBs.](images/learn.png) Learn
<p><b><a href="https://business.microsoft.com/en-us/products/windows" target="_blank">Windows 10 for business</a></b><br />Learn how Windows 10 and Windows devices can help your business.</p>
<p><b><a href="https://blogs.business.microsoft.com/" target="_blank">SMB blog</a></b><br />Read about the latest stories, technology insights, and business strategies for SMBs.</p>
<p><b><a href="https://business.microsoft.com/en-us/products" target="_blank">How to buy</a></b><br />Go here when you&#39;re ready to buy or want to learn more about Microsoft products you can use to help transform your business.</p>
**[Windows for business](https://www.microsoft.com/windows/business)**
Learn how Windows can help your business be more productive, collaborate better, and be more secure.
**[Bing Pages](https://www.microsoft.com/bing/bing-pages-overview)**
Use Bing to grow your business and enhance your brand online.
**[Customer stories](https://customers.microsoft.com/)**
Read about the latest stories and technology insights.
**[SMB Blog](https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/bg-p/Microsoft365BusinessBlog)**
Read about business strategies and collaborations with SMBs.
**[Business Solutions and Technology](https://www.microsoft.com/store/b/business)**
Learn more about Microsoft products, or when you're ready to buy products and services to help transform your business.
## ![Deploy a Microsoft solution for your business.](images/deploy.png) Deploy
<p><b><a href="cloud-mode-business-setup.md" data-raw-source="[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)">Get started: Deploy and manage a full cloud IT solution for your business</a></b><br />Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.</p>
**[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)**
Using Microsoft cloud services and tools, it can be easy to deploy and manage a full cloud IT solution for your small to midsize business.
## Related topics
## Related articles
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
- [Windows for business](https://www.microsoft.com/windows/business)
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)


@ -24,7 +24,7 @@ ms.date: 07/21/2021
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
>
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/).
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
>
@ -41,7 +41,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies.


@ -19,7 +19,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -64,12 +63,12 @@ Each app in the Store for Business has an online, or an offline license. For mor
| Action | Online-licensed app | Offline-licensed app |
| ------ | ------------------- | -------------------- |
| Assign to employees | X | |
| Add to private store | X | |
| Remove from private store | X | |
| View license details | X | |
| View product details | X | X |
| Download for offline use | | X |
| Assign to employees | ✔️ | |
| Add to private store | ✔️ | |
| Remove from private store | ✔️ | |
| View license details | ✔️ | |
| View product details | ✔️ | ✔️ |
| Download for offline use | | ✔️ |
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).


@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -18,8 +18,8 @@ ms.date: 07/21/2021
# Configure an MDM provider
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -133,7 +132,7 @@ Device Guard is a feature set that consists of both hardware and software system
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
- Usage:


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to:**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -19,7 +19,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -40,9 +39,9 @@ Organizations can use either an MDM policy, or Group Policy to show only their p
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports Microsoft Store for Business, the MDM can use the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](/windows/client-management/mdm/policy-configuration-service-provider#ApplicationManagement_RequirePrivateStoreOnly) policy.
**ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions:
- Enterprise
- Education
- Mobile
For more information on configuring an MDM provider, see [Configure an MDM provider](./configure-mdm-provider-microsoft-store-for-business.md).
@ -51,6 +50,7 @@ For more information on configuring an MDM provider, see [Configure an MDM provi
If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
**Only display the private store within Microsoft Store app** group policy is supported on the following Windows 10 editions:
- Enterprise
- Education


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -20,7 +20,6 @@ ms.localizationpriority: medium
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -4,7 +4,7 @@ description: With Microsoft Store for Business and Microsoft Store for Education
ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
ms.reviewer:
ms.prod: w10
ms.pagetype: store, mobile
ms.pagetype: store
ms.mktglfcycl: manage
ms.sitesec: library
ms.author: cmcatee
@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -92,10 +91,10 @@ After your admin signs up for the Store for Business and Education, they can ass
| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
| ---------- | ---------------- | ------------ | --------------- | -------------------- |
| Admin | X | X | X | |
| Purchaser | | X | X | |
| Device Guard signer | | | | X |
| Basic purchaser | | X | X | |
| Admin | ✔️ | ✔️ | ✔️ | |
| Purchaser | | ✔️ | ✔️ | |
| Device Guard signer | | | | ✔️ |
| Basic purchaser | | ✔️ | ✔️ | |
> [!NOTE]
> Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](/education/windows/education-scenarios-store-for-business?toc=%2fmicrosoft-store%2feducation%2ftoc.json#manage-domain-settings).


@ -22,7 +22,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -37,13 +36,13 @@ Microsoft Store for Business and Education has a set of roles that help admins a
This table lists the global user accounts and the permissions they have in Microsoft Store.
| | **Global Administrator** | **Billing Administrator** |
|| Global Administrator | Billing Administrator |
| ------------------------------ | --------------------- | --------------------- |
| **Sign up for Microsoft Store for Business and Education** | X | X |
| **Modify company profile settings** | X | X |
| **Purchase apps** | X | X |
| **Distribute apps** | X | X |
| **Purchase subscription-based software** | X | X |
| **Sign up for Microsoft Store for Business and Education** | ✔️ | ✔️ |
| **Modify company profile settings** | ✔️ | ✔️ |
| **Purchase apps** | ✔️ | ✔️ |
| **Distribute apps** | ✔️ | ✔️ |
| **Purchase subscription-based software** | ✔️ | ✔️ |
- **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
@ -53,14 +52,14 @@ Microsoft Store for Business has a set of roles that help IT admins and employee
This table lists the roles and their permissions.
| | **Admin** | **Purchaser** | **Device Guard signer** |
|| Admin | Purchaser | Device Guard signer |
| ------------------------------ | ------ | -------- | ------------------- |
| **Assign roles** | X | | |
| **Manage Microsoft Store for Business and Education settings** | X | | |
| **Acquire apps** | X | X | |
| **Distribute apps** | X | X | |
| **Sign policies and catalogs** | X | | |
| **Sign Device Guard changes** | X | | X |
| **Assign roles** | ✔️ | | |
| **Manage Microsoft Store for Business and Education settings** | ✔️ | | |
| **Acquire apps** | ✔️ | ✔️ | |
| **Distribute apps** | ✔️ | ✔️ | |
| **Sign policies and catalogs** | ✔️ | | |
| **Sign Device Guard changes** | ✔️ | | ✔️ |
These permissions allow people to:


@ -42,7 +42,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal.


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -29,6 +28,7 @@ Troubleshooting topics for Microsoft Store for Business.
## Can't find apps in private store
The private store for your organization is a page in Microsoft Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check:
- **No apps in the private store** - The private store page is only available in Microsoft Store on Windows 10 if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Microsoft Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on **Product & services - Apps**. If the status under **Private store** is **Add in progress**, wait and check back.
- **Signed in with the wrong account** - If you have multiple accounts that you use in your organization, you might be signed in with the wrong account. Or, you might not be signed in. Use this procedure to sign in with your organization account.
@ -64,5 +64,5 @@ If you are still having trouble using Microsoft Store or installing an app, Admi
**To view Support page** 
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com)
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
2.Choose **Manage**> **Support**.


@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).


@ -71,6 +71,15 @@ There are different types of apps that can run on your Windows client devices. T
Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices.
## Android™ apps
Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
For more information, see:
- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
- [Windows Subsystem for Android developer information](/windows/android/wsa)
## Add or deploy apps to devices
When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.


@ -50,8 +50,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
```
> [!NOTE]
> * On Windows 10, you must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab**
> * On Windows 11, you must rename the FOD .CAB file to: **Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e45~amd_64~~.cab**
> On Windows 10 and 11, you must rename the FOD .CAB file to: **Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab**
1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**.


@ -23,7 +23,7 @@ items:
href: manage-windows-mixed-reality.md
- name: Application Virtualization (App-V)
items:
- name: App-V for Windows 10 overview
- name: App-V for Windows overview
href: app-v/appv-for-windows.md
- name: Getting Started
items:
@ -266,5 +266,5 @@ items:
href: per-user-services-in-windows.md
- name: Disabling System Services in Windows Server
href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server
- name: How to keep apps removed from Windows 10 from returning during an update
- name: How to keep apps removed from Windows from returning during an update
href: remove-provisioned-apps-during-update.md


@ -18,9 +18,9 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 11
- Windows 10
- Windows 11
Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.


@ -21,7 +21,7 @@ This article includes general troubleshooting for 802.1X wireless and wired clie
## Scenarios
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 11 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
## Known issues


@ -31,8 +31,7 @@ There are several reasons why a Windows-based computer may have problems during
**1. PreBoot**
The PCs firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot
Manager.
The PCs firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
**2. Windows Boot Manager**


@ -21,7 +21,8 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 11
- Windows 11
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).


@ -16,9 +16,9 @@ ms.topic: troubleshooting
# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
**Applies to**
- Windows 10
- Windows 11
- Windows 10
- Windows 11
In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.


@ -1,5 +1,5 @@
---
title: Manage corporate devices (Windows)
title: Manage corporate devices
description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
ms.reviewer:
@ -30,13 +30,13 @@ You can use the same management tools to manage all device types running Windows
| Topic | Description |
| --- | --- |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment |
| [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment |
| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start |
| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 or Windows 11 in their organizations |
| [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
| [New policies for Windows 10 (and Windows 11)](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
| [Group Policies that apply only to Windows Enterprise and Windows Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations |
## Learn more
@ -47,13 +47,13 @@ You can use the same management tools to manage all device types running Windows
[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791)
[Azure AD Join on Windows 10 (and Windows 11) devices](https://go.microsoft.com/fwlink/p/?LinkId=616791)
[Azure AD support for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=615765)
[Azure AD support for Windows 10 (and Windows 11)](https://go.microsoft.com/fwlink/p/?LinkID=615765)
[Windows 10 and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
[How to manage Windows 10 devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620)
[How to manage Windows 10 (and Windows 11) devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620)
[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207)


@ -14,7 +14,6 @@ ms.topic: article
# Manage Device Installation with Group Policy
**Applies to**
- Windows 10
@ -343,8 +342,8 @@ Getting the right device identifier to prevent it from being installed:
> ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\
> This class includes printers.
> [!NOTE]
> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system.
> [!NOTE]
> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system.
Creating the policy to prevent all printers from being installed:
@ -377,9 +376,9 @@ Creating the policy to prevent all printers from being installed:
1. If you have not completed step #9 follow these steps:
- Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
- For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app.
- You should not be able to reinstall the printer.
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
1. For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app.
1. You should not be able to reinstall the printer.
2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.


@ -14,11 +14,11 @@ ms.topic: article
# Manage the Settings app with Group Policy
**Applies to**
- Windows 10, Windows Server 2016
- Windows 11
- Windows 10
- Windows 11
- Windows Server 2016
You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.


@ -68,7 +68,7 @@ First, you create a default user profile with the customizations that you want,
1. At a command prompt, type the following command and press **ENTER**.
```dos
```console
sysprep /oobe /reboot /generalize /unattend:unattend.xml
```
@ -100,11 +100,11 @@ First, you create a default user profile with the customizations that you want,
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
![Example of Copy profile to.](images/copy-to-path.png)
![Example of Copy profile to.](images/copy-to-path.png)
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
![Example of Copy To UI with UNC path.](images/copy-to-path.png)
![Example of Copy To UI with UNC path.](images/copy-to-path.png)
1. Click **OK** to copy the default user profile.


@ -19,10 +19,18 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
> [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
The following shows the AccountManagement configuration service provider in tree format.
The following diagram shows the AccountManagement configuration service provider in tree format.
![accountmanagement csp.](images/provisioning-csp-accountmanagement.png)
```console
./Vendor/MSFT
AccountManagement
----UserProfileManagement
--------EnableProfileManager
--------DeletionPolicy
--------StorageCapacityStartDeletion
--------StorageCapacityStopDeletion
--------ProfileInactivityThreshold
```
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.


@ -23,7 +23,36 @@ manager: dansimp
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png)
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
```console
./Vendor/MSFT
EnterpriseAppVManagement
----AppVPackageManagement
--------EnterpriseID
------------PackageFamilyName
---------------PackageFullName
------------------Name
------------------Version
------------------Publisher
------------------InstallLocation
------------------InstallDate
------------------Users
------------------AppVPackageID
------------------AppVVersionId
------------------AppVPackageUri
----AppVPublishing
--------LastSync
------------LastError
------------LastErrorDescription
------------SyncStatusDescription
------------SyncProgress
--------Sync
------------PublishXML
----AppVDynamicPolicy
--------ConfigurationId
------------Policy
```
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>


@ -13,9 +13,15 @@ author: dansimp
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a devices compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
Once a device is enrolled in MDM, the MDM:
- Can enforce compliance with organization policies, add or remove apps, and more.
- Can report a devices compliance in Azure AD.
- Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies.
To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This article describes the steps involved.
## Connect to Azure AD
@ -32,9 +38,9 @@ For personal devices (BYOD):
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device won't be joined to Azure AD.
> [!IMPORTANT]
> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license.
@ -42,7 +48,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in
### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. Its important to note that in the BYOD case, users can reject the MDM Terms of Use—in which case the device is not enrolled in MDM and access to corporate resources is typically restricted.
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted.
## Integrated MDM enrollment and UX
@ -50,18 +56,18 @@ Two Azure AD MDM enrollment scenarios:
- Joining a device to Azure AD for company-owned devices
- Adding a work account to a personal device (BYOD)
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios is similar.
Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
> [!NOTE]
> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure ADintegrated enrollment
@ -70,87 +76,86 @@ Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent.
This is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
2. Enroll the device.
This is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
Its important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
After the users accepts the Terms of Use, the device is registered in Azure AD and the automatic MDM enrollment begins.
After the users accepts the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic.
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
## Make the MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api).
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api).
### Add a cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It is a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
> [!NOTE]
> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenent the managed device belongs.
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Log in to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
2. In the left navigation, select **Active Directory**.
3. Click the directory tenant where you want to register the application.
3. Select the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
Ensure you're logged into your home tenant.
4. Click the **Applications** tab.
4. Select the **Applications** tab.
5. In the drawer, click **Add**.
5. In the drawer, select **Add**.
6. Click **Add an application my organization is developing**.
6. Select **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://&lt;your\_tenant\_name>/ContosoMDM**, then click OK.
9. For the App ID, enter **https://&lt;your\_tenant\_name>/ContosoMDM**, then select OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
10. While still in the Azure portal, select the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
You'll need this ID later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
You need this key to call the Azure AD Graph API to report device compliance. This information is covered in the next section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
### Add an on-premises MDM
An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
@ -162,16 +167,16 @@ The application keys used by your MDM service are a sensitive resource. They sho
For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715).
You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There is a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For the on-premises MDM, the keys used to authenticate with Azure AD are within the tenant of the customer and must be rolled over by the customer's administrator. In this case, you should provide guidance to the customers about rolling over and protecting the keys to improved security.
For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys.
## Publish your MDM app to Azure AD app gallery
IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
The following image show how MDM applications show up in the Azure app gallery.
![azure ad add an app for mdm.](images/azure-ad-app-gallery.png)
@ -196,7 +201,7 @@ The following table shows the required information to create an entry in the Azu
<tbody>
<tr class="odd">
<td><p><strong>Application ID</strong></p></td>
<td><p>The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.</p></td>
<td><p>The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app.</p></td>
</tr>
<tr class="even">
<td><p><strong>Publisher</strong></p></td>
@ -204,7 +209,7 @@ The following table shows the required information to create an entry in the Azu
</tr>
<tr class="odd">
<td><p><strong>Application URL</strong></p></td>
<td><p>A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.</p></td>
<td><p>A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment.</p></td>
</tr>
<tr class="even">
<td><p><strong>Description</strong></p></td>
@ -220,27 +225,30 @@ The following table shows the required information to create an entry in the Azu
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There is a generic entry for administrator to add an app to their tenant.
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Azure AD Graph API and for reporting device compliance.
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right.
There are 3 distinct scenarios:
There are three distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
These scenarios support Windows client Pro, Enterprise, and Education.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
The CSS files provided by Microsoft contain version information and we recommend that you use the latest version. There are separate CSS files for Windows client devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
- For Windows 10, use **oobe-desktop.css**
- For Windows 11, use **oobe-light.css**
### Using themes
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, then the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
<table>
<colgroup>
@ -281,11 +289,11 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
## Terms of Use protocol semantics
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows performs a full-page redirect to this endpoint. This enables the MDM to display the terms and conditions that apply and allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
### Redirect to the Terms of Use endpoint
This is a full page redirect to the Terms of User endpoint hosted by the MDM. Here is an example URL, https:<span></span>//fabrikam.contosomdm.com/TermsOfUse.
This redirect is a full page redirect to the Terms of User endpoint hosted by the MDM. Here's an example URL, https:<span></span>//fabrikam.contosomdm.com/TermsOfUse.
The following parameters are passed in the query string:
@ -307,15 +315,15 @@ The following parameters are passed in the query string:
</tr>
<tr class="even">
<td><p>client-request-id</p></td>
<td><p>A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.</p></td>
<td><p>A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures.</p></td>
</tr>
<tr class="odd">
<td><p>api-version</p></td>
<td><p>Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.</p></td>
<td><p>Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.</p></td>
</tr>
<tr class="even">
<td><p>mode</p></td>
<td><p>Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.</p></td>
<td><p>Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.</p></td>
</tr>
</tbody>
</table>
@ -323,7 +331,7 @@ The following parameters are passed in the query string:
### Access token
A bearer access token is issued by Azure AD is passed in the authorization header of the HTTP request. Here is a typical format:
Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
@ -351,7 +359,7 @@ The following claims are expected in the access token passed by Windows to the T
</tr>
<tr class="odd">
<td><p>TID</p></td>
<td><p>A claim representing the tenant ID of the tenant. In the example above, it&#39;s Fabrikam.</p></td>
<td><p>A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.</p></td>
</tr>
<tr class="even">
<td><p>Resource</p></td>
@ -362,7 +370,7 @@ The following claims are expected in the access token passed by Windows to the T
<br/>
> [!NOTE]
> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
> There's no device ID claim in the access token because the device may not yet be enrolled at this time.
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api).
@ -377,7 +385,7 @@ The MDM is expected to validate the signature of the access token to ensure it w
### Terms of Use content
The MDM may perform other additional redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control.
The MDM may do other more redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control.
The Terms of Use content should contain the following buttons:
@ -391,29 +399,28 @@ The Terms of Use content must be consistent with the theme used for the other pa
At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here is an example redirect - ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true
- **IsAccepted** - This Boolean value is required, and must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to false. This also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter is not expected to be used because the enrollment is stopped with an error message displayed to the user.
- **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
Users skip the Terms of Use when they are adding a Microsoft work account to their device. However, then cannot skip it during the Azure AD Join process. The decline button must not be shown in the Azure AD Join process because MDM enrollment cannot be declined by the user if configured by the administrator for the Azure AD Join.
Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join.
We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
### Terms Of Use Error handling
If an error was encountered during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. Note that the URL should be encoded and the contents of the error\_description should be in English plain text. This text is not visible to the end-user and therefore localization of the error description text is not a concern.
If an error occurs during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the error\_description should be in English plain text. This text isn't visible to the end-user. So, localization of the error description text isn't a concern.
Here is the URL format:
Here's the URL format:
```console
HTTP/1.1 302
Location:
<redirect_uri>?error=access_denied&error_description=Access%20is%20denied%2E
Example:
HTTP/1.1 302
Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Access%20is%20denied%2E
@ -467,7 +474,7 @@ The following table shows the error codes.
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there is no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
<table>
<colgroup>
@ -480,8 +487,8 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
<tr class="header">
<th>Detail</th>
<th>Traditional MDM enrollment</th>
<th>Azure AD Join (corporate-owned device)</th>
<th>Azure AD add a work account (user-owned device)</th>
<th>Azure AD Join (organization-owned device)</th>
<th>Azure AD adds a work account (user-owned device)</th>
</tr>
</thead>
<tbody>
@ -594,12 +601,6 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
<li>Policy</li>
<li>w7 APPLICATION</li>
</ul>
<p>Legacy support:</p>
<ul>
<li>EnterpriseAppManagement (Windows Phone 8.1)</li>
</ul></td>
<td><p>same as traditional MDM enrollment</p></td>
<td><p>same as traditional MDM enrollment</p></td>
</tr>
</tbody>
</table>
@ -608,13 +609,13 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
## Management protocol with Azure AD
There are two different MDM enrollment types that take advantage of integration with Azure AD and therefore make use of Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who logs on to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, conclude what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token is not sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user logs on to the machine, Azure AD user token is not available to OMA-DM process. Typically MDM enrollment completes before Azure AD user logs on to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically MDM enrollment completes before Azure AD user sign in to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
In this scenario, the MDM enrollment applies to a single user who initially added his work account and enrolled the device. In this enrollment type the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
@ -630,14 +631,14 @@ Additional claims may be present in the Azure AD token, such as:
- Device ID - identifies the device that is checking in
- Tenant ID
Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens:
Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](/previous-versions/dotnet/framework/security/json-web-token-handler).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
```xml
Alert Type: com.microsoft/MDM/AADUserToken
@ -689,19 +690,19 @@ Here's an example.
## Report device compliance to Azure AD
Once a device is enrolled with the MDM for management, corporate policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. Use this key to authenticate the MDM service with Azure AD, in order to obtain authorization.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This is because each on-premises instance of your MDM product has a different tenant-specific key. For this purpose, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Azure AD Graph API
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device being managed by it.
> [!NOTE]
> This is only applicable for approved MDM apps on Windows 10 devices.
> This API is only applicable for approved MDM apps on Windows 10 devices.
```console
Sample Graph API Request:
@ -717,20 +718,20 @@ Content-Type: application/json
Where:
- **contoso.com** This is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request.
- **contoso.com** This value is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This value is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
Response:
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant cannot be found.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
## Data loss during unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenrollment.](images/azure-ad-unenrollment.png)
@ -752,182 +753,182 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
<tbody>
<tr class="odd">
<td>0x80180001</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x80180002</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_AUTHENTICATION_ERROR</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180003</td>
<td>&quot;idErrorAuthorizationFailure&quot;, // MENROLL_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
<td>"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180004</td>
<td>&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180005</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x80180006</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180007</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180008</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_UNKNOWN_ERROR</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180009</td>
<td>&quot;idErrorAlreadyInProgress&quot;, // MENROLL_E_ENROLLMENT_IN_PROGRESS</td>
<td>"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS</td>
<td><p>Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x8018000A</td>
<td>&quot;idErrorMDMAlreadyEnrolled&quot;, // MENROLL_E_DEVICE_ALREADY_ENROLLED</td>
<td>"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED</td>
<td><p>This device is already enrolled. You can contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x8018000D</td>
<td>&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x8018000E</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_PASSWORD_NEEDED</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x8018000F</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_WAB_ERROR</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180010</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_CONNECTIVITY</td>
<td>"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180012</td>
<td>&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_INVALIDSSLCERT</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180013</td>
<td>&quot;idErrorDeviceLimit&quot;, // MENROLL_E_DEVICECAPREACHED</td>
<td>"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED</td>
<td><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180014</td>
<td>&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_DEVICENOTSUPPORTED</td>
<td><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
<td>"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED</td>
<td><p>This feature isn't supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180015</td>
<td>&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_NOTSUPPORTED</td>
<td><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
<td>"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED</td>
<td><p>This feature isn't supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180016</td>
<td>&quot;idErrorMDMRenewalRejected&quot;, // MENROLL_E_NOTELIGIBLETORENEW</td>
<td>"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW</td>
<td><p>The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180017</td>
<td>&quot;idErrorMDMAccountMaintenance&quot;, // MENROLL_E_INMAINTENANCE</td>
<td>"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE</td>
<td><p>The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180018</td>
<td>&quot;idErrorMDMLicenseError&quot;, // MENROLL_E_USERLICENSE</td>
<td>"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE</td>
<td><p>There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180019</td>
<td>&quot;idErrorInvalidServerConfig&quot;, // MENROLL_E_ENROLLMENTDATAINVALID</td>
<td><p>Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
<td>"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID</td>
<td><p>Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>&quot;rejectedTermsOfUse&quot;</td>
<td>&quot;idErrorRejectedTermsOfUse&quot;</td>
<td>"rejectedTermsOfUse"</td>
<td>"idErrorRejectedTermsOfUse"</td>
<td><p>Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.</p></td>
</tr>
<tr class="even">
<td>0x801c0001</td>
<td>&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td>"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x801c0002</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_AUTHENTICATION_ERROR</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0003</td>
<td>&quot;idErrorAuthorizationFailure&quot;, // DSREG_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
<td>"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c0006</td>
<td>&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_INTERNALSERVICE_ERROR</td>
<td>"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x801c000B</td>
<td>&quot;idErrorUntrustedServer&quot;, // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED</td>
<td>The server being contacted is not trusted. Contact your system administrator with the error code {0}.</td>
<td>"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED</td>
<td>The server being contacted isn't trusted. Contact your system administrator with the error code {0}.</td>
</tr>
<tr class="odd">
<td>0x801c000C</td>
<td>&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_FAILED</td>
<td>"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x801c000E</td>
<td>&quot;idErrorDeviceLimit&quot;, // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED</td>
<td>"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED</td>
<td><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c000F</td>
<td>&quot;idErrorDeviceRequiresReboot&quot;, // DSREG_E_DEVICE_REQUIRES_REBOOT</td>
<td>"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT</td>
<td><p>A reboot is required to complete device registration.</p></td>
</tr>
<tr class="even">
<td>0x801c0010</td>
<td>&quot;idErrorInvalidCertificate&quot;, // DSREG_E_DEVICE_AIK_VALIDATION_ERROR</td>
<td>"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR</td>
<td><p>Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c0011</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_ATTESTATION_ERROR</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0012</td>
<td>&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR</td>
<td>"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x801c0013</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_TENANTID_NOT_FOUND</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0014</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_USERSID_NOT_FOUND</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
</tbody>

@ -1,51 +0,0 @@
---
title: BOOTSTRAP CSP
description: Use the BOOTSTRAP configuration service provider to set the Trusted Provisioning Server (TPS) for the device.
ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# BOOTSTRAP CSP
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png)
<a href="" id="context-allow"></a>**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
<a href="" id="provurl"></a>**PROVURL**
Required. Specifies the location of a Trusted Provisioning Server (TPS). The PROVURL value must be a complete URL string with a maximum length of 256 characters.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

@ -28,9 +28,13 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png)
```console
BrowserFavorite
favorite name
----URL
```
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
@ -78,19 +82,19 @@ The following table shows the Microsoft custom elements that this configuration
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top-level query: Yes</p></td>

@ -19,9 +19,13 @@ The CellularSettings configuration service provider is used to configure cellula
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png)
```console
./Vendor/MSFT
CellularSettings
----DataRoam
```
<a href="" id="dataroam"></a>**DataRoam**
<p> Optional. Integer. Specifies the default roaming value. Valid values are:</p>

@ -17,39 +17,31 @@ ms.date: 06/26/2017
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> [!Note]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response)
- [Configuration service providers supported during MDM enrollment and certificate renewal](#configuration-service-providers-supported-during-mdm-enrollment-and-certificate-renewal)
<a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal.
> [!Note]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
For the device that is enrolled with the OnPremise authentication method, for backward compatibility, the default renewal method is user manual certificate renewal. However, for Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal via CertificateStore CSPs ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. For more information about Renew related configuration settings, refer to the CertificateStore configuration service provider.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSPs](certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
Unlike manual certificate renewal where there is an additional b64 encoding for PKCS\#7 message content, with automatic renewal, the PKCS\#7 message content isnt b64 encoded separately.
With automatic renewal, the PKCS\#7 message content isnt b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Make sure using one of device pre-installed root certificates or provision the root cert over a DM session via CertificateStore Configuration Service Provider.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](certificatestore-csp.md).
During the automatic certificate renew process, the device will deny HTTP redirect request from the server unless it is the same redirect URL that the user explicitly accepted during the initial MDM enrollment process.
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
The following example shows the details of an automatic renewal request.
``` xml
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
@ -101,18 +93,16 @@ The following example shows the details of an automatic renewal request.
</s:Envelope>
```
<a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry to be configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, instead of only reminding the user once, the Windows device will remind the user with a prompt dialog at every renewal retry time until the certificate is expired.
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
> [!Note]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
## Certificate renewal response
@ -129,9 +119,9 @@ After validation is completed, the web service retrieves the PKCS\#10 content fr
> [!Note]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response.
The following example shows the details of a certificate renewal response.
``` xml
```xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
@ -157,9 +147,8 @@ The following example shows the details of an certificate renewal response.
```
> [!Note]
The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
<a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.

@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png)
```console
CM_CellularEntries
----entryname
--------AlwaysOn
--------AuthType
--------ConnectionType
--------Desc.langid
--------Enabled
--------IpHeaderCompression
--------Password
--------SwCompression
--------UserName
--------UseRequiresMappingPolicy
--------Version
--------DevSpecificCellular
-----------GPRSInfoAccessPointName
--------Roaming
--------OEMConnectionID
--------ApnId
--------IPType
--------ExemptFromDisablePolicy
--------ExemptFromRoaming
--------TetheringNAI
--------IdleDisconnectTimeout
--------SimIccId
--------PurposeGroups
```
<a href="" id="entryname"></a>***entryname***
<p>Defines the name of the connection.</p>
@ -51,27 +77,27 @@ The following diagram shows the CM\_CellularEntries configuration service provid
</colgroup>
<tbody>
<tr class="odd">
<td><p>gprs</p></td>
<td><p>Gprs</p></td>
<td><p>Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).</p></td>
</tr>
<tr class="even">
<td><p>cdma</p></td>
<td><p>Cdma</p></td>
<td><p>Used for CDMA type connections (1XRTT + EVDO).</p></td>
</tr>
<tr class="odd">
<td><p>lte</p></td>
<td><p>Lte</p></td>
<td><p>Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.</p></td>
</tr>
<tr class="even">
<td><p>legacy</p></td>
<td><p>Legacy</p></td>
<td><p>Used for GPRS + GSM + EDGE + UMTS connections.</p></td>
</tr>
<tr class="odd">
<td><p>lte_iwlan</p></td>
<td><p>Lte_iwlan</p></td>
<td><p>Used for GPRS type connections that may be offloaded over WiFi</p></td>
</tr>
<tr class="even">
<td><p>iwlan</p></td>
<td><p>Iwlan</p></td>
<td><p>Used for connections that are implemented over WiFi offload only</p></td>
</tr>
</tbody>
@ -285,15 +311,15 @@ The following table shows the Microsoft custom elements that this configuration
</thead>
<tbody>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>

@ -1,184 +0,0 @@
---
title: CM\_ProxyEntries CSP
description: Learn how the CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 06/26/2017
---
# CM\_ProxyEntries CSP
The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
> [!NOTE]
> CM\_ProxyEntries CSP is only supported in Windows 10 Mobile.
> [!IMPORTANT]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
The following shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607.
```
./Vendor/MSFT
CM_ProxyEntries
----Entry
--------ConnectionName
--------BypassLocal
--------Enable
--------Exception
--------Password
--------Port
--------Server
--------Type
--------Username
./Device/Vendor/MSFT
Root
./Vendor/MSFT
./Device/Vendor/MSFT
CM_ProxyEntries
----Entry
--------ConnectionName
--------BypassLocal
--------Enable
--------Exception
--------Password
--------Port
--------Server
--------Type
--------Username
```
<a href="" id="entryname"></a>**entryname**
Defines the name of the connection proxy.
Each cellular entry can have only one proxy entry. For example, an Internet connection can have no more than one HTTP proxy specified but it might also have a WAP proxy. If two applications need access to the same APN but one application needs a proxy and the other application cannot have a proxy, two entries can be created with different names for the same APN.
<a href="" id="connectionname"></a>**ConnectionName**
Specifies the name of the connection the proxy is associated with. This is the APN name of a connection configured using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md).
<a href="" id="bypasslocal"></a>**BypassLocal**
Specifies if the proxy should be bypassed when local hosts are accessed by the device.
A value of "0" specifies that the proxy bypass for local hosts is disabled. A value of "1" specifies that the proxy bypass for local hosts is enabled.
<a href="" id="enable"></a>**Enable**
Specifies if the proxy is enabled.
A value of "0" specifies that the proxy is disabled. A value of "1" specifies that the proxy is enabled.
<a href="" id="exception"></a>**Exception**
Specifies a list of external hosts which should bypass the proxy when accessed.
The exception list is a semi-colon delimited list of host names. For example, to bypass the proxy when either MSN or Yahoo is accessed, the value for the Exception list would be "www.msn.com;www.yahoo.com".
<a href="" id="password"></a>**Password**
Specifies the password used to connect to the proxy.
Passwords are only required for WAP and SOCKS proxies and are not used for HTTP proxies. Queries of this parameter return a string composed of asterisks (\*).
When setting the password, passing in the same string causes the new password to be ignored and does not change the existing password.
<a href="" id="port"></a>**Port**
Specifies the port number of the proxy server.
<a href="" id="server"></a>**Server**
Specifies the name of the proxy server.
<a href="" id="type"></a>**Type**
Specifies the type of proxy connection for this entry.
The following list enumerates the values allowed for the Type parameter.
- "0" = Null proxy
- "1" = HTTP proxy
- "2" = WAP proxy
- "4" = SOCKS4 proxy
- "5" = SOCKS5 proxy
The Null proxy can be used to allow Connection Manager to treat one network as a super set of another network by creating a null proxy from one network to the other.
<a href="" id="username"></a>**UserName**
Specifies the username used to connect to the proxy.
## Additional information
To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection.
```xml
<wap-provisioningdoc>
<characteristic type="CM_ProxyEntries">
<nocharacteristic type="GPRS_Proxy"/>
</characteristic>
<characteristic type="CM_CellularEntries">
<nocharacteristic type="GPRS1"/>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -0,0 +1,133 @@
---
title: Secured-Core Configuration Lock
description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration.
manager: dansimp
keywords: mdm,management,administrator,config lock
ms.author: v-lsaldanha
ms.topic: article
ms.prod: w11
ms.technology: windows
author: lovina-saldanha
ms.date: 10/07/2021
---
# Secured-Core PC Configuration Lock
**Applies to**
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
To summarize, Config Lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM
- Detects drift remediates within seconds
- DOES NOT prevent malicious attacks
## Configuration Flow
After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
## System Requirements
Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
## Enabling Config Lock using Microsoft Intune
Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::
1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1 </br>
To turn off Config Lock. Change value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::
## Disabling
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::
## FAQ
**Can an IT admins disable Config Lock ?** </br>
Yes. IT admins can use MDM to turn off Config Lock.</br>
### List of locked policies
|**CSPs** |
|-----|
|[BitLocker ](bitlocker-csp.md) |
|[PassportForWork](passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** |
|-----|
|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) |
|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) |
|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) |
|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) |
|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) |
|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) |
|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)|
|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) |
|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)|
|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) |
|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) |


@ -1,6 +1,6 @@
---
title: DevDetail CSP
description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server.
description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server.
ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360
ms.reviewer:
manager: dansimp
@ -14,15 +14,16 @@ ms.date: 03/27/2020
# DevDetail CSP
The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands.
The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
For the DevDetail CSP, you can't use the Replace command unless the node already exists.
The following shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
```
The following information shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol isn't supported for this configuration service provider.
```console
.
DevDetail
----URI
@ -97,24 +98,24 @@ Required. Returns the maximum depth of the management tree that the device suppo
Supported operation is Get.
This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
This value is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
<a href="" id="uri-maxtotlen"></a>**URI/MaxTotLen**
Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
Supported operation is Get.
This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
This value is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
<a href="" id="uri-maxseglen"></a>**URI/MaxSegLen**
Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
Supported operation is Get.
This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
<a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID**
Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support.
Supported operation is Get.
@ -131,7 +132,7 @@ Required. Returns the UI screen resolution of the device (example: &quot;480x800
Supported operation is Get.
<a href="" id="ext-microsoft-commercializationoperator"></a>**Ext/Microsoft/CommercializationOperator**
Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
Required. Returns the name of the mobile operator if it exists. Otherwise, it returns 404.
Supported operation is Get.
@ -158,7 +159,7 @@ Supported operation is Get.
<a href="" id="ext-microsoft-devicename"></a>**Ext/Microsoft/DeviceName**
Required. Contains the user-specified device name.
Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
Replace operation isn't supported in Windows client or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name doesn't take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
Value type is string.
@ -171,23 +172,15 @@ The following are the available naming macros:
| Macro | Description | Example | Generated Name |
| -------| -------| -------| -------|
| %RAND:<# of digits> | Generates the specified number of random digits. | Test%RAND:6% | Test123456|
| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| Test-Device-%SERIAL% | Test-Device-456|
| %RAND:<# of digits> | Generates the specified number of random digits. | `Test%RAND:6%` | Test123456|
| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| `Test-Device-%SERIAL%` | Test-Device-456|
Value type is string. Supported operations are Get and Replace.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
Supported operation is Get.
> [!NOTE]
> This is only supported in Windows 10 Mobile.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalram"></a>**Ext/Microsoft/TotalRAM**
Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
@ -205,30 +198,30 @@ The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
Supported operation is Get.
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
> This isn't supported in Windows 10 for desktop editions.
<a href="" id="volteservicesetting"></a>**Ext/VoLTEServiceSetting**
Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
Returns the VoLTE service to on or off. This setting is only exposed to mobile operator OMA-DM servers.
Supported operation is Get.
<a href="" id="wlanipv4address"></a>**Ext/WlanIPv4Address**
Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
Returns the IPv4 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA DM servers.
Supported operation is Get.
<a href="" id="wlanipv6address"></a>**Ext/WlanIPv6Address**
Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
Returns the IPv6 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
<a href="" id="wlandnssuffix"></a>**Ext/WlanDnsSuffix**
Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
Returns the DNS suffix of the active Wi-Fi connection. This suffix is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
<a href="" id="wlansubnetmask"></a>**Ext/WlanSubnetMask**
Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
Returns the subnet mask for the active Wi-Fi connection. This subnet mask is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
@ -236,17 +229,10 @@ Supported operation is Get.
Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!NOTE]
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you can't parse the content to get any meaningful hardware information.
Supported operation is Get.
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -19,24 +19,24 @@ ms.date: 11/15/2017
>[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
In particular, Windows 10 provides APIs to enable MDMs to:
- Ensure machines stay up to date by configuring Automatic Update policies.
- Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device.
- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up to date is a particular machine.
- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10.
This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
- Configure automatic update policies to ensure devices stay up-to-date.
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed).
- Specify a per-device update approval list, to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end user so update deployment can be automated even for updates with EULAs.
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the updates title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the updates title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
@ -48,29 +48,29 @@ The diagram can be roughly divided into three areas:
- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol, but only downloads and installs updates that are both applicable to the device and approved by IT (right portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
## <a href="" id="gettingupdatemetadata"></a>Getting update metadata using the Server-Server sync protocol
The Microsoft Update Catalog is huge and contains many updates that are not needed by MDM-managed devices, including updates for legacy software (for example, updates to servers, down-level desktop operating systems, and legacy apps), and a large number of drivers. We recommend that the MDM use the Server-Server sync protocol to get update metadata for updates reported from the client.
The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client.
This section describes how this is done. The following diagram shows the server-server sync protocol process.
This section describes this setup. The following diagram shows the server-server sync protocol process.
![mdm server-server sync.](images/deviceupdateprocess2.png)
:::image type="content" alt-text="mdm server-server sync." source="images/deviceupdateprocess2.png" lightbox="images/deviceupdateprocess2.png":::
MSDN provides much information about the Server-Server sync protocol. In particular:
- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
Some important highlights:
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> [!NOTE]
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
@ -82,16 +82,16 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData
- **CreationDate** the date on which this update was created.
- **UpdateType** The type of update, which could include the following:
- **Detectoid** if this update identity represents a compatibility logic
- **Category** This could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office etc.
- The classification the update belongs to. For example, Drivers, security etc.
- **Category** This element could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office, and so on.
- The classification the update belongs to. For example, drivers, security, and so on.
- **Software** If the update is a software update.
- **Driver** if the update is a driver update.
- **LocalizedProperties** represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** The language code identifier (LCID). For example, en or es.
- **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.”
- **KBArticleID** The KB article number for this update that has details regarding the particular update. For example, <https://support.microsoft.com/kb/2902892>.
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.”
- **KBArticleID** The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol
@ -99,119 +99,156 @@ This section describes a possible algorithm for using the server-server sync pro
First some background:
- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it is common to all tenants.
- A metadata sync service can then be implemented that periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client if those updates are not already known to the device.
- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
The following procedure describes a basic algorithm for a metadata sync service:
- Initialization, composed of the following:
1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about four new definition updates per day, each of which is cumulative).
- Initialization uses the following steps:
a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
- Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and:
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB.
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they have been brought in.
- Remove updates from the "needed update IDs to fault in" list once they've been brought in.
This provides an efficient way to pull in the information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time you can pull information so IT can see what updates they are approving, or for compliance reports to see what updates are needed but not yet installed.
These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed.
## <a href="" id="managingupdates"></a>Managing updates using OMA DM
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented the [Mobile device management](mobile-device-enrollment.md) topic. This section focuses on how to extend that integration to support update management. The key aspects of update management include the following:
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information:
- Configure automatic update policies to ensure devices stay up-to-date.
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed)
- Specify a per-device update approval list to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs
- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs
The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group".
2. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are available. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues.
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates.
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md).
### Update policies
The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following diagram shows the Update policies in a tree format.
The following information shows the Update policies in a tree format.
![update policies.](images/update-policies.png)
```console
./Vendor/MSFT
Policy
----Config
--------Update
-----------ActiveHoursEnd
-----------ActiveHoursMaxRange
-----------ActiveHoursStart
-----------AllowAutoUpdate
-----------AllowMUUpdateService
-----------AllowNonMicrosoftSignedUpdate
-----------AllowUpdateService
-----------AutoRestartNotificationSchedule
-----------AutoRestartRequiredNotificationDismissal
-----------BranchReadinessLevel
-----------DeferFeatureUpdatesPeriodInDays
-----------DeferQualityUpdatesPeriodInDays
-----------DeferUpdatePeriod
-----------DeferUpgradePeriod
-----------EngagedRestartDeadline
-----------EngagedRestartSnoozeSchedule
-----------EngagedRestartTransitionSchedule
-----------ExcludeWUDriversInQualityUpdate
-----------IgnoreMOAppDownloadLimit
-----------IgnoreMOUpdateDownloadLimit
-----------PauseDeferrals
-----------PauseFeatureUpdates
-----------PauseQualityUpdates
-----------RequireDeferUpgrade
-----------RequireUpdateApproval
-----------ScheduleImminentRestartWarning
-----------ScheduledInstallDay
-----------ScheduledInstallTime
-----------ScheduleRestartWarning
-----------SetAutoRestartNotificationDisable
-----------UpdateServiceUrl
-----------UpdateServiceUrlAlternate
```
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Allows the IT admin (when used with <strong>Update/ActiveHoursStart</strong>) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
<p>Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
<p>The default is 17 (5 PM).
The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p>Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
<p>Supported values are 8-18.
Supported values are 8-18.
<p>The default value is 18 (hours).
The default value is 18 (hours).
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p>Added in Windows 10, version 1607. Allows the IT admin (when used with <strong>Update/ActiveHoursEnd</strong>) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
<p>Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
<p>The default value is 8 (8 AM).
The default value is 8 (8 AM).
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p>Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
<p>If the policy is not configured, end-users get the default behavior (Auto install and restart).
If the policy isn't configured, end users get the default behavior (Auto install and restart).
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Not allowed or not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
@ -221,31 +258,31 @@ The following diagram shows the Update policies in a tree format.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
<p>Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution.
Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer.
<p>This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
<p>Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update.
<p>Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Update service is not allowed.
- 0 Update service isn't allowed.
- 1 (default) Update service is allowed.
> [!NOTE]
@ -257,20 +294,20 @@ The following diagram shows the Update policies in a tree format.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
<p>Supported values are 15, 30, 60, 120, and 240 (minutes).
Supported values are 15, 30, 60, 120, and 240 (minutes).
<p>The default value is 15 (minutes).
The default value is 15 (minutes).
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
<p>The following list shows the supported values:
The following list shows the supported values:
- 1 (default) Auto Dismissal.
- 2 User Dismissal.
@ -280,9 +317,9 @@ The following diagram shows the Update policies in a tree format.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
<p>The following list shows the supported values:
The following list shows the supported values:
- 16 (default) User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB).
@ -291,18 +328,18 @@ The following diagram shows the Update policies in a tree format.
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p>Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
<p>Supported values are 0-180.
Supported values are 0-180.
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
<p>Supported values are 0-30.
Supported values are 0-30.
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
> [!NOTE]
@ -311,13 +348,13 @@ The following diagram shows the Update policies in a tree format.
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
<p>Allows IT Admins to specify update delays for up to four weeks.
Allows IT Admins to specify update delays for up to four weeks.
<p>Supported values are 0-4, which refers to the number of weeks to defer updates.
Supported values are 0-4, which refers to the number of weeks to defer updates.
<p>If the &quot;Specify intranet Microsoft update service location&quot; policy is enabled, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect.
<p>If the Allow Telemetry policy is enabled and the Options value is set to 0, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<table>
<colgroup>
@ -375,76 +412,73 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
<p>Allows IT Admins to specify additional upgrade delays for up to eight months.
Allows IT Admins to enter more upgrade delays for up to eight months.
<p>Supported values are 0-8, which refers to the number of months to defer upgrades.
Supported values are 0-8, which refers to the number of months to defer upgrades.
<p>If the &quot;Specify intranet Microsoft update service location&quot; policy is enabled, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<p>If the &quot;Allow Telemetry&quot; policy is enabled and the Options value is set to 0, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
<p>Supported values are 2-30 days.
Supported values are 2-30 days.
<p>The default value is 0 days (not specified).
The default value is 0 days (not specified).
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
<p>Supported values are 1-3 days.
Supported values are 1-3 days.
<p>The default value is three days.
The default value is three days.
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
<p>Supported values are 2-30 days.
Supported values are 2-30 days.
<p>The default value is seven days.
The default value is seven days.
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p>Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Allow Windows Update drivers.
- 1 Exclude Windows Update drivers.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
<p>Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Do not ignore MO download limit for apps and their updates.
- 0 (default) Don't ignore MO download limit for apps and their updates.
- 1 Ignore MO download limit (allow unlimited downloading) for apps and their updates.
<p>To validate this policy:
To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
@ -456,20 +490,20 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
<p>Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Do not ignore MO download limit for OS updates.
- 0 (default) Don't ignore MO download limit for OS updates.
- 1 Ignore MO download limit (allow unlimited downloading) for OS updates.
<p>To validate this policy:
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
@ -482,26 +516,26 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
<p>Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Deferrals are not paused.
- 0 (default) Deferrals aren't paused.
- 1 Deferrals are paused.
<p>If the &quot;Specify intranet Microsoft update service location&quot; policy is enabled, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<p>If the &quot;Allow Telemetry&quot; policy is enabled and the Options value is set to 0, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p>Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Feature Updates are not paused.
- 0 (default) Feature Updates aren't paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
@ -509,11 +543,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Quality Updates are not paused.
- 0 (default) Quality Updates aren't paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
@ -523,9 +557,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
<p>Allows the IT admin to set a device to CBB train.
Allows the IT admin to set a device to CBB train.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business.
@ -541,38 +575,38 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
<p>Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
<p>Supported values are 15, 30, or 60 (minutes).
Supported values are 15, 30, or 60 (minutes).
<p>The default value is 15 (minutes).
The default value is 15 (minutes).
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Enables the IT admin to schedule the day of the update installation.
Enables the IT admin to schedule the day of the update installation.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Add, Delete, Get, and Replace.
Supported operations are Add, Delete, Get, and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Every day
- 1 Sunday
@ -588,35 +622,35 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Enables the IT admin to schedule the time of the update installation.
Enables the IT admin to schedule the time of the update installation.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Add, Delete, Get, and Replace.
Supported operations are Add, Delete, Get, and Replace.
<p>Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
<p>The default value is 3.
The default value is 3.
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
<p>Supported values are 2, 4, 8, 12, or 24 (hours).
Supported values are 2, 4, 8, 12, or 24 (hours).
<p>The default value is 4 (hours).
The default value is 4 (hours).
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Enabled
- 1 Disabled
@ -626,13 +660,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise.
> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise.
<p>Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
@ -640,43 +674,73 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
Example
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
</Target>
<Data>http://abcd-srv:8530</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
</Target>
<Data>http://abcd-srv:8530</Data>
</Item>
</Replace>
```
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p>Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
<p>This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
<p>To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
<p>Value type is string and the default value is an empty string, &quot;&quot;. If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format.
![provisioning csp update.](images/provisioning-csp-update.png)
```console
./Vendor/MSFT
Update
----ApprovedUpdates
--------Approved Update Guid
------------ApprovedTime
----FailedUpdates
--------Failed Update Guid
------------HResult
------------Status
------------RevisionNumber
----InstalledUpdates
--------Installed Update Guid
------------RevisionNumber
----InstallableUpdates
--------Installable Update Guid
------------Type
------------RevisionNumber
----PendingRebootUpdates
--------Pending Reboot Update Guid
------------InstalledTime
------------RevisionNumber
----LastSuccessfulScanTime
----DeferUpgrade
----Rollback
--------QualityUpdate
--------FeatureUpdate
--------QualityUpdateStatus
--------FeatureUpdateStatus
```
<a href="" id="update"></a>**Update**
The root node.
@ -684,15 +748,17 @@ The root node.
Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
Node for update approvals and EULA acceptance on behalf of the end-user.
Node for update approvals and EULA acceptance for the end user.
> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added.
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
@ -722,7 +788,7 @@ Specifies the approved updates that failed to install on a device.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/**<strong>*Failed Update Guid*</strong>
Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
Supported operation is Get.
@ -747,7 +813,7 @@ UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved.
Supported operation is Get.
@ -798,7 +864,7 @@ Supported operation is Get.
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). You should use these policies for the new Windows 10, version 1607 devices.
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
@ -878,7 +944,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices.
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod
@ -945,5 +1011,16 @@ Set auto update to notify and defer.
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)
![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)
![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)
![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)
![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)
![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)
![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)


@ -1,121 +0,0 @@
---
title: DeviceInstanceService CSP
description: Learn how the DeviceInstanceService configuration service provider (CSP) provides some device inventory information that could be useful for an enterprise.
ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 06/26/2017
---
# DeviceInstanceService CSP
The DeviceInstanceService configuration service provider provides some device inventory information that could be useful for an enterprise. Additionally, this CSP supports querying two different phone numbers in the case of dual SIM. The URIs for SIM 1 and SIM 2 are ./Vendor/MSFT/DeviceInstanceService/Identity/Identity1 and ./Vendor/MSFT/DeviceInstanceService/Identity/Identity2 respectively.
> **Note**  
Stop using DeviceInstanceService CSP and use the updated [DeviceStatus CSP](devicestatus-csp.md) instead.
The DeviceInstance CSP is only supported in Windows 10 Mobile.
The following diagram shows the DeviceInstanceService configuration service provider in tree format.
![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png)
<a href="" id="roaming"></a>**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
Supported operation is **Get**.
Returns **True** if the device is roaming; otherwise **False**.
<a href="" id="phonenumber"></a>**PhoneNumber**
A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imei"></a>**IMEI**
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imsi"></a>**IMSI**
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="identity"></a>**Identity**
The parent node to group per SIM specific information in case of dual SIM mode.
<a href="" id="identity1"></a>**Identity1**
The parent node to group SIM1 specific information in case of dual SIM mode.
<a href="" id="identity2"></a>**Identity2**
The parent node to group SIM2 specific information in case of dual SIM mode.
## Examples
The following sample shows how to query roaming status and phone number on the device.
```xml
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DeviceInstanceService/Roaming</LocURI>
</Target>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DeviceInstanceService/PhoneNumber</LocURI>
</Target>
</Item>
</Get>
```
Response from the phone.
```xml
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source><LocURI>./Vendor/MSFT/DeviceInstanceService/Roaming</LocURI></Source>
<Meta><Format xmlns="syncml:metinf">bool</Format></Meta>
<Data>false</Data>
</Item>
<Item>
<Source><LocURI>./Vendor/MSFT/DeviceInstanceService/PhoneNumber</LocURI></Source>
<Data>+14254458055</Data>
</Item>
</Results>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -17,7 +17,8 @@ ms.date: 06/26/2017
The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server.
> **Note**   The DeviceLock CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
> [!Note]
> For Windows 10 devices, use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
 
@ -30,26 +31,51 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
The following image shows the DeviceLock configuration service provider in tree format.
The following information shows the DeviceLock configuration service provider in tree format.
![devicelock csp.](images/provisioning-csp-devicelock.png)
```console
./Vendor/MSFT
DeviceLock
--------Provider
----------ProviderID
-------------DevicePasswordEnabled
-------------AllowSimpleDevicePassword
-------------MinDevicePasswordLength
-------------AlphanumericDevicePasswordRequired
-------------MaxDevicePasswordFailedAttempts
-------------DevicePasswordExpiration
-------------DevicePasswordHistory
-------------MaxInactivityTimeDeviceLock
-------------MinDevicePasswordComplexCharacters
----------DeviceValue
-------------DevicePasswordEnabled
-------------AllowSimpleDevicePassword
-------------MinDevicePasswordLength
-------------AlphanumericDevicePasswordRequired
-------------MaxDevicePasswordFailedAttempts
-------------DevicePasswordExpiration
-------------DevicePasswordHistory
-------------MaxInactivityTimeDeviceLock
-------------MinDevicePasswordComplexCharacters
```
<a href="" id="provider"></a>**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
<a href="" id="---------------providerid"></a> ***ProviderID***
Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
Optional. The node that contains the configured management server's ProviderID. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
- **Add** - Add the management account to the configuration service provider tree.
- **Delete** - Delete all policies set by this account. This command could be used in enterprise unenrollment for removing policy values set by the enterprise management server.
- **Get** - Return all policies set by the management server.
> **Note**   The value cannot be changed after it is added. The **Replace** command isn't supported.
> [!NOTE]
> The value cannot be changed after it's added. The **Replace** command isn't supported.
 
<a href="" id="providerid-devicepasswordenabled"></a>***ProviderID*/DevicePasswordEnabled**
Optional. An integer value that specifies whether device lock is enabled. Possible values are one of the following:
Optional. An integer value that specifies whether device lock is enabled. Possible values include:
- 0 - Device lock is enabled.
- 1 (default) - Device lock not enabled.
@ -59,7 +85,7 @@ The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-allowsimpledevicepassword"></a>***ProviderID*/AllowSimpleDevicePassword**
Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values for this node are one of the following:
Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values include:
- 0 - Not allowed.
- 1 (default) - Allowed.
@ -76,7 +102,7 @@ Supported operations are Get, Add, and Replace.
<a href="" id="providerid-alphanumericdevicepasswordrequired"></a>***ProviderID*/AlphanumericDevicePasswordRequired**
Optional. An integer value that specifies the complexity of the password or PIN allowed.
Valid values are one of the following:
Possible values include:
- 0 - Alphanumeric password required
- 1 - Users can choose a numeric or alphanumeric password
@ -93,28 +119,28 @@ Deprecated in Windows 10.
Deprecated in Windows 10.
<a href="" id="providerid-maxdevicepasswordfailedattempts"></a>***ProviderID*/MaxDevicePasswordFailedAttempts**
Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device will not be wiped regardless of the number of authentication failures.
Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device won't be wiped, whatever the number of authentication failures.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-maxinactivitytimedevicelock"></a>***ProviderID*/MaxInactivityTimeDeviceLock**
Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it's password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-mindevicepasswordcomplexcharacters"></a>***ProviderID*/MinDevicePasswordComplexCharacters**
Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 4 for mobile and 1 to 3 for desktop. The default value is 1.
Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 3 for Windows client. The default value is 1.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="devicevalue"></a>**DeviceValue**
Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are actually applied to the device. The scope is permanent.
Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are applied to the device. The scope is permanent.
Supported operation is Get.
@ -264,31 +290,21 @@ All node values under the **ProviderID** interior node represent the policy valu
- An **Add** or **Replace** command on those nodes returns success in the following cases:
- The value is actually applied to the device.
- The value is applied to the device.
- The value isn't applied to the device because the device has a more secure value set already.
From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
From a security perspective, the device complies with the policy request that's at least as secure as the one requested.
- A **Get** command on those nodes returns the value the server pushes down to the device.
- If a **Replace** command fails, the node value is set back to the value that was to be replaced.
- If an **Add** command fails, the node is not created.
- If an **Add** command fails, the node isn't created.
The value applied to the device can be queried via the nodes under the **DeviceValue** interior node.
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -15,14 +15,15 @@ ms.date: 11/01/2017
# DMClient CSP
The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
The following shows the DMClient CSP in tree format.
```
The following information shows the DMClient CSP in tree format.
```console
./Vendor/MSFT
DMClient
----Provider
--------
--------ProviderID
------------EntDeviceName
------------ExchangeID
------------EntDMID
@ -45,6 +46,10 @@ DMClient
------------HWDevID
------------ManagementServerAddressList
------------CommercialID
------------ConfigLock
----------------Lock
----------------UnlockDuration
----------------SecureCore
------------Push
----------------PFN
----------------ChannelURI
@ -68,7 +73,7 @@ All the nodes in this CSP are supported in the device context, except for the **
Root node for the CSP.
<a href="" id="updatemanagementserviceaddress"></a>**UpdateManagementServiceAddress**
For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node.
<a href="" id="hwdevid"></a>**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
@ -81,28 +86,31 @@ Required. The root node for all settings that belong to a single management serv
Supported operation is Get.
<a href="" id="provider-providerid"></a>**Provider/**<strong>*ProviderID*</strong>
Required. This node contains the URI-encoded value of the bootstrapped device management accounts Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesnt require XML/URI escaping.
Required. This node contains the URI-encoded value of the bootstrapped device management accounts Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesnt require XML/URI escaping.
Supported operations are Get and Add.
<a href="" id="provider-providerid-entdevicename"></a>**Provider/*ProviderID*/EntDeviceName**
Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
<a href="" id="provider-providerid-entdmid"></a>**Provider/*ProviderID*/EntDMID**
Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
> [!NOTE]
> Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSPs **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSPs **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
<a href="" id="provider-providerid-exchangeid"></a>**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
- A device that's managed by Exchange.
- A device that's natively managed by a dedicated management server.
> [!NOTE]
> In some cases for the desktop, this node will return "not found" until the user sets up their email.
@ -111,7 +119,7 @@ Optional. Character string that contains the unique Exchange device ID used by t
Supported operation is Get.
The following is a Get command example.
The following XML is a Get command example:
```xml
<Get>
@ -124,13 +132,8 @@ The following is a Get command example.
</Get>
```
<a href="" id="provider-providerid-publisherdeviceid"></a>**Provider/*ProviderID*/PublisherDeviceID**
(Only for Windows 10 Mobile.) Optional. The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/&lt;enterprise id&gt;/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises applications, each enterprise is identified differently.
Supported operation is Get.
<a href="" id="provider-providerid-signedentdmid"></a>**Provider/*ProviderID*/SignedEntDMID**
Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Supported operation is Get.
@ -140,57 +143,61 @@ Optional. The time in OMA DM standard time format. This node is designed to redu
Supported operation is Get.
<a href="" id="provider-providerid-managementserviceaddress"></a>**Provider/*ProviderID*/ManagementServiceAddress**
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server.
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server.
> [!NOTE]
> When the **ManagementServerAddressList** value is set, the device ignores the value.
The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;. If there is only a single URL, then the &lt;&gt; are not required. This is supported for both desktop and mobile devices.
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;. If there's only a single URL, then the &lt;&gt; aren't required. This feature is supported on Windows client devices.
During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-upn"></a>**Provider/*ProviderID*/UPN**
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
<a href="" id="provider-providerid-helpphonenumber"></a>**Provider/*ProviderID*/HelpPhoneNumber**
Optional. The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-helpwebsite"></a>**Provider/*ProviderID*/HelpWebsite**
Optional. The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete
<a href="" id="provider-providerid-helpemailaddress"></a>**Provider/*ProviderID*/HelpEmailAddress**
Optional. The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
Optional. The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-requiremessagesigning"></a>**Provider/*ProviderID*/RequireMessageSigning**
Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature.
Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature.
Default value is false, where the device management client does not include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server.
When enabled, the MDM provider should:
- Validate the signature and the timestamp using the device identify certificate enrolled as part of Mobile Device Enrollment protocol (MS-MDE).
- Ensure the certificate and time are valid.
- Verify that the signature is trusted by the MDM provider.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-syncapplicationversion"></a>**Provider/*ProviderID*/SyncApplicationVersion**
Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0.
> [!NOTE]
> This node is only supported in Windows 10 and later.
Once you set the value to 2.0, it will not go back to 1.0.
Once you set the value to 2.0, it won't go back to 1.0.
@ -204,18 +211,18 @@ When you query this node, a Windows 10 client will return 2.0 and a Windows 8.
Supported operation is Get.
<a href="" id="provider-providerid-aadresourceid"></a>**Provider/*ProviderID*/AADResourceID**
Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
<a href="" id="provider-providerid-enableomadmkeepalivemessage"></a>**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.
When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. By default, the MDM client doesn't send an alert that a DM request is pending.
To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information.
To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. Send a SyncML message with a specific device alert element in the body until the client can respond back to the server with the requested information.
Here is an example of DM message sent by the device when it is in pending state:
Here's an example of DM message sent by the device when it's in pending state:
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
@ -262,12 +269,12 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
<a href="" id="provider-providerid-commercialid"></a>**Provider/*ProviderID*/CommercialID**
Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="provider-providerid-managementserveraddresslist"></a>**Provider/*ProviderID*/ManagementServerAddressList**
Added in Windows 10, version 1607. The list of management server URLs in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;, and so on. If there is only one, the angle brackets (&lt;&gt;) are not required.
Added in Windows 10, version 1607. The list of management server URLs in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;, and so on. If there's only one, the angle brackets (&lt;&gt;) aren't required.
> [!NOTE]
> The &lt; and &gt; should be escaped.
@ -290,12 +297,12 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value.
When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.
When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
Supported operations are Get and Replace. Value type is string.
<a href="" id="provider-providerid-managementservertoupgradeto"></a>**Provider/*ProviderID*/ManagementServerToUpgradeTo**
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM server to upgrade to for a Mobile Application Management (MAM) enrolled device.
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@ -306,18 +313,18 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer.
<a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
Supported operations are Get and Add.
There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration.
There are three schedules managed under the Poll node. They enable a rich polling schedule experience to provide greater flexibility in managing the way devices poll the management server. There are various ways that polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules to restore the polling schedules back to a valid configuration.
If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
If there's no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).**
@ -536,80 +543,107 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch
If the device was previously enrolled in MDM with polling schedule configured via registry key values directly, the MDM server that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/&lt;ProviderID&gt;/Poll** node before it sends a Get/Replace command to query or update polling parameters via DMClient CSP
If the device was previously enrolled in MDM with polling schedule configured using the registry key values directly, the MDM provider that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/&lt;ProviderID&gt;/Poll** node before it sends a Get/Replace command to query or update polling parameters using the DMClient CSP
When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all 3 number of retry nodes to 0 because it will cause a configuration failure.
When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure.
<a href="" id="provider-providerid-poll-intervalforfirstsetofretries"></a>**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `/<ProviderID>/Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously utilized the Registry CSP.
The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP.
<a href="" id="provider-providerid-poll-numberoffirstretries"></a>**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10.
Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10.
Supported operations are Get and Replace.
The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously utilized the Registry CSP.
The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously used the Registry CSP.
The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule.
The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. RemainingScheduledRetries is used for the long run device polling schedule.
<a href="" id="provider-providerid-poll-intervalforsecondsetofretries"></a>**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
Optional. The waiting time (in minutes) for the second set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.
Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `/<ProviderID>/Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously utilized the Registry CSP.
The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP.
<a href="" id="provider-providerid-poll-numberofsecondretries"></a>**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
Supported operations are Get and Replace.
The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously utilized the Registry CSP.
The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously used the Registry CSP.
The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
<a href="" id="provider-providerid-poll-intervalforremainingscheduledretries"></a>**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `/<ProviderID>/Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously utilized the Registry CSP.
The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP.
<a href="" id="provider-providerid-poll-numberofremainingscheduledretries"></a>**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
Supported operations are Get and Replace.
The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously utilized the Registry CSP.
The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP.
The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.
The RemainingScheduledRetries is used for the long run device polling schedule.
<a href="" id="provider-providerid-poll-pollonlogin"></a>**Provider/*ProviderID*/Poll/PollOnLogin**
Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-poll-alluserspollonfirstlogin"></a>**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-configlock"></a>**Provider/*ProviderID*/ConfigLock**
Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
Default = Locked
> [!Note]
>If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
<a href="" id="provider-providerid-configlock-lock"></a>**Provider/*ProviderID*/ConfigLock/Lock**
The supported values for this node are 0-unlock, 1-lock.
Supported operations are Add, Delete, Get.
<a href="" id="provider-providerid-configlock-unlockduration"></a>**Provider/*ProviderID*/ConfigLock/UnlockDuration**
The supported values for this node are 1 to 480 (in min).
Supported operations are Add, Delete, Get.
<a href="" id="provider-providerid-configlock-securecore"></a>**Provider/*ProviderID*/ConfigLock/SecureCore**
The supported values for this node are false or true.
Supported operation is Get only.
<a href="" id="provider-providerid-push"></a>**Provider/*ProviderID*/Push**
Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.
Supported operations are Add and Delete.
<a href="" id="provider-providerid-push-pfn"></a>**Provider/*ProviderID*/Push/PFN**
Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-push-channeluri"></a>**Provider/*ProviderID*/Push/ChannelURI**
Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Supported operation is Get.
@ -689,12 +723,12 @@ Optional. Added in Windows 10, version 1703. Specifies the body text of the all
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinkhref"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
Optional. Added in Windows 10, version 1703. Specifies the URL that is shown at the end of the MDM enrollment flow.
Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinktext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that is shown at the end of the MDM enrollment flow.
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@ -702,39 +736,39 @@ Supported operations are Add, Delete, Get, and Replace. Value type is string.
Optional node. Added in Windows 10, version 1709.
<a href="" id="provider-providerid-firstsyncstatus-expectedpolicies"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectednetworkprofiles "></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to provision, delimited by the character L"\xF000".
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmsiapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmodernapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example,
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
``` syntax
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
```
This represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedpfxcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedscepcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@ -744,42 +778,42 @@ Required. Added in Windows 10, version 1709. This node determines how long we wi
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-serverhasfinishedprovisioning"></a>**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-issyncdone"></a>**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-wasdevicesuccessfullyprovisioned"></a>**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-blockinstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
Required. Device Only. Added in Windows 10, version 1803. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available.
Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-allowcollectlogsbutton"></a>**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
Required. Added in Windows 10, version 1803. This node decides whether or not the MDM progress page displays the Collect Logs button.
Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
Supported operations are Get and Replace. Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-customerrortext"></a>**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error.
Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
Supported operations are Add, Get, Delete, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-skipdevicestatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Supported operations are Get and Replace. Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-skipuserstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Supported operations are Get and Replace. Value type is bool.
@ -789,12 +823,12 @@ Required node. Added in Windows 10, version 1709.
Supported operation is Get.
<a href="" id="provider-providerid-enhancedapplayersecurity-securitymode"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
Required. Added in Windows 10, version 1709. This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="provider-providerid-enhancedapplayersecurity-usecertifrevocationcheckoffline"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
Required. Added in Windows 10, version 1709. This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
@ -809,13 +843,13 @@ Required. Added in Windows 10, version 1709. The node contains the secondary cer
Supported operations are Add, Get, Replace, and Delete. Value type is string.
<a href="" id="provider-providerid-unenroll"></a>**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.
Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.
Supported operations are Get and Exec.
Note that &lt;LocURI&gt;./Vendor/MSFT/DMClient/Unenroll&lt;/LocURI&gt; is supported for backward compatibility.
&lt;LocURI&gt;./Vendor/MSFT/DMClient/Unenroll&lt;/LocURI&gt; is supported for backward compatibility.
The following SyncML shows how to remotely unenroll the device. Note that this command should be inserted in the general DM packages sent from the server to the device.
The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device.
```xml
<Exec>
@ -833,17 +867,7 @@ The following SyncML shows how to remotely unenroll the device. Note that this c
</Exec>
```
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -25,26 +25,27 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
> [!Important]
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
- Adding dynamic credentials for OMA Client Provisioning.
- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they are sold.
- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they're sold.
Microsoft recommends that this function is not used to configure the following types of settings.
Microsoft recommends that this function isn't used to configure the following types of settings:
- Security settings that are configured by using CertificateStore, SecurityPolicy, and RemoteWipe, unless they are related to OMA DM or OMA Client Provisioning security policies.
- Security settings that are configured using CertificateStore, SecurityPolicy, and RemoteWipe, unless they're related to OMA DM or OMA Client Provisioning security policies
- Non-cellular data connection settings (such as Hotspot settings).
- File system files and registry settings, unless they are used for OMA DM account management, mobile operator data connection settings, or manufacturing tests.
- File system files and registry settings, unless they're used for OMA DM account management, mobile operator data connection settings, or manufacturing tests
- Email settings.
- Email settings
> **Note**  The **DMProcessConfigXMLFiltered** function has full functionality in Windows 10 Mobile and Windows Phone 8.1, but it has a read-only functionality in Windows 10 desktop.
> [!Note]
> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
@ -63,13 +64,13 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
*pszXmlIn*
<ul>
<li>[in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. <strong>DMProcessConfigXMLFiltered</strong> accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).</li>
<li>[in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. <strong>DMProcessConfigXMLFiltered</strong> accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).</li>
</ul>
<br>
*rgszAllowedCspNode*
<ul>
<li>[in] Array of <strong>WCHAR\</strong>* that specify which configuration service provider nodes are allowed to be invoked.</li>
<li>[in] Array of <strong>WCHAR\</strong>* that specify which configuration service provider nodes can be invoked.</li>
</ul>
<br>
@ -85,11 +86,11 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
</ul>
<br>
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document does not contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
## Return value
Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows the additional error codes that may be returned.
Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows more error codes that can be returned:
<table>
<colgroup>
@ -130,9 +131,9 @@ Returns the standard **HRESULT** value **S\_OK** to indicate success. The follow
## Remarks
The processing of the XML is transactional; either the entire document gets processed successfully or none of the settings are processed. Therefore, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
The processing of the XML is transactional. Either the entire document gets processed successfully, or none of the settings are processed. So, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input .provxml contains the following two settings:
The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input `.provxml` contains the following two settings:
``` XML
<wap-provisioningdoc>
@ -163,9 +164,9 @@ LPCWSTR rgszAllowedCspNodes[] =
};
```
This array of configuration service provider names indicates which .provxml contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* does not contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
This array of configuration service provider names indicates which `.provxml` contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* doesn't contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
The following code sample shows how this array would be passed in. Note that *szProvxmlContent* does not show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
The following code sample shows how this array would be passed in. The *szProvxmlContent* doesn't show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
``` C++
WCHAR szProvxmlContent[] = L"<wap-provisioningdoc>...</wap-provisioningdoc>";


@ -17,13 +17,14 @@ ms.date: 06/26/2017
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
On the desktop, only per user configuration is supported.
> [!Note]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
 
On Windows client, only per user configuration is supported. 
The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
```
The following information shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
```console
./Vendor/MSFT
EMAIL2
----Account GUID
@ -60,9 +61,10 @@ EMAIL2
------------8128000B
------------812C000B
```
In Windows 10 Mobile, after the users out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operators proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords.
After provisioning, the **Start** screen has a tile for the proprietary mail provider and there's also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
Configuration data isn't encrypted when sent over the air (OTA). This is a potential security risk when sending sensitive configuration data, such as passwords.
> [!IMPORTANT]
> All Add and Replace commands need to be wrapped in an Atomic section.
@ -73,7 +75,7 @@ The configuration service provider root node.
Supported operation is Get.
<a href="" id="guid"></a>***GUID***
Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one does not create the new account and Add command will fail in this case.
Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case.
Supported operations are Get, Add, and Delete.
@ -86,14 +88,14 @@ The braces {} around the GUID are required in the EMAIL2 configuration service p
<a href="" id="accounticon"></a>**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added.
<a href="" id="accounttype"></a>**ACCOUNTTYPE**
Required. Specifies the type of account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Valid values are:
@ -104,60 +106,61 @@ Valid values are:
<a href="" id="authname"></a>**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="authrequired"></a>**AUTHREQUIRED**
Optional. Character string that specifies whether the outgoing server requires authentication.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Valid values are one of the following:
Value options:
- 0 - Server authentication is not required.
- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
> **Note**  If this value is not specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
> [!NOTE]
> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
 
<a href="" id="authsecret"></a>**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="domain"></a>**DOMAIN**
Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="dwnday"></a>**DWNDAY**
Optional. Character string that specifies how many days' worth of email should be downloaded from the server.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Valid values are one of the following:
Value options:
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that 7 days worth of email should be downloaded.
- 7: Specifies that seven days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
<a href="" id="inserver"></a>**INSERVER**
Required. Character string that specifies the name of the incoming server name and port number. This is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
Supported operations are Get, Add and Replace.
Supported operations are Get, Add, and Replace.
<a href="" id="linger"></a>**LINGER**
Optional. Character string that specifies the length of time between email send/receive updates in minutes.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Valid values are:
Value options:
- 0 - Email updates must be performed manually.
@ -174,16 +177,16 @@ Optional. Specifies the maximum size for a message attachment. Attachments beyon
The limit is specified in KB
Valid values are 0, 25, 50, 125, and 250.
Value options are 0, 25, 50, 125, and 250.
A value of 0 meaning that no limit will be enforced.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="name"></a>**NAME**
Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the users name. Limited to 255 characters.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="outserver"></a>**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
@ -195,14 +198,15 @@ Supported operations are Get, Add, Delete, and Replace.
<a href="" id="replyaddr"></a>**REPLYADDR**
Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters.
Supported operations are Get, Add, Delete and Replace.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="servicename"></a>**SERVICENAME**
Required. Character string that specifies the name of the email service to create or edit (32 characters maximum).
Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
> [!NOTE]
> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
@ -211,19 +215,19 @@ Required. Character string that specifies the type of email service to create or
Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
> **Note**   The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="retrieve"></a>**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
Valid values are 512, 1024, 2048, 5120, 20480, and 51200.
Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="serverdeleteaction"></a>**SERVERDELETEACTION**
Optional. Character string that specifies how message is deleted on server. Valid values:
Optional. Character string that specifies how message is deleted on server. Value options:
- 1 - delete message on the server
- 2 - keep the message on the server (delete to the Trash folder).
@ -238,7 +242,7 @@ Optional. If this flag is set, the account only uses the cellular network and no
Value type is string. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="syncingcontenttypes"></a>**SYNCINGCONTENTTYPES**
Required. Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar).
Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
- No data (0x0)
- Contacts (0x1)
@ -257,12 +261,12 @@ Required. Specifies a bitmask for which content types are supported for syncing
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="contactsserver"></a>**CONTACTSSERVER**
Optional. Server for contact sync if it is different from the email server.
Optional. Server for contact sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="calendarserver"></a>**CALENDARSERVER**
Optional. Server for calendar sync if it is different from the email server.
Optional. Server for calendar sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
@ -289,38 +293,38 @@ Supported operations are Get, Add, Replace, and Delete.
<a href="" id="smtpaltauthname"></a>**SMTPALTAUTHNAME**
Optional. Character string that specifies the display name associated with the user's alternative SMTP email account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="smtpaltdomain"></a>**SMTPALTDOMAIN**
Optional. Character string that specifies the domain name for the user's alternative SMTP account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="smtpaltenabled"></a>**SMTPALTENABLED**
Optional. Character string that specifies if the user's alternate SMTP account is enabled.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
A value of "FALSE" specifies that the user's alternate SMTP email account is disabled. A value of "TRUE" specifies that the user's alternate SMTP email account is enabled.
A value of "FALSE" means the user's alternate SMTP email account is disabled. A value of "TRUE" means that the user's alternate SMTP email account is enabled.
<a href="" id="smtpaltpassword"></a>**SMTPALTPASSWORD**
Optional. Character string that specifies the password for the user's alternate SMTP account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="tagprops"></a>**TAGPROPS**
Optional. Defines a group of properties with non-standard element names.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="tagprops-8128000b"></a>**TAGPROPS/8128000B**
Optional. Character string that specifies if the incoming email server requires SSL.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Value is one of the following:
Value options:
- 0 - SSL is not required.
- 0 - SSL isn't required.
- 1 - SSL is required.
<a href="" id="tagprops-812c000b"></a>**TAGPROPS/812C000B**
@ -328,49 +332,39 @@ Optional. Character string that specifies if the outgoing email server requires
Supported operations are Get and Replace.
Value is one of the following:
Value options:
- 0 - SSL is not required.
- 0 - SSL isn't required.
- 1 - SSL is required.
## Remarks
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some but not all of the outgoing server credentials parameters are present then the EMAIL2 Configuration Service Provider will be considered in error.
- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details cannot be queried unless the account GUID is known. Currently, there is no way to perform a top-level query for account GUIDs.
- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
Windows 10 Mobile supports Transport Layer Security (TLS), but this cannot be explicitly enabled through this configuration service provider, and the user cannot enable TLS through the UI. If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
1. The device attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the device attempts to connect using deferred SSL.
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device does not attempt another connection.
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection.
4. If the user did not select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, the device enables TLS. TLS is not enabled on connections using SSL or non-SSL.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -1,534 +0,0 @@
---
title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
description: Overview of how to enable offline updates using Microsoft Endpoint Configuration Manager.
ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 06/26/2017
---
# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. There are also situations where network restrictions or other enterprise policies require that devices download updates from an internal location. This article describes how to enable offline updates using Microsoft Endpoint Configuration Manager.
The following table describes the update path to Windows 10 Mobile.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Starting SKU</th>
<th>Upgrade to Windows 10 Mobile</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Windows Mobile 6.5</p></td>
<td><p>No</p></td>
</tr>
<tr class="even">
<td><p>Windows Phone 8</p></td>
<td><p>No</p></td>
</tr>
<tr class="odd">
<td><p>Windows Phone 8.1</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
 
To configure the mobile device management (MDM) service provider and enable mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps:
1. Prepare a test device that can connect to the Internet to download the released update packages.
2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package.
3. Check the status code in the XML file.
4. Check for registry dependencies.
5. Using a script that we provide, parse the XML file to extract download URLs for the update packages.
6. Download the update packages using the download URLs.
7. Place the downloaded packages on an internal share that is accessible to devices you are updating.
8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device.
9. Start the update process from the devices.
As a part of the update process, Windows runs data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings are automatically migrated to Windows 10 as part of the update process. If the handheld device was configured for assigned access lockdown, then this configuration is also migrated to Windows 10 as part of the update process. This includes ProductId and AumId conversion for all internal apps (including buttonremapping apps).
Be aware that the migrators do not take care of the following:
- Third-party apps provided by OEMs.
- Deprecated first-party apps, such as Bing News.
- Deprecated system or application settings, such as Microsoft.Game and Microsoft.IE.
In the event of an Enterprise Reset, these migrated settings are automatically persisted.
After the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset:
1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder.
2. Push down a new ppkg with your new configuration with higher priority. (Be aware that in ICD, Owner=Microsoft, Rank=0 is the lowest priority, and vice versa. With this step, the old assigned access lockdown configuration is overwritten.)
**Requirements:**
- The test device must be same as the other production devices that are receiving the updates.
- The test device must be enrolled with Microsoft Endpoint Configuration Manager.
- The test device must be connected to the Internet.
- The test device must have an SD card with at least 0.5 GB of free space.
- Ensure that the settings app and PhoneUpdate applet are available through Assigned Access.
The following diagram shows a high-level overview of the process.
![update process for windows embedded 8.1 devices.](images/windowsembedded-update.png)
## Step 1: Prepare a test device to download updates from Microsoft Update
Define the baseline update set that you want to apply to other devices. Use a device that is running the most recent image as the test device.
Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager.
**Check for updates manually**
1. On the device, go to **Settings** > **Phone updates** > **Check for updates**.
2. Sync the device, go to **Settings** > **Workplace** > **Enrolled**, and then select the refresh icon. Repeat as needed.
3. Follow the prompts to download the updates, but do not select the **Install** button.
> [!NOTE]
> There is a bug in all OS versions up to GDR2 where the Cloud Solution Provider (CSP) does not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
**Check for updates by using Microsoft Endpoint Configuration Manager**
1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
![device scan using Configuration Manager.](images/windowsembedded-update2.png)
2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
![device scan using Configuration Manager.](images/windowsembedded-update3.png)
3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
![device scan using Configuration Manager.](images/windowsembedded-update4.png)
4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
5. Follow the prompts for downloading the updates, but do not install the updates on the device.
## <a href="" id="step2"></a>Step 2: Retrieve the device update report XML from the device
After updates are downloaded (but not installed on the device), the process generates an XML file that contains information about the packages it downloaded. You must retrieve this XML file.
There are two ways to retrieve this file from the device; one pre-GDR1 and one post-GDR1.
**Pre-GDR1: Parse a compliance log from the device in ConfigMgr**
1. Use ConfigMgr to create a configuration item to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
> [!NOTE]
> In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml, but the process still completes even if the file is large.
If the XML file is greater than 32 KB, you can also use ./Vendor/MSFT/FileSystem/&lt;*filename*&gt;.
2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
The dummy value is not set; it is only used for comparison.
3. After the report XML is sent to the device, Microsoft Endpoint Manager displays a compliance log that contains the report information. The log can contain significant amount of data.
4. Parse this log for the report XML content.
For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-manager-logs).
**Post-GDR1: Retrieve the report xml file using an SD card**
1. Use ConfigMgr to create a configuration item to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard.
2. The value that you define for this configuration item is defined by the relative path to the SD card, which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml).
3. Remove the SD card from device and copy the XML file to your PC.
## Step 3: Check the status code in the XML file
Make sure that the status code is set to 0000-0000 (success).
## Step 4: Check for registry dependencies
Remove any registry dependencies in the XML file.
## Step 5: Extract download URLs from the report XML
Use the [example PowerShell script](#example-powershell-script) to extract the download URLs from the XML file or parse it manually.
## Step 6: Retrieve update packages using download URLs
Use a script or manually download each update package to a PC or an internal share.
## Step 7: Place the update packages on an accessible share
Put all the update packages into an internal share that is accessible to all the devices that need these updates. Ensure that the internal share can support multiple devices trying to access the updates at the same time.
## Step 8: Create two XML files for production devices to select updates and download locations
Here are the two files.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Term</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>DUControlledUpdates.xml</strong></p></td>
<td><p>This is the same file as the report XML retrieved in Step 2 with a different name. This file tells the device the specific update packages to download. See Appendix for example</p>
<p></p></td>
</tr>
<tr class="even">
<td><p><strong>DUCustomContentUris.xml</strong></p></td>
<td><p>This file maps the update packages in DUControlledUpdates.xml to the internal share location.</p></td>
</tr>
</tbody>
</table>
 
For a walkthrough of these steps, see [Deploy controlled updates](#deploy-controlled-updates). Ensure that the Trigger Scan configuration baseline has NOT been deployed.
<a href="" id="deploy-controlled-updates"></a>
### Deploy controlled updates
The deployment process has three parts:
- Create a configuration item for DUControlledUpdates.xml.
- Create a configuration item for DUCustomContentURIs.xml.
- Create a configuration item for approved updates.
<a href="" id="create-ducontrolledupdates"></a>
**Create a configuration item for DUControlledUpdates.xml**
1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
![embedded device update.](images/windowsembedded-update18.png)
2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
![embedded device update.](images/windowsembedded-update19.png)
3. Select **Remediate noncompliant settings**, and then select **OK**.
<a href="" id="create-ducustomcontent"></a>
**Create a configuration item for DUCustomContentURIs.xml**
1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
2. Select **Remediate noncompliant settings**.
![embedded device update.](images/windowsembedded-update21.png)
3. Select **OK**.
<a href="" id="create-config-baseline"></a>
**Create a configuration baseline for approved updates**
1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
![embedded device update.](images/windowsembedded-update22.png)
3. Deploy the configuration baseline to the appropriate device or device collection.
![embedded device update.](images/windowsembedded-update23.png)
4. Select **OK**.
## Step 7: Trigger the other devices to scan, download, and install updates
Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates.
### Update unmanaged devices
If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways:
- A periodic scan that the device automatically performs.
- Manually through **Settings** > **Phone Update** > **Check for Updates**.
### Update managed devices
If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways:
- Trigger the device to scan for updates through Microsoft Endpoint Configuration Manager.
Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline.
> [!NOTE]
> Ensure that the PhoneUpdateRestriction Policy is set to a value of 0 so that the device doesn't perform an automatic scan.
- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager.
After the updates are installed, the IT Admin can use the DUReport generated in the production devices to determine whether the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
<a href="" id="example-script"></a>
## Example PowerShell script
```powershell
param (
# [Parameter (Mandatory=$true, HelpMessage="Input File")]
[String]$inputFile,
# [Parameter (Mandatory=$true, HelpMessage="Download Cache Location")]
[String]$downloadCache,
# [Parameter (Mandatory=$true, HelpMessage="Local Cache URL")]
[String]$localCacheURL
)
#DownloadFiles Function
function DownloadFiles($inputFile, $downloadCache, $localCacheURL)
{
$customContentURIFileCreationError = "Not able to create Custom Content URI File"
#Read the Input File
$report = [xml](Get-Content $inputFile)
# this is where the document will be saved
$customContentURLFile = "$downloadCache\DUCustomContentUris.xml"
New-Item -Path $customContentURLFile -ItemType File -force -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null
if ($NewItemError -ne "")
{
PrintMessageAndExit $customContentURIFileCreationError
}
# get an XMLTextWriter to create the XML
$XmlWriter = New-Object System.XMl.XmlTextWriter($customContentURLFile,$Null)
# choose a pretty formatting:
$xmlWriter.Formatting = 'Indented'
$xmlWriter.Indentation = 1
$XmlWriter.IndentChar = "`t"
# write the header
$xmlWriter.WriteStartDocument()
$xmlWriter.WriteStartElement('CustomContentUrls')
foreach ($update in $report.UpdateData.coreUpdateMetadata.updateSet.update)
{
if (!$update.destinationFilePath -or !$update.contentUrl)
{
continue;
}
$destFilePath = $update.destinationFilePath.Trim();
$contentUrl = $update.contentUrl.Trim();
Write-Host "Pre-Processing Line: $destFilePath#$contentUrl"
if (($destFilePath -ne "") -and ($destFilePath.Contains("\")) -and ($contentUrl -ne "") -and ($contentUrl.Contains("/")) )
{
$isBundle = $update.isBundle
$revisionId = $update.revisionId
$updateId = $update.updateId
$revisionNum = $update.revisionNum
$fileName = $destFilePath.Substring($destFilePath.LastIndexOf("\") + 1);
#Write-Host "Processing Line: $destFilePath#$contentUrl"
if ($fileName -ne "")
{
$destination = $downloadCache + "\" + $fileName;
Try
{
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($contentUrl, $destination)
Write-Host "Successfull Download: $contentUrl#$destination";
$XmlWriter.WriteStartElement('contentUrl')
$XmlWriter.WriteAttributeString('isBundle', $isBundle)
$XmlWriter.WriteAttributeString('revisionId', $revisionId)
$XmlWriter.WriteAttributeString('updateId', $updateId)
$XmlWriter.WriteAttributeString('revisionNum', $revisionNum)
$XmlWriter.WriteRaw($localCacheURL + $fileName)
$xmlWriter.WriteEndElement()
}
Catch [ArgumentNullException]
{
Write-Host "Content URL is null";
}
Catch [WebException]
{
Write-Host "Invalid Content URL: $contentUrl";
}
Catch
{
Write-Host "Exception in Download: $contentUrl";
}
}
else
{
Write-Host "Ignored Input Line: $contentUrl"
}
}
else
{
Write-Host "Ignored Input Line: $contentUrl"
}
}
# close the "CustomContentUrls" node
$xmlWriter.WriteEndElement()
# finalize the document
$xmlWriter.WriteEndDocument()
$xmlWriter.Flush()
$xmlWriter.Close()
Write-Host "Successfully Created Custom Content URL File: $customContentURLFile"
}
#PrintMessage Function
function PrintMessageAndExit($ErrorMessage)
{
Write-Host $ErrorMessage
exit 1
}
#PrintMessage Function
function PrintUsageAndExit()
{
Write-Host "Usage: Download.ps1 -inputFile <InputFilePath> -downloadCache <CachePath> -localCacheURL <URL>"
exit 1
}
if (($inputFile -eq "") -or ($downloadCache -eq "") -or ($localCacheURL -eq ""))
{
PrintUsageAndExit
}
if (!$localCacheURL.EndsWith("/"))
{
$localCacheURL = $localCacheURL + "/";
}
$inputFileErrorString = "Input File does not exist";
$downloadCacheErrorString = "Download Cache does not exist";
$downloadCacheAddError = "Access Denied in creating the Download Cache Folder";
$downloadCacheRemoveError = "Not able to delete files from Download Cache"
$downloadCacheClearWarningString = "Download Cache not empty. Do you want to Clear";
#Check if Input File Exist
$inputFileExists = Test-Path $inputFile;
if(!$inputFileExists)
{
PrintMessageAndExit($inputFileErrorString)
}
#Check if Download Cache Exist
$downloadCacheExists = Test-Path $downloadCache;
if(!$downloadCacheExists)
{
PrintMessageAndExit($downloadCacheErrorString)
}
$downloadCacheFileCount = (Get-ChildItem $downloadCache).Length;
if ($downloadCacheFileCount -ne 0)
{
#Clear the directory
Remove-Item $downloadCache -Recurse -Force -Confirm -ErrorVariable RemoveItemError -ErrorAction SilentlyContinue > $null
if ($RemoveItemError -ne "")
{
PrintMessageAndExit $downloadCacheRemoveError
}
$childItem = Get-ChildItem $downloadCache -ErrorAction SilentlyContinue > $null
$downloadCacheFileCount = ($childItem).Length;
if ($downloadCacheFileCount -ne 0)
{
PrintMessageAndExit $downloadCacheRemoveError
}
#Create a new directory
New-Item -Path $downloadCache -ItemType Directory -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null
if ($NewItemError -ne "")
{
PrintMessageAndExit $downloadCacheAddError
}
}
DownloadFiles $inputFile $downloadCache $localCacheURL
```
<a href="" id="how-to-retrieve"></a>
## Retrieve a device update report using Microsoft Endpoint Manager logs
**For pre-GDR1 devices**
Use this procedure for pre-GDR1 devices:
1. Trigger a device scan by going to **Settings** > **Phone Update** > **Check for Updates**.
Since the DUReport settings have not been remedied, you should see a non-compliance.
2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
3. Select **Create Configuration Item**.
![device update using Configuration Manager.](images/windowsembedded-update5.png)
4. Enter a filename (such as GetDUReport), and then select **Mobile Device**.
5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
![device update using Configuration Manager.](images/windowsembedded-update6.png)
6. On the **Additional Settings** page, select **Add**.
![device update using Configuration Manager.](images/windowsembedded-update7.png)
7. On the **Browse Settings** page, select **Create Setting**.
![device update.](images/windowsembedded-update8.png)
8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
![handheld device update.](images/windowsembedded-update9.png)
10. On the **Browse Settings** page, select **Close**.
11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
![embedded device update.](images/windowsembedded-update10.png)
12. Close the **Create Configuration Item Wizard** page.
13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
15. Enter a dummy value (such as zzz) that is different from the one on the device.
![embedded device update.](images/windowsembedded-update11.png)
16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
17. Select **OK** to close the **Edit Rule** page.
18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
19. Select **Create Configuration Item**.
![embedded device update.](images/windowsembedded-update12.png)
20. Enter a baseline name (such as RetrieveDUReport).
21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
![embedded device update.](images/windowsembedded-update13.png)
22. Select **OK**, and then select **OK** again to complete the configuration baseline.
23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
![embedded device update.](images/windowsembedded-update14.png)
24. Select **Remediate noncompliant rules when supported**.
25. Select the appropriate device collection and define the schedule.
![device update.](images/windowsembedded-update15.png)
26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
![device update.](images/windowsembedded-update16.png)
29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
![device update.](images/windowsembedded-update17.png)
30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
 

@ -5,8 +5,8 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 06/02/2021
author: dansimp
ms.date: 10/14/2021
ms.reviewer:
manager: dansimp
---
@ -214,7 +214,7 @@ Requirements:
If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain.
6. Wait for the SYSVOL DFSR replication to be completed and then restart the Domain Controller for the policy to be available.
6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
This procedure will work for any future version as well.
@ -289,6 +289,10 @@ To collect Event Viewer logs:
- [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
- [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
- [Getting started with Cloud Native Windows Endpoints](https://docs.microsoft.com/mem/cloud-native-windows-endpoints)
- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)

@ -1,6 +1,6 @@
---
title: Enterprise app management
description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99
ms.reviewer:
manager: dansimp
@ -14,7 +14,7 @@ ms.date: 10/04/2021
# Enterprise app management
This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. It is the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
## Application management goals
@ -26,32 +26,129 @@ Windows 10 offers the ability for management servers to:
- Inventory all apps for a user (Store and non-Store apps)
- Inventory all apps for a device (Store and non-Store apps)
- Uninstall all apps for a user (Store and non-Store apps)
- Provision apps so they are installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Remove the provisioned app on the device running Windows 10 for desktop editions
## Inventory your apps
Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications:
Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
- nonStore - Apps that were not acquired from the Microsoft Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
- nonStore - Apps that weren't acquired from the Microsoft Store.
- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
The following information shows the EnterpriseModernAppManagement CSP in a tree format:
![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png)
```console
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
EnterpriseAppManagement
----AppManagement
--------UpdateScan
--------LastScanError
--------AppInventoryResults
--------AppInventoryQuery
--------RemovePackage
--------AppStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemovable
----------ReleaseManagement
------------ReleaseManagementKey
--------------ChannelId
--------------ReleaseId
--------------EffectiveRelease
-----------------ChannelId
-----------------ReleaseId
--------nonStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
--------System
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
----AppInstallation
--------PackageFamilyName
----------StoreInstall
----------HostedInstall
----------LastError
----------LastErrorDesc
----------Status
----------ProgressStatus
----AppLicenses
--------StoreLicenses
----------LicenseID
------------LicenseCategory
------------LicenseUsage
------------RequesterID
------------AddLicense
------------GetLicenseFromStore
```
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
Inventory can be performed recursively at any level from the AppManagement node through the package full name. Inventory can also be performed only for a specific inventory attribute.
Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute.
Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name.
> [!NOTE]
> On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name.
Here are the nodes for each package full name:
- Name
@ -72,11 +169,11 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](
### App inventory
You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
Note that performing a full inventory of a device can be resource intensive on the client based on the hardware and number of apps that are installed. The data returned can also be very large. You may want to chunk these requests to reduce the impact to clients and network traffic.
Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic.
Here is an example of a query for all apps on the device.
Here's an example of a query for all apps on the device.
```xml
<!-- Get all apps under AppManagement -->
@ -90,7 +187,7 @@ Here is an example of a query for all apps on the device.
</Get>
```
Here is an example of a query for a specific app for a user.
Here's an example of a query for a specific app for a user.
```xml
<!-- Get all information of a specific app for a user -->
@ -106,7 +203,7 @@ Here is an example of a query for a specific app for a user.
### Store license inventory
You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
Here are the nodes for each license ID:
@ -119,7 +216,7 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](
> [!NOTE]
> The LicenseID in the CSP is the content ID for the license.
Here is an example of a query for all app licenses on a device.
Here's an example of a query for all app licenses on a device.
```xml
<!-- Get all app licenses for the device -->
@ -133,7 +230,7 @@ Here is an example of a query for all app licenses on a device.
</Get>
```
Here is an example of a query for all app licenses for a user.
Here's an example of a query for all app licenses for a user.
```xml
<!-- Get a specific app license for a user -->
@ -149,13 +246,13 @@ Here is an example of a query for all app licenses for a user.
## Enable the device to install non-Store apps
There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
### Unlock the device for non-Store apps
To deploy app that are not from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
@ -191,13 +288,13 @@ Here are some examples.
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device.
Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
Here is an example.
Here's an example.
```xml
<!-- Get policy (Default)-->
@ -227,20 +324,20 @@ Here is an example.
## Install your apps
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
To deploy an app to a user directly from the Microsoft Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
To deploy an app to a user directly from the Microsoft Store, the management server runs an Add and Exec command on the AppInstallation node of the EnterpriseModernAppManagement CSP. This feature is only supported in the user context, and not supported in the device context.
If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Microsoft Store.
If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store.
Here are the requirements for this scenario:
- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server.
- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
- The device requires connectivity to the Microsoft Store.
- Microsoft Store services must be enabled on the device. Note that the UI for the Microsoft Store can be disabled by the enterprise admin.
- The user must be signed in with their AAD identity.
- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
- The user must be signed in with their Azure AD identity.
Here are some examples.
@ -264,9 +361,9 @@ Here are the changes from the previous release:
1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
2. The value for flags can be "0" or "1"
When using "0" the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1" the management tool does not call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
3. The skuid is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user
@ -276,10 +373,10 @@ The app license only needs to be deployed as part of the initial installation of
In the SyncML, you need to specify the following information in the Exec command:
- License ID - This is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
- License Content - This is specified in the data section. The License Content is the Base64 encoded blob of the license.
- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license.
Here is an example of an offline license installation.
Here's an example of an offline license installation.
```xml
<Exec>
@ -305,15 +402,15 @@ Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled.
- The user must be logged in, but association with AAD identity is not required.
- The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled.
- The user must be logged in, but association with Azure AD identity isn't required.
> [!NOTE]
> You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
Here is an example of a line-of-business app installation.
Here's an example of a line-of-business app installation.
```xml
<!-- Add PackageFamilyName -->
@ -340,7 +437,7 @@ Here is an example of a line-of-business app installation.
</Exec>
```
Here is an example of an app installation with dependencies.
Here's an example of an app installation with dependencies.
```xml
<!-- Add PackageFamilyName -->
@ -374,7 +471,7 @@ Here is an example of an app installation with dependencies.
</Exec>
```
Here is an example of an app installation with dependencies and optional packages.
Here's an example of an app installation with dependencies and optional packages.
```xml
<!-- Add PackageFamilyName -->
@ -416,23 +513,23 @@ Here is an example of an app installation with dependencies and optional package
### Provision apps for all users of a device
Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This is only supported for app purchased from the Store for Business and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device does not need to have connectivity to the Microsoft Store, or store services enabled.
- The device does not need any AAD identity or domain membership.
- The device doesn't need to have connectivity to the Microsoft Store, or store services enabled.
- The device doesn't need any Azure AD identity or domain membership.
- For nonStore app, your device must be unlocked.
- For Store offline apps, the required licenses must be deployed prior to deploying the apps.
- For Store offline apps, the required licenses must be deployed before deploying the apps.
To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
To provision app for all users of a device from a hosted location, the management server runs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
> [!NOTE]
> When you remove the provisioned app, it will not remove it from the users that already installed the app.
Here is an example of app installation.
Here's an example of app installation.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
@ -464,12 +561,12 @@ Here is an example of app installation.
The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML:
- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPs location.
- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location.
- Dependencies can be specified if required to be installed with the package. This is optional.
The DeploymentOptions parameter is only available in the user context.
Here is an example of app installation with dependencies.
Here's an example of app installation with dependencies.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
@ -508,22 +605,22 @@ Here is an example of app installation with dependencies.
### Get status of app installations
When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here is the list of information you can get back in the query:
When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query:
- Status - indicates the status of app installation.
- NOT\_INSTALLED (0) - The node was added, but the execution was not completed.
- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success this value is updated.
- NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear.
- LastError - This is the last error reported by the app deployment server.
- INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
- LastError - The last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
- Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress.
- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress.
Status is not available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node.
Here is an example of a query for a specific app installation.
Here's an example of a query for a specific app installation.
```xml
<!-- Get all app status under AppInstallation for a specific app-->
@ -537,7 +634,7 @@ Here is an example of a query for a specific app installation.
</Get>
```
Here is an example of a query for all app installations.
Here's an example of a query for all app installations.
```xml
<!-- Get all app status under AppInstallation-->
@ -553,9 +650,9 @@ Here is an example of a query for all app installations.
### Alert for installation completion
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
Application installations can take some time to complete. So, they're done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
Here is an example of an alert.
Here's an example of an alert.
```xml
<Alert>
@ -576,10 +673,10 @@ Here is an example of an alert.
For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path.
The Data field value of 0 (zero) indicates success, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node.
The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node.
> [!NOTE]
> At this time, the alert for Store app installation is not yet available.
> At this time, the alert for Store app installation isn't yet available.
## Uninstall your apps
@ -587,12 +684,12 @@ The Data field value of 0 (zero) indicates success, otherwise it is an error cod
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
- nonStore - These apps that were not acquired from the Microsoft Store.
- System - These apps are part of the OS. You cannot uninstall these apps.
- nonStore - These apps that weren't acquired from the Microsoft Store.
- System - These apps are part of the OS. You can't uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name.
Here is an example for uninstalling all versions of an app for a user.
Here's an example for uninstalling all versions of an app for a user.
```xml
<!-- Uninstall App for a Package Family-->
@ -606,7 +703,7 @@ Here is an example for uninstalling all versions of an app for a user.
</Delete>
```
Here is an example for uninstalling a specific version of the app for a user.
Here's an example for uninstalling a specific version of the app for a user.
```xml
<!-- Uninstall App for a specific package full name-->
@ -622,7 +719,7 @@ Here is an example for uninstalling a specific version of the app for a user.
### Removed provisioned apps from a device
You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users.
You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them will continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users.
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
@ -630,7 +727,7 @@ You can remove provisioned apps from a device for a specific version or for all
Removing provisioned app occurs in the device context.
Here is an example for removing a provisioned app from a device.
Here's an example for removing a provisioned app from a device.
```xml
<!— Remove Provisioned App for a Package Family-->
@ -644,7 +741,7 @@ Here is an example for removing a provisioned app from a device.
</Delete>
```
Here is an example for removing a specific version of a provisioned app from a device:
Here's an example for removing a specific version of a provisioned app from a device:
```xml
<!-- Remove Provisioned App for a specific package full name-->
@ -662,7 +759,7 @@ Here is an example for removing a specific version of a provisioned app from a d
You can remove app licenses from a device per app based on the content ID.
Here is an example for removing an app license for a user.
Here's an example for removing an app license for a user.
```xml
<!-- Remove App License for a User-->
@ -676,7 +773,7 @@ Here is an example for removing an app license for a user.
</Delete>
```
Here is an example for removing an app license for a provisioned package (device context).
Here's an example for removing an app license for a provisioned package (device context).
```xml
<!-- Remove App License for a provisioned package (device) -->
@ -692,11 +789,11 @@ Here is an example for removing an app license for a provisioned package (device
### Alert for app uninstallation
Uninstallation of an app can take some time complete, hence the uninstallation is performed asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
For user-based uninstallation, use ./User in the LocURI, and for provisioning, use ./Device in the LocURI.
Here is an example. There is only one uninstall for hosted and store apps.
Here's an example. There's only one uninstall for hosted and store apps.
```xml
<Alert>
@ -722,7 +819,7 @@ Apps installed on a device can be updated using the management server. Apps can
To update an app from Microsoft Store, the device requires contact with the store services.
Here is an example of an update scan.
Here's an example of an update scan.
```xml
<!— Initiate a update scan for a user-->
@ -736,7 +833,7 @@ Here is an example of an update scan.
</Exec>
```
Here is an example of a status check.
Here's an example of a status check.
```xml
<!— Get last error related to the update scan-->
@ -760,11 +857,11 @@ A provisioned app automatically updates when an app update is sent to the user.
### Prevent app from automatic updates
You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
You can prevent specific apps from being automatically updated. This feature allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
Turning off updates only applies to updates from the Microsoft Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
Turning off updates only applies to updates from the Microsoft Store at the device level. This feature isn't available at a user level. You can still update an app if the offline packages are pushed from hosted install location.
Here is an example.
Here's an example.
```xml
<!— Prevent app from being automatically updated-->
@ -782,96 +879,24 @@ Here is an example.
</Replace>
```
## Additional app management scenarios
## More app management scenarios
The following subsections provide information about additional settings configurations.
### Restrict app installation to the system volume
You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md).
> [!NOTE]
> This is only supported in mobile devices.
Here is an example.
```xml
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppToSystemVolume?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
### Restrict AppData to the system volume
In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved.
> [!NOTE]
> The feature is only for Windows 10 Mobile.
The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1.
Here is an example.
```xml
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppDataToSystemVolume?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
The following subsections provide information about more settings configurations.
### Enable shared user app data
The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device.
The Universal Windows app can share application data between the users of the device. The ability to share data can be set at a package family level or per device.
> [!NOTE]
> This is only applicable to multi-user devices.
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
If you disable this policy, applications cannot share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there is any shared data, and /Remove-SharedAppxData to remove it).
If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
The valid values are 0 (off, default value) and 1 (on).
Here is an example.
Here's an example.
```xml
<!-- Get policy (Default)-->


@ -21,9 +21,35 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
The following shows the EnterpriseAppManagement configuration service provider in tree format.
![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png)
```console
./Vendor/MSFT
EnterpriseAppManagement
----EnterpriseID
--------EnrollmentToken
--------StoreProductID
--------StoreUri
--------CertificateSearchCriteria
--------Status
--------CRLCheck
--------EnterpriseApps
------------Inventory
----------------ProductID
--------------------Version
--------------------Title
--------------------Publisher
--------------------InstallDate
------------Download
----------------ProductID
--------------------Version
--------------------Name
--------------------URL
--------------------Status
--------------------LastError
--------------------LastErrorDesc
--------------------DownloadInstall
```
<a href="" id="enterpriseid"></a>***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.


@ -19,8 +19,7 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
> **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile).
For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile).
The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
```


@ -62,6 +62,36 @@ Required. Indicates whether this eUICC is physically present and active. Updated
Supported operation is Get. Value type is boolean.
<a href="" id="euicc-ppr1allowed"></a>**_eUICC_/PPR1Allowed**
Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed.
Supported operation is Get. Value type is boolean.
<a href="" id="euicc-ppr1alreadyset"></a>**_eUICC_/PPR1AlreadySet**
Required. Indicates whether the eUICC already has a profile with PPR1.
Supported operation is Get. Value type is boolean.
<a href="" id="euicc-downloadservers"></a>**_eUICC_/DownloadServers**
Interior node. Represents default SM-DP+ discovery requests.
Supported operation is Get.
<a href="" id="euicc-downloadservers-servername"></a>**_eUICC_/DownloadServers/_ServerName_**
Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.
Supported operations are Add, Get, and Delete.
<a href="" id="euicc-downloadservers-servername-discoverystate"></a>**_eUICC_/DownloadServers/_ServerName_/DiscoveryState**
Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
Supported operation is Get. Value type is integer. Default value is 1.
<a href="" id="euicc-downloadservers-servername-autoenable"></a>**_eUICC_/DownloadServers/_ServerName_/AutoEnable**
Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created.
Supported operations are Add, Get, and Replace. Value type is bool.
<a href="" id="euicc-profiles"></a>**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.
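Review bot: The new PPR1Allowed entry opens with `Profile Policy Rule 1 (PPR1) is required.`, which reads as a statement about the rule itself rather than the `Required.`/`Optional.` marker every neighbouring node uses (PPR1AlreadySet, DownloadServers/ServerName, Profiles); I would change it to `Required. Indicates whether the download of a profile with PPR1 is allowed. …`. The AutoEnable entry says `Value type is bool.` while the surrounding nodes say `Value type is boolean.`, so one spelling should be used throughout. The DownloadServers/ServerName entry lists the supported operations as `Add, Get, and Delete`, but the eUICCs DDF changed in this same commit grants that node Add, Delete, Get and Replace; either the markdown should include Replace or the Replace access should be removed from the DDF if it was not intended. The hunk ends before the Profiles subsections, so any matching wording there is outside this view.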


@ -49,7 +49,7 @@ The XML below if for Windows 10, version 1803.
<CIS />
</CaseSense>
<DFType>
<MIME>com.microsoft/1.1/MDM/eUICCs</MIME>
<MIME>com.microsoft/1.2/MDM/eUICCs</MIME>
</DFType>
</DFProperties>
<Node>
@ -58,7 +58,7 @@ The XML below if for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.</Description>
<Description>Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC.</Description>
<DFFormat>
<node />
</DFFormat>
@ -79,7 +79,7 @@ The XML below if for Windows 10, version 1803.
<AccessType>
<Get />
</AccessType>
<Description>Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID.</Description>
<Description>The EID.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -118,6 +118,139 @@ The XML below if for Windows 10, version 1803.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PPR1Allowed</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PPR1AlreadySet</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Indicates whether the eUICC already has a profile with PPR1.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DownloadServers</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Represents default SM-DP+ discovery requests.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ServerName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DiscoveryState</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AutoEnable</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Profiles</NodeName>
<DFProperties>
@ -145,6 +278,7 @@ The XML below if for Windows 10, version 1803.
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).</Description>
<DFFormat>
@ -167,6 +301,7 @@ The XML below if for Windows 10, version 1803.
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.</Description>
<DFFormat>
@ -192,6 +327,7 @@ The XML below if for Windows 10, version 1803.
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.</Description>
<DFFormat>
@ -256,6 +392,70 @@ The XML below if for Windows 10, version 1803.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PPR1Set</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise).</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PPR2Set</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise).</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ErrorDetail</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
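Review bot: The `<Description>` rewrites in the `@ -58` and `@ -79` hunks make the eUICC subtree name the EID itself, where the previous text allowed an implementation-specific name such as a hash of the EID, but nothing in the DDF records that this is a behaviour change or how a management server that already addresses the subtree by the old name is expected to cope; the MIME bump to `com.microsoft/1.2/MDM/eUICCs` in the first hunk suggests it is meant as a versioned change, so I would state that in the description, e.g. `Starting with version 1.2 the node name is the EID; earlier versions used an implementation-specific name.` Because the EID is a permanent identifier of the eUICC, the description could also note that it is now visible verbatim to any caller with Get access on this tree. In the `@ -256` hunk the PPR1Set and PPR2Set descriptions use a double negative (`whether disabling of this profile is not allowed (true if not allowed, false otherwise)`); `true when the profile cannot be disabled` and `true when the profile cannot be deleted` read more plainly. The `ErrorDetail` enumeration in the same hunk skips the values 2, 4 and 9; if those are reserved, the description should say so rather than leave a reader unsure whether the list is incomplete.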


@ -22,9 +22,16 @@ The FileSystem configuration service provider is used to query, add, modify, and
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png)
```console
./Vendor/MSFT
FileSystem
----file name
----file directory
--------file name
--------file directory
```
<a href="" id="filesystem"></a>**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.


@ -8,25 +8,470 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 06/26/2017
author: dansimp
ms.date:
---
# Device HealthAttestation CSP
The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions.
The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions.
The following is a list of functions performed by the Device HealthAttestation CSP:
- Collects device boot logs, TPM audit trails and the TPM certificate (DHA-BootData) from a managed device
- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device
- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service)
- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data
- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
## Terms
## Windows 11 Device health attestation
Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation.
The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device.
### Terms
**TPM (Trusted Platform Module)**
<p>TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.</p>
**DHA (Device HealthAttestation) feature**
<p>The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.</p>
**MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**
<p>The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.</p>
**MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**
<p>The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.</p>
<p>The following list of operations is performed by MAA-CSP:</p>
<ul>
<li>Receives attestation trigger requests from a HealthAttestation enabled MDM provider.</li>
<li>The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device.</li>
<li>Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider.</li>
<li>Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.</li>
</ul>
**MAA endpoint**
Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint.
**JWT (JSON Web Token)**
JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
### Attestation Flow with Microsoft Azure Attestation Service
![Attestation Flow with Microsoft Azure Attestation Service](./images/maa-attestation-flow.png)
<br>
<p>Attestation flow can be broadly in three main steps:</p>
<ul>
<li>An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.</li>
<li>The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.</li>
<li>The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.</li>
</ul>
The protocol implemented can be found here: <a href="/azure/attestation/virtualization-based-security-protocol" id="attestationprotocol"> Attestation Protocol</a>.
### Configuration Service Provider Nodes
Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service.
```
./Vendor/MSFT
HealthAttestation
----...
----TriggerAttestation |
----AttestStatus | Added in Windows 11
----GetAttestReport |
----GetServiceCorrelationIDs |
----VerifyHealth
----Status
----ForceRetrieve
----Certificate
----Nonce
----CorrelationID
----HASEndpoint
----TpmReadyStatus
----CurrentProtocolVersion
----PreferredMaxProtocolVersion
----MaxSupportedProtocolVersion
```
<a href="" id="healthattestation"></a>**./Vendor/MSFT/HealthAttestation**
<p>The root node for the device HealthAttestation configuration service provider.</p>
<a href="" id="triggerAttestation"></a>**TriggerAttestation** (Required)
<p>Node type: EXECUTE
This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned.
</p>
<p>Templated SyncML Call:</p>
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>VERIFYHEALTHV2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/HealthAttestation/TriggerAttestation
</LocURI>
</Target>
<Data>
{
rpID : "rpID", serviceEndpoint : “MAA endpoint”,
nonce : “nonce”, aadToken : “aadToken”, "cv" : "CorrelationVector"
}
</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
<p>Data fields:</p>
<ul>
<li>rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.</li>
<li>serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.</li>
<li>nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.</li>
<li>aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.</li>
<li>cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.</li>
</ul>
<p>Sample Data:</p>
```json
<Data>
{
"rpid" : "https://www.contoso.com/attestation",
"endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01",
"nonce" : "5468697320697320612054657374204e6f6e6365",
"aadToken" : "dummytokenstring",
"cv" : "testonboarded"
}
</Data>
```
<a href="" id="AttestStatus"></a>**AttestStatus**
<p>Node type: GET
This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step.
The status is always cleared prior to making the attest service call.
</p>
<p>Templated SyncML Call:</p>
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<Item>
<Target>
<LocURI>
./Device/Vendor/MSFT/HealthAttestation/AttestStatus
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<p>Sample Data:</p>
```
If Successful: 0
If Failed: A corresponding HRESULT error code
Example: 0x80072efd, WININET_E_CANNOT_CONNECT
```
<a href="" id="getAttestReport"></a>**GetAttestReport**
<p>Node type: GET
This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store.
</p>
<p>Templated SyncML Call:</p>
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<Item>
<Target>
<LocURI>
./Device/Vendor/MSFT/HealthAttestation/GetAttestReport
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<p>Sample data:</p>
```
If Success:
JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc
If failed:
Previously cached report if available (the token may have already expired per the attestation policy).
OR Sync ML 404 error if not cached report available.
```
<a href="" id="getServiceCorrelationIDs"></a>**GetServiceCorrelationIDs**
<p>Node type: GET
This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by “;” in the string.
</p>
<p>Templated SyncML Call:</p>
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<Item>
<Target>
<LocURI>
./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<p>Sample data:</p>
> If success:
> GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM
> If Trigger Attestation call failed and no previous data is present. The field remains empty.
> Otherwise, the last service correlation id will be returned. In a successful attestation there are two
> calls between client and MAA and for each call the GUID is separated by semicolon.
> **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported.
### MAA CSP Integration Steps
<ol>
<li>Set up a MAA provider instance:<br>
MAA instance can be created following the steps here <a href="/azure/attestation/quickstart-portal" id="quickstartsetup">Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.</a></li>
<br><li>Update the provider with an appropriate policy:<br>
The MAA instance should be updated with an appropriate policy. <a href="/azure/attestation/claim-rule-grammar" id="policy">How to author an Azure Attestation policy | Microsoft Docs</a>
<br>A Sample attestation policy:
```
version=1.2;
configurationrules{
};
authorizationrules {
=> permit();
};
issuancerules{
// SecureBoot enabled
c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
// Retrieve bool properties
c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
// Bitlocker Boot Status, The first non zero measurement or zero.
c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));
[type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
// Elam Driver (windows defender) Loaded
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
[type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
// Boot debugging
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
// Kernel Debugging
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
// DEP Policy
c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
![type=="depPolicy"] => issue(type="depPolicy", value=0);
// Test Signing
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
// Flight Signing
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
// VSM enabled
c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
// HVCI
c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
// IOMMU
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
// Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
// Find the first EV_SEPARATOR in PCR 12, 13, Or 14
c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");
// Find the first EVENT_APPLICATION_SVN.
c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
// The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN
c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
// OS Rev List Info
c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
// Safe mode
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
// Win PE
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
// CI Policy
c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
// Secure Boot Custom Policy
c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
// Find the first EV_SEPARATOR in PCR 12, 13, Or 14
c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present
//Finding the Boot App SVN
// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));
// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12.
c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
// Finding the Boot Rev List Info
c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
};
```
</li>
<br><li>Call TriggerAttestation with your rpid, AAD token and the attestURI:<br>
Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Attestation) | Microsoft Docs</li>
<br><li>Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:<br>
GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy.
<br>
```json
{
"typ": "JWT",
"alg": "RS256",
"x5c": [
"MIIE.....=",
"MIIG.....=",
"MIIF.....="
],
"kid": "8FUer20z6wzf1rod044wOAFdjsg"
}.{
"nbf": 1633664812,
"exp": 1634010712,
"iat": 1633665112,
"iss": "https://contosopolicy.eus.attest.azure.net",
"jti": "2b63663acbcafefa004d20969991c0b1f063c9be",
"ver": "1.0",
"x-ms-ver": "1.0",
"rp_data": "AQIDBA",
"nonce": "AQIDBA",
"cnf": {
"jwk": {
"kty": "RSA",
"n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ",
"e": "AQAB"
}
},
"x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0",
"WindowsDefenderElamDriverLoaded": true,
"bitlockerEnabled": true,
"bitlockerEnabledValue": 4,
"bootAppSvn": 1,
"bootDebuggingDisabled": true,
"bootMgrSvn": 1,
"bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw",
"codeIntegrityEnabled": true,
"codeIntegrityPolicy": [
"AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk",
"AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o",
"AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI",
"AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc",
"AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM"
],
"depPolicy": 0,
"flightSigningNotEnabled": false,
"hvciEnabled": true,
"iommuEnabled": true,
"notSafeMode": true,
"notWinPE": true,
"osKernelDebuggingDisabled": true,
"osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA",
"secureBootEnabled": true,
"testSigningDisabled": true,
"vbsEnabled": true
}.[Signature]
```
</li>
</ol>
### Learn More
More information about TPM attestation can be found here: [Microsoft Azure Attestation](/azure/attestation/).
## Windows 10 Device HealthAttestation
### Terms
**TPM (Trusted Platform Module)**
<p>TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing. </p>
<p>TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. </p>
**DHA (Device HealthAttestation) feature**
<p>The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.</p>
@ -59,10 +504,10 @@ The following is a list of functions performed by the Device HealthAttestation C
<strong>DHA session data (Device HealthAttestation session data)</strong>
<p>The following list of data is produced or consumed in one DHA-Transaction:</p>
<ul>
<li>DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.</li>
<li>DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health.</li>
<li>DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.</li>
<li>DHA-SignedBlob: it is a signed snapshot of the current state of a devices runtime that is captured by DHA-CSP at device health attestation time.</li>
<li>DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has 2 parts:
<li>DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
<ul>
<li>DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service</li>
<li>DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP</li>
@ -96,7 +541,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<strong>DHA-Service (Device HealthAttestation Service)</strong>
<p>Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.</p>
<p>DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.</p>
<p>DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.</p>
<p>The following list of operations is performed by DHA-Service:</p>
- Receives device boot data (DHA-BootData) from a DHA-Enabled device</li>
@ -173,7 +618,7 @@ The following is a list of functions performed by the Device HealthAttestation C
</tbody>
</table>
## CSP diagram and node descriptions
### CSP diagram and node descriptions
The following shows the Device HealthAttestation configuration service provider in tree format.
@ -205,12 +650,12 @@ HealthAttestation
<p>The supported operation is Get.</p>
<p>The following list shows some examples of supported values. For the complete list of status see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
<p>The following list shows some examples of supported values. For the complete list of status, see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
<a href="" id="forceretrieve"></a>**ForceRetrieve** (Optional)
<p>Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</p>
@ -220,7 +665,7 @@ HealthAttestation
<a href="" id="certificate"></a>**Certificate** (Required)
<p>Instructs the DHA-CSP to forward DHA-Data to the MDM server.</p>
<p>Value type is b64.The supported operation is Get.</p>
<p>Value type is b64. The supported operation is Get.</p>
<a href="" id="nonce"></a>**Nonce** (Required)
<p>Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.</p>
@ -243,7 +688,7 @@ HealthAttestation
<p>Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.</p>
<p>Value type is integer. The supported operation is Get.</p>
## **DHA-CSP integration steps**
### **DHA-CSP integration steps**
The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM):
@ -260,7 +705,7 @@ The following list of validation and development tasks are required for integrat
Each step is described in detail in the following sections of this topic.
## <a href="" id="verify-access"></a>**Step 1: Verify HTTPS access**
### <a href="" id="verify-access"></a>**Step 1: Verify HTTPS access**
Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS).
@ -313,7 +758,7 @@ SSL-Session:
```
## <a href="" id="assign-trusted-dha-service"></a>**Step 2: Assign an enterprise trusted DHA-Service**
### <a href="" id="assign-trusted-dha-service"></a>**Step 2: Assign an enterprise trusted DHA-Service**
There are three types of DHA-Service:
- Device Health Attestation Cloud (owned and operated by Microsoft)
@ -339,7 +784,7 @@ The following example shows a sample call that instructs a managed device to com
```
## <a href="" id="prepare-health-data"></a>**Step 3: Instruct client to prepare health data for verification**
### <a href="" id="prepare-health-data"></a>**Step 3: Instruct client to prepare health data for verification**
Send a SyncML call to start collection of the DHA-Data.
@ -366,7 +811,7 @@ The following example shows a sample call that triggers collection and verificat
</Get>
```
## <a href="" id="take-action-client-response"></a>**Step 4: Take action based on the clients response**
### <a href="" id="take-action-client-response"></a>**Step 4: Take action based on the clients response**
After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
@ -392,9 +837,9 @@ Here is a sample alert that is issued by DHA_CSP:
</Item>
</Alert>
```
- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
## <a href="" id="forward-health-attestation"></a>**Step 5: Instruct the client to forward health attestation data for verification**
### <a href="" id="forward-health-attestation"></a>**Step 5: Instruct the client to forward health attestation data for verification**
Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device.
@ -431,7 +876,7 @@ Here is an example:
</Get>
```
## <a href="" id="forward-data-to-has"></a>**Step 6: Forward device health attestation data to DHA-service**
### <a href="" id="forward-data-to-has"></a>**Step 6: Forward device health attestation data to DHA-service**
In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node).
@ -455,14 +900,14 @@ When the MDM-Server receives the above data, it must:
- DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
## <a href="" id="receive-has-response"></a>**Step 7: Receive response from the DHA-service**
### <a href="" id="receive-has-response"></a>**Step 7: Receive response from the DHA-service**
When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
- Decrypts the encrypted data it receives.
- Validates the data it has received
- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format
## <a href="" id="take-policy-action"></a>**Step 8: Take appropriate policy action based on evaluation results**
### <a href="" id="take-policy-action"></a>**Step 8: Take appropriate policy action based on evaluation results**
After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be:
@ -471,7 +916,7 @@ After the MDM server receives the verified data, the information can be used to
- Allow the device to access the resources, but flag the device for further investigation.
- Prevent a device from accessing resources.
The following list of data points are verified by the DHA-Service in DHA-Report version 3:
The following list of data points is verified by the DHA-Service in DHA-Report version 3:
- [Issued](#issued )
- [AIKPresent](#aikpresent)
@ -503,7 +948,7 @@ The following list of data points are verified by the DHA-Service in DHA-Report
\* TPM 2.0 only
\*\* Reports if BitLocker was enabled during initial boot.
\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.
\*\*\* The “Hybrid Resume” must be disabled on the device. Reports first-party ELAM “Defender” was loaded during boot.
Each of these are described in further detail in the following sections, along with the recommended actions to take.
@ -519,7 +964,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="resetcount"></a>**ResetCount** (Reported only for devices that support TPM 2.0)
@ -544,7 +989,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bitlockerstatus"></a>**BitLockerStatus** (at boot time)
@ -560,7 +1005,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bootmanagerrevlistversion"></a>**BootManagerRevListVersion**
@ -573,7 +1018,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI and MBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="codeintegrityrevlistversion"></a>**CodeIntegrityRevListVersion**
<p>This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.</p>
@ -585,7 +1030,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI and MBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="securebootenabled"></a>**SecureBootEnabled**
<p>When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.</p>
@ -596,11 +1041,11 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bootdebuggingenabled"></a>**BootDebuggingEnabled**
<p>Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.</p>
<p>Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.</p>
<p>Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:</p>
@ -626,7 +1071,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="codeintegrityenabled"></a>**CodeIntegrityEnabled**
<p>When code integrity is enabled, code execution is restricted to integrity verified code.</p>
@ -641,7 +1086,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI assets
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="testsigningenabled"></a>**TestSigningEnabled**
@ -680,11 +1125,11 @@ Each of these are described in further detail in the following sections, along w
<p>If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.</p>
<a href="" id="elamdriverloaded"></a>**ELAMDriverLoaded** (Windows Defender)
<p>To use this reporting feature you must disable &quot;Hybrid Resume&quot; on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.</p>
<p>To use this reporting feature, you must disable &quot;Hybrid Resume&quot; on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.</p>
<p>In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.</p>
<p>In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.</p>
<p>If a device is expected to use a 3rd party antivirus program, ignore the reported state.</p>
<p>If a device is expected to use a third-party antivirus program, ignore the reported state.</p>
<p>If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.</p>
@ -705,7 +1150,7 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="vsmenabled"></a>**VSMEnabled**
<p>Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory it has just enough capability to run the LSA service that is used for all authentication brokering.</p>
<p>Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory it has enough capability to run the LSA service that is used for all authentication brokering.</p>
<p>VSM can be enabled by using the following command in WMI or a PowerShell script:</p>
@ -760,7 +1205,7 @@ Each of these are described in further detail in the following sections, along w
<a href="" id="pcr0"></a>**PCR0**
<p>The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.</p>
<p>Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.</p>
<p>Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.</p>
<p>If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.</p>
@ -776,7 +1221,7 @@ Each of these are described in further detail in the following sections, along w
<p>If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
<p>If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
<p>If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
@ -786,7 +1231,7 @@ Each of these are described in further detail in the following sections, along w
<p>If CIPolicy is not present, or is an accepted allow-listed value, then allow access.</p>
<p>If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
<p>If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
@ -816,7 +1261,7 @@ Each of these are described in further detail in the following sections, along w
<p>In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.</p>
## **Device HealthAttestation CSP status and error codes**
### **Device HealthAttestation CSP status and error codes**
<table>
<tr>
@ -962,7 +1407,7 @@ Each of these are described in further detail in the following sections, along w
<tr>
<td>27</td>
<td>HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE</td>
<td>DHA-CSP failed to create a HTTP request handle.</td>
<td>DHA-CSP failed to create an HTTP request handle.</td>
</tr>
<tr>
<td>28</td>
@ -997,7 +1442,7 @@ Each of these are described in further detail in the following sections, along w
<tr>
<td>34</td>
<td>HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE</td>
<td>DHA-CSP received an empty response along with a HTTP error code from DHA-Service.</td>
<td>DHA-CSP received an empty response along with an HTTP error code from DHA-Service.</td>
</tr>
<tr>
<td>35</td>
@ -1027,7 +1472,7 @@ Each of these are described in further detail in the following sections, along w
</table>
## DHA-Report V3 schema
### DHA-Report V3 schema
```xml
@ -1131,7 +1576,7 @@ Each of these are described in further detail in the following sections, along w
</xs:schema>
```
## DHA-Report example
### DHA-Report example
```xml


@ -22,193 +22,430 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<identity
xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
owner="Microsoft"
namespace="Windows-DeviceManagement-CspDefinition"
name="HealthAttestation">
<cspDefinition>
<MgmtTree>
<VerDTD>1.2</VerDTD>
<BinaryPath>$(runtime.windows)\system32\hascsp.dll</BinaryPath>
<Diagnostics></Diagnostics>
<ComClsid>{9DCCCE22-C057-424E-B8D1-67935988B174}</ComClsid>
<Node>
<NodeName>HealthAttestation</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.2/MDM/HealthAttestation</MIME>
</DFType>
<AccessType>
<Get />
</AccessType>
<Description>The root node for the device HealthAttestation configuration service provider.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.4/MDM/HealthAttestation</MIME>
</DFType>
<Applicability>
<OsBuildVersion>10.0.10586</OsBuildVersion>
<CspVersion>1.0</CspVersion>
</Applicability>
<ExposedTo>
<Wmi />
<Mdm />
</ExposedTo>
</DFProperties>
<Node>
<NodeName>VerifyHealth</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
</DFProperties>
<NodeName>VerifyHealth</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>Notifies the device to prepare a device health verification request.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<OneTimeExecution />
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Provides the current status of the device health request. For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ForceRetrieve</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
<NodeName>ForceRetrieve</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>false</Value>
<ValueDescription>False</ValueDescription>
</Enum>
<Enum>
<Value>true</Value>
<ValueDescription>True</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>Certificate</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<NodeName>Certificate</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Instructs the DHA-CSP to forward DHA-Data to the MDM server.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Nonce</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>\0</DefaultValue>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
<NodeName>Nonce</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>\0</DefaultValue>
<Description>Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="None">
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>CorrelationID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
<NodeName>CorrelationID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="None">
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>HASEndpoint</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
<NodeName>HASEndpoint</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>has.spserv.microsoft.com.</DefaultValue>
<Description>Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="None">
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>TpmReadyStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
<NodeName>TpmReadyStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description> Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>10.0.14393</OsBuildVersion>
<CspVersion>1.1</CspVersion>
</Applicability>
</DFProperties>
</Node>
</Node>
</MgmtTree>
<Node>
<NodeName>CurrentProtocolVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Provides the current protocol version that the client is using to communicate with the Health Attestation Service.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>10.0.16299</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
</DFProperties>
</Node>
<Node>
<NodeName>PreferredMaxProtocolVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>3</DefaultValue>
<Description>Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>10.0.16299</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="None">
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>MaxSupportedProtocolVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the maximum protocol version that this client can support.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>10.0.16299</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
</DFProperties>
</Node>
<Node>
<NodeName>TriggerAttestation</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>Notifies the device to trigger an attestation session asynchronously.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.4</CspVersion>
</Applicability>
<AsynchronousTracking ResourceSuccessURI="AttestStatus" />
<OneTimeExecution />
</DFProperties>
</Node>
<Node>
<NodeName>GetAttestReport</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieve attestation session report if exists.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.4</CspVersion>
</Applicability>
</DFProperties>
</Node>
<Node>
<NodeName>AttestStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>AttestStatus maintains the success or failure status code for the last attestation session.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.4</CspVersion>
</Applicability>
</DFProperties>
</Node>
<Node>
<NodeName>GetServiceCorrelationIDs</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieve service correlation IDs if exist.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.4</CspVersion>
</Applicability>
</DFProperties>
</Node>
</Node>
</MgmtTree>
</cspDefinition>
</identity>
```
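Review bot: The four CSP 1.4 nodes added at the end of the tree (TriggerAttestation, GetAttestReport, AttestStatus, GetServiceCorrelationIDs) carry `<OsBuildVersion>99.9.99999</OsBuildVersion>`, which reads like an unreleased-build placeholder rather than a real build number; the page should say which Windows release ships these nodes, or state that they are not yet available, so readers don't treat the value as a minimum build. The Status node's Description embeds a locale-specific link (`https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#...`); if the DDF text is editable for docs purposes, the locale-neutral `/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes` form is preferable. The HASEndpoint DefaultValue `has.spserv.microsoft.com.` ends with a trailing dot; confirm that is intentional, since it is the value an MDM would compare against when deciding whether a device still points at the default attestation service.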


@ -25,9 +25,26 @@ The HotSpot configuration service provider is used to configure and enable Inter
The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png)
```console
./Vendor/MSFT
HotSpot
-------Enabled
-------DedicatedConnections
-------TetheringNAIConnection
-------MaxUsers
-------MaxBluetoothUsers
-------MOHelpNumber
-------MOInfoLink
-------MOAppLink
-------MOHelpMessage
-------EntitlementRequired
-------EntitlementDll
-------EntitlementInterval
-------PeerlessTimeout
-------PublicConnectionTimeout
```
<a href="" id="enabled"></a>**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.



@ -1,6 +1,6 @@
---
title: Mobile device management
description: Windows 10 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
MS-HAID:
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
@ -15,9 +15,9 @@ author: dansimp
# Mobile device management
Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users privacy on their personal devices. A built-in management component can communicate with the management server.
Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users privacy on their personal devices. A built-in management component can communicate with the management server.
There are two parts to the Windows 10 management component:
There are two parts to the Windows management component:
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
@ -40,6 +40,7 @@ The MDM security baseline includes policies that cover the following areas:
For more details about the MDM policies defined in the MDM security baseline and what Microsofts recommended baseline policy values are, see:
- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip)


@ -15,9 +15,18 @@ manager: dansimp
The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
The following diagram shows the Messaging configuration service provider in tree format.
The following shows the Messaging configuration service provider in tree format.
![messaging csp.](images/provisioning-csp-messaging.png)
```console
./User/Vendor/MSFT
Messaging
----AuditingLevel
----Auditing
--------Messages
----------Count
----------RevisionId
----------Data
```
<a href="" id="--user-msft-applocker"></a>**./User/Vendor/MSFT/Messaging**


@ -66,13 +66,13 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
## Disable MDM enrollments
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
Here is the corresponding registry key:
Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Value: DisableRegistration
@ -80,19 +80,8 @@ Value: DisableRegistration
The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users cannot enroll in MDM. Only admin users can enroll.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration
**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours.
Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work.
To manually trigger enrollment migration, you can run MDMMaintenenceTask.
**Mobile devices:** After the MDM client upgrade from Windows Phone 8.1 to Windows 10 Mobile, enrollment migration is performed during the first boot after the upgrade.
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users cannot enroll in MDM. Only admin users can enroll.
## Enrollment error messages
@ -143,49 +132,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
<td><p>s:</p></td>
<td><p>MessageFormat</p></td>
<td><p>MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</p></td>
<td><p>Message format is bad</p></td>
<td><p>Invalid message from the Mobile Device Management (MDM) server.</p></td>
<td><p>80180001</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>Authentication</p></td>
<td><p>MENROLL_E_DEVICE_AUTHENTICATION_ERROR</p></td>
<td><p>User not recognized</p></td>
<td><p>The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.</p></td>
<td><p>80180002</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>Authorization</p></td>
<td><p>MENROLL_E_DEVICE_AUTHORIZATION_ERROR</p></td>
<td><p>User not allowed to enroll</p></td>
<td><p>The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.</p></td>
<td><p>80180003</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>CertificateRequest</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</p></td>
<td><p>Failed to get certificate</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR</p></td>
<td><p>The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.</p></td>
<td><p>80180004</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>EnrollmentServer</p></td>
<td><p>MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</p></td>
<td></td>
<td>The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.</td>
<td><p>80180005</p></td>
</tr>
<tr class="even">
<td><p>a:</p></td>
<td><p>InternalServiceFault</p></td>
<td><p>MENROLL_E_DEVICE_INTERNALSERVICE_ERROR</p></td>
<td><p>The server hit an unexpected issue</p></td>
<td><p> There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.</p></td>
<td><p>80180006</p></td>
</tr>
<tr class="odd">
<td><p>a:</p></td>
<td><p>InvalidSecurity</p></td>
<td><p>MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</p></td>
<td><p>Cannot parse the security header</p></td>
<td><p>The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.</p></td>
<td><p>80180007</p></td>
</tr>
</tbody>
@ -242,43 +231,43 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
<tr class="odd">
<td><p>DeviceCapReached</p></td>
<td><p>MENROLL_E_DEVICECAPREACHED</p></td>
<td><p>User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.</p></td>
<td><p>The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.</p></td>
<td><p>80180013</p></td>
</tr>
<tr class="even">
<td><p>DeviceNotSupported</p></td>
<td><p>MENROLL_E_DEVICENOTSUPPORTED</p></td>
<td><p>Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.</p></td>
<td><p>The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.</p></td>
<td><p>80180014</p></td>
</tr>
<tr class="odd">
<td><p>NotSupported</p></td>
<td><p>MENROLL_E_NOTSUPPORTED</p></td>
<td><p>Mobile device management generally not supported (would save an admin call)</p></td>
<td><p>MENROLL_E_NOT_SUPPORTED</p></td>
<td><p>Mobile Device Management (MDM) is generally not supported for this device.</p></td>
<td><p>80180015</p></td>
</tr>
<tr class="even">
<td><p>NotEligibleToRenew</p></td>
<td><p>MENROLL_E_NOTELIGIBLETORENEW</p></td>
<td><p>Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.</p></td>
<td><p>The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.</p></td>
<td><p>80180016</p></td>
</tr>
<tr class="odd">
<td><p>InMaintenance</p></td>
<td><p>MENROLL_E_INMAINTENANCE</p></td>
<td><p>Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.</p></td>
<td><p>The Mobile Device Management (MDM) server states your account is in maintenance, try again later.</p></td>
<td><p>80180017</p></td>
</tr>
<tr class="even">
<td><p>UserLicense</p></td>
<td><p>MENROLL_E_USERLICENSE</p></td>
<td><p>License of user is in bad state and blocking the enrollment. The user needs to call the admin.</p></td>
<td><p>MENROLL_E_USER_LICENSE</p></td>
<td><p>There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.</p></td>
<td><p>80180018</p></td>
</tr>
<tr class="odd">
<td><p>InvalidEnrollmentData</p></td>
<td><p>MENROLL_E_ENROLLMENTDATAINVALID</p></td>
<td><p>The server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>80180019</p></td>
</tr>
</tbody>
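Review bot: The rewritten registry line `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM` drops the `Key:` label the removed line had, so it no longer pairs with the `Value: DisableRegistration` line that follows; keep the label, e.g. `Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM`. Three error-code identifiers are also respelled in the tables (`MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR` to `MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR`, `MENROLL_E_NOTSUPPORTED` to `MENROLL_E_NOT_SUPPORTED`, `MENROLL_E_USERLICENSE` to `MENROLL_E_USER_LICENSE`); these are the names admins search for in event logs and SDK headers, so they should be verified against the header before publishing — if the old spellings are the ones the platform actually defines, the change introduces a mismatch rather than fixing one. The hex codes next to them are unchanged, so a reader can still match rows by code, but the symbolic name should not be the part that drifts.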


@ -25,13 +25,41 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png)
```console
NAPDEF
----NAPAUTHINFO
------AUTHNAME
------AUTHSECRET
------AUTHTYPE
----BEARER
----INTERNET
----LOCAL-ADDR
----LOCAL-ADDRTYPE
----NAME
----NAP-ADDRESS
----NAP-ADDRTYPE
----NAPID
```
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png)
```console
NAPDEF
--NAPID
----NAPAUTHINFO
------AUTHNAME
------AUTHSECRET
------AUTHTYPE
----BEARER
----INTERNET
----LOCAL-ADDR
----LOCAL-ADDRTYPE
----NAME
----NAP-ADDRESS
----NAP-ADDRTYPE
```
<a href="" id="napauthinfo"></a>**NAPAUTHINFO**
Defines a group of authentication settings.
@ -106,26 +134,26 @@ The following table shows the Microsoft custom elements that this configuration
</colgroup>
<thead>
<tr class="header">
<th>ELements</th>
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p>
<p>Note that some GPRS parameters will not necessarily contain the exact same value as was set.</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
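Review bot: The table rows now capitalize the element names (`Parm-query`, `Noparm`, `Nocharacteristic`, `Characteristic-query`), but these appear to be literal OMA Client Provisioning XML element names, and XML element names are case-sensitive; if that is the case, the lowercase forms from the removed lines were correct and only the `Elements` header fix should stay. Wrapping the names in `<code>` would also make clear they are literals rather than prose, which is presumably what prompted the sentence-case edit.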



@ -21,15 +21,68 @@ The PassportForWork configuration service provider is used to provision Windows
 
### User configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
The following shows the PassportForWork configuration service provider in tree format.
![passportforwork csp.](images/provisioning-csp-passportforwork.png)
```console
./User/Vendor/MSFT
PassportForWork
-------TenantId
----------Policies
-------------UsePassportForWork
-------------RequireSecurityDevice
-------------EnablePinRecovery
-------------PINComplexity
----------------MinimumPINLength
----------------MaximumPINLength
----------------UppercaseLetters
----------------LowercaseLetters
----------------SpecialCharecters
----------------Digits
----------------History
----------------Expiration
```
### Device configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
The following shows the PassportForWork configuration service provider in tree format.
![passportforwork diagram.](images/provisioning-csp-passportforwork2.png)
```console
./Device/Vendor/MSFT
PassportForWork
-------TenantId
----------Policies
-------------UsePassportForWork
-------------RequireSecurityDevice
-------------ExcludeSecurityDevices
----------------TPM12
-------------EnablePinRecovery
-------------UserCertificateForOnPremAuth
-------------PINComplexity
----------------MinimumPINLength
----------------MaximumPINLength
----------------UppercaseLetters
----------------LowercaseLetters
----------------SpecialCharacters
----------------Digits
----------------History
----------------Expiration
-------------Remote
----------------UseRemotePassport
-------------UseHelloCertificatesAsSmartCardCertificates
-------UseBiometrics
-------Biometrics
----------UseBiometrics
----------FacialFeatureUse
-------DeviceUnlock
----------GroupA
----------GroupB
----------Plugins
-------DynamicLock
----------DynamicLock
----------Plugins
-------SecurityKey
----------UseSecurityKeyForSignin
```
<a href="" id="passportforwork"></a>**PassportForWork**
Root node for PassportForWork configuration service provider.
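Review bot: The two new console trees spell the same PINComplexity child differently — `SpecialCharecters` in the user-configuration tree and `SpecialCharacters` in the device-configuration tree. These are node names rather than prose, so at most one spelling is right; check the PassportForWork DDF and use the correct name in both trees. Since the trees are replacing the diagrams as the reference for the node paths, a misspelled node here is likely to be copied verbatim into MDM configurations and fail silently.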


@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 10/08/2020
ms.date: 10/11/2021
---
# Policies in Policy CSP supported by HoloLens 2
@ -51,6 +51,7 @@ ms.date: 10/08/2020
- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>10</sup>
- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>
- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) <sup>9</sup>
- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) <sup>9</sup>
@ -101,7 +102,13 @@ ms.date: 10/08/2020
- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) <sup>9</sup>
- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) <sup>10</sup>
- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) <sup>10</sup>
- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) <sup>10</sup>
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) <sup>10</sup>
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) <sup>10</sup>
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) <sup>10</sup>
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
@ -109,7 +116,10 @@ ms.date: 10/08/2020
- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) <sup>10</sup>
- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) <sup>10</sup>
- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) <sup>10</sup>
- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) <sup>8</sup>
@ -125,6 +135,7 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
## Related topics


@ -29,7 +29,6 @@ ms.date: 07/22/2020
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)


@ -42,9 +42,25 @@ The Policy configuration service provider has the following sub-categories:
> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![policy csp diagram.](images/provisioning-csp-policy.png)
```console
./Vendor/MSFT
Policy
-------Config
----------AreaName
-------------PolicyName
-------Result
----------AreaName
-------------PolicyName
-------ConfigOperations
----------ADMXInstall
-------------AppName
----------------Policy
------------------UniqueID
----------------Preference
------------------UniqueID
```
<a href="" id="--vendor-msft-policy"></a>**./Vendor/MSFT/Policy**
@ -5825,9 +5841,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-defender.md#defender-allowioavprotection" id="defender-allowioavprotection">Defender/AllowIOAVProtection</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-allowintrusionpreventionsystem" id="defender-allowintrusionpreventionsystem">Defender/AllowIntrusionPreventionSystem</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-allowonaccessprotection" id="defender-allowonaccessprotection">Defender/AllowOnAccessProtection</a>
</dd>


@ -1551,7 +1551,8 @@ ADMX Info:
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>


@ -517,7 +517,7 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is in preview mode only and therefore not meant or recommended for production purposes.
> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
@ -596,7 +596,7 @@ Value type is integer. Supported values:
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is in preview mode only and therefore not meant or recommended for production purposes.
> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.

