(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 1b8ae56970..dad5176518 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -226,7 +226,7 @@ However, key management is different for on-premises MDM. You must obtain the cl ## Themes -The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers. +The pages rendered by the MDM as part of the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared templates ensure a seamless experience for the customers. There are 3 distinct scenarios: @@ -236,7 +236,11 @@ There are 3 distinct scenarios: Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511. -The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip). +The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip). + +- For Windows 10, use **oobe-desktop.css** +- For Windows 11, use **oobe-light.css** + ### Using themes diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 465173f72d..457c87e1ac 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -16,18 +16,18 @@ ms.date: 06/26/2017 The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device. +>[!Note] +>BOOTSTRAP CSP is only supported in Windows 10 Mobile. +> +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -> **Note** BOOTSTRAP CSP is only supported in Windows 10 Mobile. -> -> -> -> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. +The following shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. - - -The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. - - +```console +BOOTSTRAP +----CONTEXT-ALLOW +----PROVURL +``` **CONTEXT-ALLOW** Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value. diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 1a723bdeb1..889eab27e9 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: m365-security ms.technology: windows-sec author: dansimp -ms.date: 06/26/2017 +ms.date: 10/25/2021 --- # BrowserFavorite CSP @@ -28,9 +28,13 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID -The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. +The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. - +```console +BrowserFavorite +favorite name +----URL +``` ***favorite name*** Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer. @@ -82,11 +86,11 @@ The following table shows the Microsoft custom elements that this configurationYes
No parm
Noparm
Yes
No characteristic
Nocharacteristic
Yes
Optional. Integer. Specifies the default roaming value. Valid values are:
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 6fb876a9ef..e0eef687f1 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. -The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. +The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. - +```console +CM_CellularEntries +----entryname +--------AlwaysOn +--------AuthType +--------ConnectionType +--------Desc.langid +--------Enabled +--------IpHeaderCompression +--------Password +--------SwCompression +--------UserName +--------UseRequiresMappingPolicy +--------Version +--------DevSpecificCellular +-----------GPRSInfoAccessPointName +--------Roaming +--------OEMConnectionID +--------ApnId +--------IPType +--------ExemptFromDisablePolicy +--------ExemptFromRoaming +--------TetheringNAI +--------IdleDisconnectTimeout +--------SimIccId +--------PurposeGroups +``` ***entryname***Defines the name of the connection.
@@ -51,27 +77,27 @@ The following diagram shows the CM\_CellularEntries configuration service providgprs
Gprs
Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).
cdma
Cdma
Used for CDMA type connections (1XRTT + EVDO).
lte
Lte
Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.
legacy
Legacy
Used for GPRS + GSM + EDGE + UMTS connections.
lte_iwlan
Lte_iwlan
Used for GPRS type connections that may be offloaded over WiFi
iwlan
Iwlan
Used for connections that are implemented over WiFi offload only
nocharacteristic
Nocharacteristic
Yes
characteristic-query
Characteristic-query
Yes
parm-query
Parm-query
Yes
4444666666352222333331222223333322222222223666662222222
+ 33333B3333244444422222222222BBBBBB111111115555444111155551111333355555s:
MessageFormat
MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
Message format is bad
Invalid message from the Mobile Device Management (MDM) server.
80180001
s:
Authentication
MENROLL_E_DEVICE_AUTHENTICATION_ERROR
User not recognized
The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.
80180002
s:
Authorization
MENROLL_E_DEVICE_AUTHORIZATION_ERROR
User not allowed to enroll
The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.
80180003
s:
CertificateRequest
MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR
Failed to get certificate
MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR
The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.
80180004
s:
EnrollmentServer
MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
80180005
a:
InternalServiceFault
MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
The server hit an unexpected issue
There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.
80180006
a:
InvalidSecurity
MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
Cannot parse the security header
The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.
80180007
DeviceCapReached
MENROLL_E_DEVICECAPREACHED
User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.
The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.
80180013
DeviceNotSupported
MENROLL_E_DEVICENOTSUPPORTED
Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.
The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.
80180014
NotSupported
MENROLL_E_NOTSUPPORTED
Mobile device management generally not supported (would save an admin call)
MENROLL_E_NOT_SUPPORTED
Mobile Device Management (MDM) is generally not supported for this device.
80180015
NotEligibleToRenew
MENROLL_E_NOTELIGIBLETORENEW
Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.
The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
80180016
InMaintenance
MENROLL_E_INMAINTENANCE
Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.
The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
80180017
UserLicense
MENROLL_E_USERLICENSE
License of user is in bad state and blocking the enrollment. The user needs to call the admin.
MENROLL_E_USER_LICENSE
There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
80180018
InvalidEnrollmentData
MENROLL_E_ENROLLMENTDATAINVALID
The server rejected the enrollment data. The server may not be configured correctly.
The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
80180019
parm-query
Parm-query
Yes
Note that some GPRS parameters will not necessarily contain the exact same value as was set.
noparm
Noparm
Yes
nocharacteristic
Nocharacteristic
Yes
characteristic-query
Characteristic-query
Yes
4104
-Hex:1008
Hex: 1008
TPS Policy
This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.
Default value: 1
@@ -58,7 +62,7 @@ The following security policies are supported.4105
-Hex:1009
Hex: 1009
Message Authentication Retry Policy
This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.
Default value: 3
@@ -66,7 +70,7 @@ The following security policies are supported.4108
-Hex:100c
Hex: 100c
Service Loading Policy
This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.
Default value: 256 (SECROLE_KNOWN_PPG)
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 3cecc2a632..6df84e5ee9 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -23,7 +23,7 @@ The VPN configuration service provider allows the MDM server to configure the VP Important considerations: -- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN. +- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is critical for forced tunnel VPN. - VPN configuration commands must be wrapped with an Atomic command as shown in the example below. @@ -31,9 +31,61 @@ Important considerations: - For the VPN CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the VPN configuration service provider in tree format. +The following shows the VPN configuration service provider in tree format. - +```console +./Vendor/MSFT +VPN +-----ProfileName +---------Server +---------TunnelType +---------ThirdParty +-------------Name +-------------AppID +-------------CustomStoreURL +-------------CustomConfiguration +---------RoleGroup +---------Authentication +-------------Method +-------------Certificate +---------------Issuer +---------------EKU +---------------CacheLifeTimeProtectedCert +-------------MultiAuth +---------------StartURL +---------------EndURL +-------------EAP +---------Proxy +-------------Automatic +-------------Manual +---------------Server +---------------Port +-------------BypassProxyforLocal +---------SecuredResources +-------------AppPublisherNameList +---------------AppPublisherName +-------------AppAllowedList +---------------AppAllowedList +-------------NetworkAllowedList +---------------NetworkAllowedList +-------------NameSapceAllowedList +---------------NameSapceAllowedList +-------------ExcudedAppList +---------------ExcudedAppList +-------------ExcludedNetworkList +---------------ExcludedNetworkList +-------------ExcludedNameSpaceList +---------------ExcludedNameSpaceList +-------------DNSSuffixSearchList +---------------DNSSuffixSearchList +---------Policies +-------------RememberCredentials +-------------SplitTunnel +-------------BypassforLocal +-------------TrustedNetworkDetection +-------------ConnectionType +---------DNSSuffix +``` ***ProfileName*** Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). @@ -48,12 +100,12 @@ Supported operations are Get, Add, and Replace. Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com. **TunnelType** -Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. +Optional, but required when deploying a third-party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. Value type is chr. Supported operations are Get and Add. **ThirdParty** -Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. +Optional, but required if deploying third-party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. Supported operations are Get and Add. @@ -73,17 +125,17 @@ Valid values: - Checkpoint Mobile VPN **ThirdParty/AppID** -Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. +Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. Value type is chr. Supported operations are Get, Add, Replace, and Delete. **ThirdParty/CustomStoreURL** -Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app. +Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app. Value type is chr. Supported operations are Get, Add, Replace, and Delete. **ThirdParty/CustomConfiguration** -Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins. +Optional. This is an HTML encoded XML blob for SSL-VPN plugin-specific configuration that is deployed to the device to make it available for SSL-VPN plugins. Value type is char. Supported operations are Get, Add, Replace, and Delete. @@ -98,7 +150,7 @@ Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a col Supported operations are Get and Add. **Authentication/Method** -Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. +Required for IKEv2 profiles and optional for third-party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. Supported operations are Get and Add. @@ -114,7 +166,7 @@ Optional node. A collection of nodes that enables simpler authentication experie Supported operations are Get and Add. **Authentication/Certificate/Issuer** -Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering. +Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used with EKU for more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -123,7 +175,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace. **Authentication/Certificate/EKU** -Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering. +Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this with ISSUER for a more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -175,16 +227,16 @@ Default is False. Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported.. **SecuredResources/AppAllowedList/AppAllowedList** -Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps. +Optional. Specifies one or more ProductIDs for the enterprise line-of-business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is autotriggered, VPN is triggered automatically by these apps. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. Value type is chr. Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u. **SecuredResources/NetworkAllowedList/NetworkAllowedList** -Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks. +Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is autotriggered, the VPN is triggered automatically by these protected networks. Supported operations are Get, Add, Replace, and Delete. @@ -202,7 +254,7 @@ Value type is chr. An example is \*.corp.contoso.com. **SecuredResources/ExcluddedAppList/ExcludedAppList** -Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. +Optional. Specifies one or more ProductIDs for enterprise line-of-business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. Supported operations are Get, Add, Replace, and Delete. diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 080d7049c2..ee97bcaf9b 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -21,11 +21,17 @@ The default security roles are defined in the root characteristic, and map to ea > **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application. - +The following shows the configuration service provider in tree format as used by OMA Client Provisioning. -The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning. - - +```console +APPLICATION +----APPID +----NAME +----TO-PROXY +----TO-NAPID +----ADDR +----MS +``` **APPID** Required. This parameter takes a string value. The only supported value for configuring MMS is "w4". diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 9015b2a89c..6da450c6ce 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -19,11 +19,37 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f > **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. - -The following image shows the configuration service provider in tree format as used by OMA Client Provisioning. +The following shows the configuration service provider in tree format as used by OMA Client Provisioning. - +```console +APPLICATION +---APPADDR +------ADDR +------ADDRTYPE +------PORT +---------PORTNBR +---APPAUTH +------AAUTHDATA +------AAUTHLEVEL +------AAUTHNAME +------AAUTHSECRET +------AAUTHTYPE +---AppID +---BACKCOMPATRETRYDISABLED +---CONNRETRYFREQ +---DEFAULTENCODING +---INIT +---INITIALBACKOFTIME +---MAXBACKOFTIME +---NAME +---PROTOVER +---PROVIDER-ID +---ROLE +---TO-NAPID +---USEHWDEVID +---SSLCLIENTCERTSEARCHCRITERIA +``` > **Note** All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 61dfd124af..275a2f7d19 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -29,9 +29,22 @@ Programming considerations: - For the WiFi CSP, you cannot use the Replace command unless the node already exists. - Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure. -The following image shows the WiFi configuration service provider in tree format. +The following shows the WiFi configuration service provider in tree format. + +```console +./Device/Vendor/MSFT +or +./User/Vendor/MSFT +WiFi +---Profile +------SSID +---------WlanXML +---------Proxy +---------ProxyPacUrl +---------ProxyWPAD +---------WiFiCost +``` - The following list shows the characteristics and parameters. diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index edb1043e75..68a3ca3f5f 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -17,9 +17,25 @@ ms.date: 11/01/2017 The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. -The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). +The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). - +```console +./Device/Vendor/MSFT +WindowsAdvancedThreatProtection +----Onboarding +----HealthState +--------LastConnected +--------SenseIsRunning +--------OnboardingState +--------OrgId +----Configuration +--------SampleSharing +--------TelemetryReportingFrequency +----Offboarding +----DeviceTagging +--------Group +--------Criticality +``` The following list describes the characteristics and parameters. diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 5167384668..88137f9ab7 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -86,19 +86,19 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw