deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-smandalika-5494946-B3

Browse Source
This commit is contained in:
denisebmsft 2021-10-25 11:01:02 -07:00
commit 579a2944fd
32 changed files with 1371 additions and 797 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,6 +10,7 @@ Tools/NuGet/
*.ini
_themes*/
common/
.vscode/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config

14
windows/client-management/mdm/accountmanagement-csp.md
View File

@ -19,10 +19,18 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
> [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
The following shows the AccountManagement configuration service provider in tree format.
The following diagram shows the AccountManagement configuration service provider in tree format.
![accountmanagement csp.](images/provisioning-csp-accountmanagement.png)
```console
./Vendor/MSFT
AccountManagement
----UserProfileManagement
--------EnableProfileManager
--------DeletionPolicy
--------StorageCapacityStartDeletion
--------StorageCapacityStopDeletion
--------ProfileInactivityThreshold
```
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.

31
windows/client-management/mdm/appv-deploy-and-config.md
View File

@ -23,7 +23,36 @@ manager: dansimp
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png)
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
```console
./Vendor/MSFT
EnterpriseAppVManagement
----AppVPackageManagement
--------EnterpriseID
------------PackageFamilyName
---------------PackageFullName
------------------Name
------------------Version
------------------Publisher
------------------InstallLocation
------------------InstallDate
------------------Users
------------------AppVPackageID
------------------AppVVersionId
------------------AppVPackageUri
----AppVPublishing
--------LastSync
------------LastError
------------LastErrorDescription
------------SyncStatusDescription
------------SyncProgress
--------Sync
------------PublishXML
----AppVDynamicPolicy
--------ConfigurationId
------------Policy
```
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>

8
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -226,7 +226,7 @@ However, key management is different for on-premises MDM. You must obtain the cl
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
The pages rendered by the MDM as part of the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
@ -236,7 +236,11 @@ There are 3 distinct scenarios:
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
- For Windows 10, use **oobe-desktop.css**
- For Windows 11, use **oobe-light.css**
### Using themes

18
windows/client-management/mdm/bootstrap-csp.md
View File

@ -16,18 +16,18 @@ ms.date: 06/26/2017
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile.
>[!Note]
>BOOTSTRAP CSP is only supported in Windows 10 Mobile.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
The following shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png)
```console
BOOTSTRAP
----CONTEXT-ALLOW
----PROVURL
```
<a href="" id="context-allow"></a>**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.

14
windows/client-management/mdm/browserfavorite-csp.md
View File

@ -9,7 +9,7 @@ ms.topic: article
ms.prod: m365-security
ms.technology: windows-sec
author: dansimp
ms.date: 06/26/2017
ms.date: 10/25/2021
---
# BrowserFavorite CSP
@ -28,9 +28,13 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png)
```console
BrowserFavorite
favorite name
----URL
```
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
@ -82,11 +86,11 @@ The following table shows the Microsoft custom elements that this configuration
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>No parm</p></td>
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>No characteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">

8
windows/client-management/mdm/cellularsettings-csp.md
View File

@ -19,9 +19,13 @@ The CellularSettings configuration service provider is used to configure cellula
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png)
```console
./Vendor/MSFT
CellularSettings
----DataRoam
```
<a href="" id="dataroam"></a>**DataRoam**
<p> Optional. Integer. Specifies the default roaming value. Valid values are:</p>

48
windows/client-management/mdm/cm-cellularentries-csp.md
View File

@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png)
```console
CM_CellularEntries
----entryname
--------AlwaysOn
--------AuthType
--------ConnectionType
--------Desc.langid
--------Enabled
--------IpHeaderCompression
--------Password
--------SwCompression
--------UserName
--------UseRequiresMappingPolicy
--------Version
--------DevSpecificCellular
-----------GPRSInfoAccessPointName
--------Roaming
--------OEMConnectionID
--------ApnId
--------IPType
--------ExemptFromDisablePolicy
--------ExemptFromRoaming
--------TetheringNAI
--------IdleDisconnectTimeout
--------SimIccId
--------PurposeGroups
```
<a href="" id="entryname"></a>***entryname***
<p>Defines the name of the connection.</p>
@ -51,27 +77,27 @@ The following diagram shows the CM\_CellularEntries configuration service provid
</colgroup>
<tbody>
<tr class="odd">
<td><p>gprs</p></td>
<td><p>Gprs</p></td>
<td><p>Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).</p></td>
</tr>
<tr class="even">
<td><p>cdma</p></td>
<td><p>Cdma</p></td>
<td><p>Used for CDMA type connections (1XRTT + EVDO).</p></td>
</tr>
<tr class="odd">
<td><p>lte</p></td>
<td><p>Lte</p></td>
<td><p>Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.</p></td>
</tr>
<tr class="even">
<td><p>legacy</p></td>
<td><p>Legacy</p></td>
<td><p>Used for GPRS + GSM + EDGE + UMTS connections.</p></td>
</tr>
<tr class="odd">
<td><p>lte_iwlan</p></td>
<td><p>Lte_iwlan</p></td>
<td><p>Used for GPRS type connections that may be offloaded over WiFi</p></td>
</tr>
<tr class="even">
<td><p>iwlan</p></td>
<td><p>Iwlan</p></td>
<td><p>Used for connections that are implemented over WiFi offload only</p></td>
</tr>
</tbody>
@ -285,15 +311,15 @@ The following table shows the Microsoft custom elements that this configuration
</thead>
<tbody>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>

2
windows/client-management/mdm/config-lock.md
View File

@ -19,7 +19,7 @@ ms.date: 10/07/2021
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
To summarize, Config Lock:

1196
windows/client-management/mdm/configuration-service-provider-reference.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/devdetail-csp.md
View File

@ -179,7 +179,7 @@ Value type is string. Supported operations are Get and Replace.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).

74
windows/client-management/mdm/device-update-management.md
View File

@ -138,9 +138,46 @@ Updates are configured using a combination of the [Update CSP](update-csp.md), a
The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following diagram shows the Update policies in a tree format.
The following shows the Update policies in a tree format.
![update policies.](images/update-policies.png)
```console
./Vendor/MSFT
Policy
----Config
--------Update
-----------ActiveHoursEnd
-----------ActiveHoursMaxRange
-----------ActiveHoursStart
-----------AllowAutoUpdate
-----------AllowMUUpdateService
-----------AllowNonMicrosoftSignedUpdate
-----------AllowUpdateService
-----------AutoRestartNotificationSchedule
-----------AutoRestartRequiredNotificationDismissal
-----------BranchReadinessLevel
-----------DeferFeatureUpdatesPeriodInDays
-----------DeferQualityUpdatesPeriodInDays
-----------DeferUpdatePeriod
-----------DeferUpgradePeriod
-----------EngagedRestartDeadline
-----------EngagedRestartSnoozeSchedule
-----------EngagedRestartTransitionSchedule
-----------ExcludeWUDriversInQualityUpdate
-----------IgnoreMOAppDownloadLimit
-----------IgnoreMOUpdateDownloadLimit
-----------PauseDeferrals
-----------PauseFeatureUpdates
-----------PauseQualityUpdates
-----------RequireDeferUpgrade
-----------RequireUpdateApproval
-----------ScheduleImminentRestartWarning
-----------ScheduledInstallDay
-----------ScheduledInstallTime
-----------ScheduleRestartWarning
-----------SetAutoRestartNotificationDisable
-----------UpdateServiceUrl
-----------UpdateServiceUrlAlternate
```
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
@ -674,9 +711,38 @@ Example
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following shows the Update CSP in tree format.
![provisioning csp update.](images/provisioning-csp-update.png)
```console
./Vendor/MSFT
Update
----ApprovedUpdates
--------Approved Update Guid
------------ApprovedTime
----FailedUpdates
--------Failed Update Guid
------------HResult
------------Status
------------RevisionNumber
----InstalledUpdates
--------Installed Update Guid
------------RevisionNumber
----InstallableUpdates
--------Installable Update Guid
------------Type
------------RevisionNumber
----PendingRebootUpdates
--------Pending Reboot Update Guid
------------InstalledTime
------------RevisionNumber
----LastSuccessfulScanTime
----DeferUpgrade
----Rollback
--------QualityUpdate
--------FeatureUpdate
--------QualityUpdateStatus
--------FeatureUpdateStatus
```
<a href="" id="update"></a>**Update**
The root node.

34
windows/client-management/mdm/deviceinstanceservice-csp.md
View File

@ -24,9 +24,27 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile.
The following diagram shows the DeviceInstanceService configuration service provider in tree format.
The following shows the DeviceInstanceService configuration service provider in tree format.
![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png)
```console
./Vendor/MSFT
DeviceInstanceService
------------Roaming
------------PhoneNumber
------------IMEI
------------IMSI
------------Identity
---------------Identity1
------------------Roaming
------------------PhoneNumber
------------------IMEI
------------------IMSI
---------------Identity2
------------------PhoneNumber
------------------IMEI
------------------IMSI
------------------Roaming
```
<a href="" id="roaming"></a>**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
@ -36,34 +54,34 @@ Supported operation is **Get**.
Returns **True** if the device is roaming; otherwise **False**.
<a href="" id="phonenumber"></a>**PhoneNumber**
A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
A string that represents the phone number of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imei"></a>**IMEI**
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imsi"></a>**IMSI**
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="identity"></a>**Identity**
The parent node to group per SIM specific information in case of dual SIM mode.
The parent node to group per SIM-specific information in dual SIM mode.
<a href="" id="identity1"></a>**Identity1**
The parent node to group SIM1 specific information in case of dual SIM mode.
The parent node to group SIM1 specific information in dual SIM mode.
<a href="" id="identity2"></a>**Identity2**
The parent node to group SIM2 specific information in case of dual SIM mode.
The parent node to group SIM2 specific information in dual SIM mode.
## Examples

28
windows/client-management/mdm/devicelock-csp.md
View File

@ -30,9 +30,33 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
The following image shows the DeviceLock configuration service provider in tree format.
The following shows the DeviceLock configuration service provider in tree format.
![devicelock csp.](images/provisioning-csp-devicelock.png)
```console
./Vendor/MSFT
DeviceLock
--------Provider
----------ProviderID
-------------DevicePasswordEnabled
-------------AllowSimpleDevicePassword
-------------MinDevicePasswordLength
-------------AlphanumericDevicePasswordRequired
-------------MaxDevicePasswordFailedAttempts
-------------DevicePasswordExpiration
-------------DevicePasswordHistory
-------------MaxInactivityTimeDeviceLock
-------------MinDevicePasswordComplexCharacters
----------DeviceValue
-------------DevicePasswordEnabled
-------------AllowSimpleDevicePassword
-------------MinDevicePasswordLength
-------------AlphanumericDevicePasswordRequired
-------------MaxDevicePasswordFailedAttempts
-------------DevicePasswordExpiration
-------------DevicePasswordHistory
-------------MaxInactivityTimeDeviceLock
-------------MinDevicePasswordComplexCharacters
```
<a href="" id="provider"></a>**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.

104
windows/client-management/mdm/enterprise-app-management.md
View File

@ -39,9 +39,109 @@ Windows 10 lets you inventory all apps deployed to a user and all apps for all
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
The following shows the EnterpriseModernAppManagement CSP in a tree format.
![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png)
```console
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
EnterpriseAppManagement
----AppManagement
--------UpdateScan
--------LastScanError
--------AppInventoryResults
--------AppInventoryQuery
--------RemovePackage
--------AppStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemovable
----------ReleaseManagement
------------ReleaseManagementKey
--------------ChannelId
--------------ReleaseId
--------------EffectiveRelease
-----------------ChannelId
-----------------ReleaseId
--------nonStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
--------System
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
----AppInstallation
--------PackageFamilyName
----------StoreInstall
----------HostedInstall
----------LastError
----------LastErrorDesc
----------Status
----------ProgressStatus
----AppLicenses
--------StoreLicenses
----------LicenseID
------------LicenseCategory
------------LicenseUsage
------------RequesterID
------------AddLicense
------------GetLicenseFromStore
```
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).

30
windows/client-management/mdm/enterpriseappmanagement-csp.md
View File

@ -21,9 +21,35 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
The following shows the EnterpriseAppManagement configuration service provider in tree format.
![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png)
```console
./Vendor/MSFT
EnterpriseAppManagement
----EnterpriseID
--------EnrollmentToken
--------StoreProductID
--------StoreUri
--------CertificateSearchCriteria
--------Status
--------CRLCheck
--------EnterpriseApps
------------Inventory
----------------ProductID
--------------------Version
--------------------Title
--------------------Publisher
--------------------InstallDate
------------Download
----------------ProductID
--------------------Version
--------------------Name
--------------------URL
--------------------Status
--------------------LastError
--------------------LastErrorDesc
--------------------DownloadInstall
```
<a href="" id="enterpriseid"></a>***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.

11
windows/client-management/mdm/filesystem-csp.md
View File

@ -22,9 +22,16 @@ The FileSystem configuration service provider is used to query, add, modify, and
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png)
```console
./Vendor/MSFT
FileSystem
----file name
----file directory
--------file name
--------file directory
```
<a href="" id="filesystem"></a>**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.

21
windows/client-management/mdm/hotspot-csp.md
View File

@ -25,9 +25,26 @@ The HotSpot configuration service provider is used to configure and enable Inter
The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png)
```console
./Vendor/MSFT
HotSpot
-------Enabled
-------DedicatedConnections
-------TetheringNAIConnection
-------MaxUsers
-------MaxBluetoothUsers
-------MOHelpNumber
-------MOInfoLink
-------MOAppLink
-------MOHelpMessage
-------EntitlementRequired
-------EntitlementDll
-------EntitlementInterval
-------PeerlessTimeout
-------PublicConnectionTimeout
```
<a href="" id="enabled"></a>**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.

13
windows/client-management/mdm/messaging-csp.md
View File

@ -15,9 +15,18 @@ manager: dansimp
The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
The following diagram shows the Messaging configuration service provider in tree format.
The following shows the Messaging configuration service provider in tree format.
![messaging csp.](images/provisioning-csp-messaging.png)
```console
./User/Vendor/MSFT
Messaging
----AuditingLevel
----Auditing
--------Messages
----------Count
----------RevisionId
----------Data
```
<a href="" id="--user-msft-applocker"></a>**./User/Vendor/MSFT/Messaging**

49
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -66,13 +66,13 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
## Disable MDM enrollments
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
Here is the corresponding registry key:
Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Value: DisableRegistration
@ -82,17 +82,6 @@ The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users cannot enroll in MDM. Only admin users can enroll.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration
**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours.
Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work.
To manually trigger enrollment migration, you can run MDMMaintenenceTask.
**Mobile devices:** After the MDM client upgrade from Windows Phone 8.1 to Windows 10 Mobile, enrollment migration is performed during the first boot after the upgrade.
## Enrollment error messages
@ -143,49 +132,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
<td><p>s:</p></td>
<td><p>MessageFormat</p></td>
<td><p>MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</p></td>
<td><p>Message format is bad</p></td>
<td><p>Invalid message from the Mobile Device Management (MDM) server.</p></td>
<td><p>80180001</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>Authentication</p></td>
<td><p>MENROLL_E_DEVICE_AUTHENTICATION_ERROR</p></td>
<td><p>User not recognized</p></td>
<td><p>The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.</p></td>
<td><p>80180002</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>Authorization</p></td>
<td><p>MENROLL_E_DEVICE_AUTHORIZATION_ERROR</p></td>
<td><p>User not allowed to enroll</p></td>
<td><p>The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.</p></td>
<td><p>80180003</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>CertificateRequest</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</p></td>
<td><p>Failed to get certificate</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR</p></td>
<td><p>The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.</p></td>
<td><p>80180004</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>EnrollmentServer</p></td>
<td><p>MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</p></td>
<td></td>
<td>The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.</td>
<td><p>80180005</p></td>
</tr>
<tr class="even">
<td><p>a:</p></td>
<td><p>InternalServiceFault</p></td>
<td><p>MENROLL_E_DEVICE_INTERNALSERVICE_ERROR</p></td>
<td><p>The server hit an unexpected issue</p></td>
<td><p> There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.</p></td>
<td><p>80180006</p></td>
</tr>
<tr class="odd">
<td><p>a:</p></td>
<td><p>InvalidSecurity</p></td>
<td><p>MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</p></td>
<td><p>Cannot parse the security header</p></td>
<td><p>The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.</p></td>
<td><p>80180007</p></td>
</tr>
</tbody>
@ -242,43 +231,43 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
<tr class="odd">
<td><p>DeviceCapReached</p></td>
<td><p>MENROLL_E_DEVICECAPREACHED</p></td>
<td><p>User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.</p></td>
<td><p>The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.</p></td>
<td><p>80180013</p></td>
</tr>
<tr class="even">
<td><p>DeviceNotSupported</p></td>
<td><p>MENROLL_E_DEVICENOTSUPPORTED</p></td>
<td><p>Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.</p></td>
<td><p>The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.</p></td>
<td><p>80180014</p></td>
</tr>
<tr class="odd">
<td><p>NotSupported</p></td>
<td><p>MENROLL_E_NOTSUPPORTED</p></td>
<td><p>Mobile device management generally not supported (would save an admin call)</p></td>
<td><p>MENROLL_E_NOT_SUPPORTED</p></td>
<td><p>Mobile Device Management (MDM) is generally not supported for this device.</p></td>
<td><p>80180015</p></td>
</tr>
<tr class="even">
<td><p>NotEligibleToRenew</p></td>
<td><p>MENROLL_E_NOTELIGIBLETORENEW</p></td>
<td><p>Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.</p></td>
<td><p>The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.</p></td>
<td><p>80180016</p></td>
</tr>
<tr class="odd">
<td><p>InMaintenance</p></td>
<td><p>MENROLL_E_INMAINTENANCE</p></td>
<td><p>Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.</p></td>
<td><p>The Mobile Device Management (MDM) server states your account is in maintenance, try again later.</p></td>
<td><p>80180017</p></td>
</tr>
<tr class="even">
<td><p>UserLicense</p></td>
<td><p>MENROLL_E_USERLICENSE</p></td>
<td><p>License of user is in bad state and blocking the enrollment. The user needs to call the admin.</p></td>
<td><p>MENROLL_E_USER_LICENSE</p></td>
<td><p>There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.</p></td>
<td><p>80180018</p></td>
</tr>
<tr class="odd">
<td><p>InvalidEnrollmentData</p></td>
<td><p>MENROLL_E_ENROLLMENTDATAINVALID</p></td>
<td><p>The server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>80180019</p></td>
</tr>
</tbody>

46
windows/client-management/mdm/napdef-csp.md
View File

@ -25,13 +25,41 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png)
```console
NAPDEF
----NAPAUTHINFO
------AUTHNAME
------AUTHSECRET
------AUTHTYPE
----BEARER
----INTERNET
----LOCAL-ADDR
----LOCAL-ADDRTYPE
----NAME
----NAP-ADDRESS
----NAP-ADDRTYPE
----NAPID
```
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png)
```console
NAPDEF
--NAPID
----NAPAUTHINFO
------AUTHNAME
------AUTHSECRET
------AUTHTYPE
----BEARER
----INTERNET
----LOCAL-ADDR
----LOCAL-ADDRTYPE
----NAME
----NAP-ADDRESS
----NAP-ADDRTYPE
```
<a href="" id="napauthinfo"></a>**NAPAUTHINFO**
Defines a group of authentication settings.
@ -106,26 +134,26 @@ The following table shows the Microsoft custom elements that this configuration
</colgroup>
<thead>
<tr class="header">
<th>ELements</th>
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p>
<p>Note that some GPRS parameters will not necessarily contain the exact same value as was set.</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>

61
windows/client-management/mdm/passportforwork-csp.md
View File

@ -21,15 +21,68 @@ The PassportForWork configuration service provider is used to provision Windows
 
### User configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
The following shows the PassportForWork configuration service provider in tree format.
![passportforwork csp.](images/provisioning-csp-passportforwork.png)
```console
./User/Vendor/MSFT
PassportForWork
-------TenantId
----------Policies
-------------UsePassportForWork
-------------RequireSecurityDevice
-------------EnablePinRecovery
-------------PINComplexity
----------------MinimumPINLength
----------------MaximumPINLength
----------------UppercaseLetters
----------------LowercaseLetters
----------------SpecialCharecters
----------------Digits
----------------History
----------------Expiration
```
### Device configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
The following shows the PassportForWork configuration service provider in tree format.
![passportforwork diagram.](images/provisioning-csp-passportforwork2.png)
```console
./Device/Vendor/MSFT
PassportForWork
-------TenantId
----------Policies
-------------UsePassportForWork
-------------RequireSecurityDevice
-------------ExcludeSecurityDevices
----------------TPM12
-------------EnablePinRecovery
-------------UserCertificateForOnPremAuth
-------------PINComplexity
----------------MinimumPINLength
----------------MaximumPINLength
----------------UppercaseLetters
----------------LowercaseLetters
----------------SpecialCharacters
----------------Digits
----------------History
----------------Expiration
-------------Remote
----------------UseRemotePassport
-------------UseHelloCertificatesAsSmartCardCertificates
-------UseBiometrics
-------Biometrics
----------UseBiometrics
----------FacialFeatureUse
-------DeviceUnlock
----------GroupA
----------GroupB
----------Plugins
-------DynamicLock
----------DynamicLock
----------Plugins
-------SecurityKey
----------UseSecurityKeyForSignin
```
<a href="" id="passportforwork"></a>**PassportForWork**
Root node for PassportForWork configuration service provider.

20
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -42,9 +42,25 @@ The Policy configuration service provider has the following sub-categories:
> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![policy csp diagram.](images/provisioning-csp-policy.png)
```console
./Vendor/MSFT
Policy
-------Config
----------AreaName
-------------PolicyName
-------Result
----------AreaName
-------------PolicyName
-------ConfigOperations
----------ADMXInstall
-------------AppName
----------------Policy
------------------UniqueID
----------------Preference
------------------UniqueID
```
<a href="" id="--vendor-msft-policy"></a>**./Vendor/MSFT/Policy**

3
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

@ -1551,7 +1551,8 @@ ADMX Info:
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>

53
windows/client-management/mdm/pxlogical-csp.md
View File

@ -19,15 +19,56 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png)
```console
PXLOGICAL
----DOMAIN
----NAME
----PORT
-------PORTNBR
-------SERVICE
----PUSHENABLED
----PROXY-ID
----TRUST
----PXPHYSICAL
-------DOMAIN
-------PHYSICAL-PROXY-ID
-------PORT
---------PORTNBR
---------SERVICE
-------PUSHENABLED
-------PXADDR
-------PXADDRTYPE
-------TO-NAPID
```
The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png)
The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
```console
PXLOGICAL
--PROXY-ID
----DOMAIN
----NAME
----PORT
-------PORTNBR
-------SERVICE
----PUSHENABLED
----TRUST
----PXPHYSICAL
-------PHYSICAL-PROXY-ID
----------DOMAIN
----------PORT
-------------PORTNBR
-------------SERVICE
----------PUSHENABLED
----------PXADDR
----------PXADDRTYPE
----------TO-NAPID
```
<a href="" id="pxphysical"></a>**PXPHYSICAL**
Defines a group of logical proxy settings.
@ -37,7 +78,7 @@ The element's mwid attribute is a Microsoft provisioning XML attribute, and is o
<a href="" id="domain"></a>**DOMAIN**
Specifies the domain associated with the proxy (for example, "\*.com").
A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon delimited string of all domains associated with the proxy.
A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy.
<a href="" id="name"></a>**NAME**
Specifies the name of the logical proxy.

14
windows/client-management/mdm/securitypolicy-csp.md
View File

@ -23,9 +23,13 @@ The SecurityPolicy configuration service provider is used to configure security
For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
The following shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png)
```console
./Vendor/MSFT
SecurityPolicy
----PolicyID
```
<a href="" id="policyid"></a>***PolicyID***
Defines the security policy identifier as a decimal value.
@ -48,7 +52,7 @@ The following security policies are supported.
<tbody>
<tr class="odd">
<td><p>4104</p>
<p>Hex:1008</p></td>
<p>Hex: 1008</p></td>
<td><p>TPS Policy</p></td>
<td><p>This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.</p>
<p>Default value: 1</p>
@ -58,7 +62,7 @@ The following security policies are supported.
</tr>
<tr class="even">
<td><p>4105</p>
<p>Hex:1009</p></td>
<p>Hex: 1009</p></td>
<td><p>Message Authentication Retry Policy</p></td>
<td><p>This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.</p>
<p>Default value: 3</p>
@ -66,7 +70,7 @@ The following security policies are supported.
</tr>
<tr class="odd">
<td><p>4108</p>
<p>Hex:100c</p></td>
<p>Hex: 100c</p></td>
<td><p>Service Loading Policy</p></td>
<td><p>This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.</p>
<p>Default value: 256 (SECROLE_KNOWN_PPG)</p>

82
windows/client-management/mdm/vpn-csp.md
View File

@ -23,7 +23,7 @@ The VPN configuration service provider allows the MDM server to configure the VP
Important considerations:
- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN.
- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is critical for forced tunnel VPN.
- VPN configuration commands must be wrapped with an Atomic command as shown in the example below.
@ -31,9 +31,61 @@ Important considerations:
- For the VPN CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the VPN configuration service provider in tree format.
The following shows the VPN configuration service provider in tree format.
![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png)
```console
./Vendor/MSFT
VPN
-----ProfileName
---------Server
---------TunnelType
---------ThirdParty
-------------Name
-------------AppID
-------------CustomStoreURL
-------------CustomConfiguration
---------RoleGroup
---------Authentication
-------------Method
-------------Certificate
---------------Issuer
---------------EKU
---------------CacheLifeTimeProtectedCert
-------------MultiAuth
---------------StartURL
---------------EndURL
-------------EAP
---------Proxy
-------------Automatic
-------------Manual
---------------Server
---------------Port
-------------BypassProxyforLocal
---------SecuredResources
-------------AppPublisherNameList
---------------AppPublisherName
-------------AppAllowedList
---------------AppAllowedList
-------------NetworkAllowedList
---------------NetworkAllowedList
-------------NameSapceAllowedList
---------------NameSapceAllowedList
-------------ExcudedAppList
---------------ExcudedAppList
-------------ExcludedNetworkList
---------------ExcludedNetworkList
-------------ExcludedNameSpaceList
---------------ExcludedNameSpaceList
-------------DNSSuffixSearchList
---------------DNSSuffixSearchList
---------Policies
-------------RememberCredentials
-------------SplitTunnel
-------------BypassforLocal
-------------TrustedNetworkDetection
-------------ConnectionType
---------DNSSuffix
```
<a href="" id="profilename"></a>***ProfileName***
Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/).
@ -48,12 +100,12 @@ Supported operations are Get, Add, and Replace.
Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com.
<a href="" id="tunneltype"></a>**TunnelType**
Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
Optional, but required when deploying a third-party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
Value type is chr. Supported operations are Get and Add.
<a href="" id="thirdparty"></a>**ThirdParty**
Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
Optional, but required if deploying third-party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
Supported operations are Get and Add.
@ -73,17 +125,17 @@ Valid values:
- Checkpoint Mobile VPN
<a href="" id="thirdparty-appid"></a>**ThirdParty/AppID**
Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="thirdparty-customstoreurl"></a>**ThirdParty/CustomStoreURL**
Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app.
Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="thirdparty-customconfiguration"></a>**ThirdParty/CustomConfiguration**
Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
Optional. This is an HTML encoded XML blob for SSL-VPN plugin-specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
Value type is char. Supported operations are Get, Add, Replace, and Delete.
@ -98,7 +150,7 @@ Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a col
Supported operations are Get and Add.
<a href="" id="authentication-method"></a>**Authentication/Method**
Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
Required for IKEv2 profiles and optional for third-party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
Supported operations are Get and Add.
@ -114,7 +166,7 @@ Optional node. A collection of nodes that enables simpler authentication experie
Supported operations are Get and Add.
<a href="" id="authentication-certificate-issuer"></a>**Authentication/Certificate/Issuer**
Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering.
Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used with EKU for more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@ -123,7 +175,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.
 
<a href="" id="authentication-certificate-eku"></a>**Authentication/Certificate/EKU**
Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering.
Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this with ISSUER for a more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@ -175,16 +227,16 @@ Default is False.
Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported..
<a href="" id="securedresources-appallowedlist-appallowedlist"></a>**SecuredResources/AppAllowedList/AppAllowedList**
Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps.
Optional. Specifies one or more ProductIDs for the enterprise line-of-business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is autotriggered, VPN is triggered automatically by these apps.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Value type is chr.
Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u.
<a href="" id="securedresources-networkallowedlist-networkallowedlist"></a>**SecuredResources/NetworkAllowedList/NetworkAllowedList**
Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, theyll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks.
Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, theyll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is autotriggered, the VPN is triggered automatically by these protected networks.
Supported operations are Get, Add, Replace, and Delete.
@ -202,7 +254,7 @@ Value type is chr.
An example is \*.corp.contoso.com.
<a href="" id="securedresources-excluddedapplist-excludedapplist"></a>**SecuredResources/ExcluddedAppList/ExcludedAppList**
Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
Optional. Specifies one or more ProductIDs for enterprise line-of-business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
Supported operations are Get, Add, Replace, and Delete.

14
windows/client-management/mdm/w4-application-csp.md
View File

@ -21,11 +21,17 @@ The default security roles are defined in the root characteristic, and map to ea
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application.
 
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning.
![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png)
```console
APPLICATION
----APPID
----NAME
----TO-PROXY
----TO-NAPID
----ADDR
----MS
```
<a href="" id="appid"></a>**APPID**
Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".

32
windows/client-management/mdm/w7-application-csp.md
View File

@ -19,11 +19,37 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
The following image shows the configuration service provider in tree format as used by OMA Client Provisioning.
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png)
```console
APPLICATION
---APPADDR
------ADDR
------ADDRTYPE
------PORT
---------PORTNBR
---APPAUTH
------AAUTHDATA
------AAUTHLEVEL
------AAUTHNAME
------AAUTHSECRET
------AAUTHTYPE
---AppID
---BACKCOMPATRETRYDISABLED
---CONNRETRYFREQ
---DEFAULTENCODING
---INIT
---INITIALBACKOFTIME
---MAXBACKOFTIME
---NAME
---PROTOVER
---PROVIDER-ID
---ROLE
---TO-NAPID
---USEHWDEVID
---SSLCLIENTCERTSEARCHCRITERIA
```
> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML.

17
windows/client-management/mdm/wifi-csp.md
View File

@ -29,9 +29,22 @@ Programming considerations:
- For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure.
The following image shows the WiFi configuration service provider in tree format.
The following shows the WiFi configuration service provider in tree format.
```console
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
WiFi
---Profile
------SSID
---------WlanXML
---------Proxy
---------ProxyPacUrl
---------ProxyWPAD
---------WiFiCost
```
![wi-fi csp diagram.](images/provisioning-csp-wifi.png)
The following list shows the characteristics and parameters.

20
windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
View File

@ -17,9 +17,25 @@ ms.date: 11/01/2017
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png)
```console
./Device/Vendor/MSFT
WindowsAdvancedThreatProtection
----Onboarding
----HealthState
--------LastConnected
--------SenseIsRunning
--------OnboardingState
--------OrgId
----Configuration
--------SampleSharing
--------TelemetryReportingFrequency
----Offboarding
----DeviceTagging
--------Group
--------Criticality
```
The following list describes the characteristics and parameters.

94
windows/client-management/mdm/wmi-providers-supported-in-windows.md
View File

@ -86,19 +86,19 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones" data-raw-source="[&lt;strong&gt;MDM_BrowserSecurityZones&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones)"><strong>MDM_BrowserSecurityZones</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings" data-raw-source="[&lt;strong&gt;MDM_BrowserSettings&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings)"><strong>MDM_BrowserSettings</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate" data-raw-source="[&lt;strong&gt;MDM_Certificate&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate)"><strong>MDM_Certificate</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment" data-raw-source="[&lt;strong&gt;MDM_CertificateEnrollment&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment)"><strong>MDM_CertificateEnrollment</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-client" data-raw-source="[&lt;strong&gt;MDM_Client&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client)"><strong>MDM_Client</strong></a></td>
@ -106,7 +106,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting" data-raw-source="[&lt;strong&gt;MDM_ConfigSetting&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting)"><strong>MDM_ConfigSetting</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo" data-raw-source="[&lt;strong&gt;MDM_DeviceRegistrationInfo&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo)"><strong>MDM_DeviceRegistrationInfo</strong></a></td>
@ -114,11 +114,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy" data-raw-source="[&lt;strong&gt;MDM_EASPolicy&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy)"><strong>MDM_EASPolicy</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority" data-raw-source="[&lt;strong&gt;MDM_MgMtAuthority&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority)"><strong>MDM_MgMtAuthority</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><strong>MDM_MsiApplication</strong></td>
@ -138,7 +138,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions" data-raw-source="[&lt;strong&gt;MDM_Restrictions&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions)"><strong>MDM_Restrictions</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser" data-raw-source="[&lt;strong&gt;MDM_RestrictionsUser&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser)"><strong>MDM_RestrictionsUser</strong></a></td>
@ -146,7 +146,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus" data-raw-source="[&lt;strong&gt;MDM_SecurityStatus&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus)"><strong>MDM_SecurityStatus</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader" data-raw-source="[&lt;strong&gt;MDM_SideLoader&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader)"><strong>MDM_SideLoader</strong></a></td>
@ -158,11 +158,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates" data-raw-source="[&lt;strong&gt;MDM_Updates&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates)"><strong>MDM_Updates</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger" data-raw-source="[&lt;strong&gt;MDM_VpnApplicationTrigger&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger)"><strong>MDM_VpnApplicationTrigger</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><strong>MDM_VpnConnection</strong></td>
@ -174,27 +174,27 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile" data-raw-source="[&lt;strong&gt;MDM_WirelessProfile&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile)"><strong>MDM_WirelessProfile</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml" data-raw-source="[&lt;strong&gt;MDM_WirelesssProfileXML&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml)"><strong>MDM_WirelesssProfileXML</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel" data-raw-source="[&lt;strong&gt;MDM_WNSChannel&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel)"><strong>MDM_WNSChannel</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration" data-raw-source="[&lt;strong&gt;MDM_WNSConfiguration&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration)"><strong>MDM_WNSConfiguration</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile" data-raw-source="[&lt;strong&gt;MSFT_NetFirewallProfile&lt;/strong&gt;](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile)"><strong>MSFT_NetFirewallProfile</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection" data-raw-source="[&lt;strong&gt;MSFT_VpnConnection&lt;/strong&gt;](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection)"><strong>MSFT_VpnConnection</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct" data-raw-source="[&lt;strong&gt;SoftwareLicensingProduct&lt;/strong&gt;](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct)"><strong>SoftwareLicensingProduct</strong></a></td>
@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
|--------------------------------------------------------------------------|------------------------------------------|
[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark.](images/checkmark.png)
[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark.](images/checkmark.png)
[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes
[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes
[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png)
[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png)
[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark.](images/checkmark.png)
[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes
[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes
[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes
[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark.](images/checkmark.png)
[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark.](images/checkmark.png)
[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes
[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes
[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png)
[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes
[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark.](images/checkmark.png)
[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes
[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark.](images/checkmark.png)
[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes
[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png)
[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes
[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png)
[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes
[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark.](images/checkmark.png)
[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes
[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark.](images/checkmark.png)
[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png)
[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes
[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes
[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark.](images/checkmark.png)
[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark.](images/checkmark.png)
[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes
[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes
[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark.](images/checkmark.png)
[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes
[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark.](images/checkmark.png)
[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes
[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark.](images/checkmark.png)
[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes
[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark.](images/checkmark.png)
[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes
[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** |