deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #762 from MicrosoftDocs/FromPrivateRepo

Browse Source 
From private repo
This commit is contained in:
Alma Jenks 2018-04-20 15:41:28 -07:00 committed by GitHub
commit 6063d63f28
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 285 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
browsers/edge/available-policies.md
View File

@ -3,12 +3,13 @@ description: Microsoft Edge works with Group Policy and Microsoft Intune to help
ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165
author: shortpatti author: shortpatti
ms.author: pashort ms.author: pashort
manager: elizapo
ms.prod: edge ms.prod: edge
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 4/5/2018 #Previsou release date 09/13/2017 ms.date: 4/20/2018 #Previous release date 09/13/2017
--- ---
# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
@ -73,20 +74,6 @@ Your browsing data is the information that Microsoft Edge remembers and stores a
|Data type | Integer | |Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.</li><li>**1** - Browsing data is cleared on exit.</li></ul> | |Allowed values |<ul><li>**0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.</li><li>**1** - Browsing data is cleared on exit.</li></ul> |
## Allow configuration updates for the Books Library
>*Supporteded versions: Windows 10*
Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data.
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[AllowConfigurationUpdateForBooksLibrary ](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |
|Supported devices |Desktop |
|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Disable. Microsoft Edge cannot retrieve a configuration.</li><li>**1 (default)** - Enable (default). Microsoft Edge can retrieve a configuration for Books Library.</li></ul> |
## Allow Cortana ## Allow Cortana
>*Supported versions: Windows 10, version 1607 or later* >*Supported versions: Windows 10, version 1607 or later*
@ -117,19 +104,6 @@ F12 developer tools is a suite of tools to help you build and debug your webpage
|Data type | Integer | |Data type | Integer |
|Allowed values |<ul><li>**0** - The F12 Developer Tools are disabled.</li><li>**1 (default)** - The F12 Developer Tools are enabled.</li></ul> | |Allowed values |<ul><li>**0** - The F12 Developer Tools are disabled.</li><li>**1 (default)** - The F12 Developer Tools are enabled.</li></ul> |
## Allow extended telemetry for the Books tab
>*Supporteded versions: Windows 10*
If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft.
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |
|Supported devices |Desktop<br>Mobile |
|URI full path | ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry |
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Disable. Only basic diagnostic data is sent.</li><li>**1** - Enable. Both Basic and additional diagnostic data is sent.</li></ul> |
## Allow Extensions ## Allow Extensions
>*Supporteded versions: Windows 10, version 1607 or later* >*Supporteded versions: Windows 10, version 1607 or later*
@ -197,7 +171,7 @@ This policy setting lets you configure what appears when a New Tab page is opene
## Always Enable book library ## Always Enable book library
>*Supporteded versions: Windows 10* >*Supporteded versions: Windows 10, version 1709 or later*
This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation. This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation.
@ -598,19 +572,7 @@ This policy setting specifies whether you see an additional page in Microsoft Ed
|Data type | Integer | |Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul> | |Allowed values |<ul><li>**0 (default)** - Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul> |
## User shared folder for books
>*Supported versions: Windows 10*
This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks |
|Data type | Integer |
|Allowed values |<ul><li>**0** - No shared folder.</li><li>**1** - Use as shared folder.</li></ul> |
## Related topics ## Related topics

5
devices/surface-hub/device-reset-surface-hub.md
View File

@ -60,6 +60,9 @@ If you see a blank screen for long periods of time during the **Reset device** p
In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support. In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support.
>[!NOTE]
>The **Recover from the cloud** process requires an open internet connection (no proxy, or other authentications). An ethernet connection is recommended.
### Recover a Surface Hub in a bad state ### Recover a Surface Hub in a bad state
If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem. If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem.
@ -77,8 +80,6 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. 1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
2. The device should automatically boot into Windows RE. 2. The device should automatically boot into Windows RE.
3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) 3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.)
>[!NOTE]
>When using **Recover from the cloud**, an ethernet connection is recommended.
![Recover from the cloud](images/recover-from-cloud.png) ![Recover from the cloud](images/recover-from-cloud.png)

2
windows/client-management/mdm/TOC.md
View File

@ -70,6 +70,8 @@
## [Configuration service provider reference](configuration-service-provider-reference.md) ## [Configuration service provider reference](configuration-service-provider-reference.md)
### [AccountManagement CSP](accountmanagement-csp.md) ### [AccountManagement CSP](accountmanagement-csp.md)
#### [AccountManagement DDF file](accountmanagement-ddf.md) #### [AccountManagement DDF file](accountmanagement-ddf.md)
### [Accounts CSP](accounts-csp.md)
#### [Accounts DDF file](accounts-ddf-file.md)
### [ActiveSync CSP](activesync-csp.md) ### [ActiveSync CSP](activesync-csp.md)
#### [ActiveSync DDF file](activesync-ddf-file.md) #### [ActiveSync DDF file](activesync-ddf-file.md)
### [AllJoynManagement CSP](alljoynmanagement-csp.md) ### [AllJoynManagement CSP](alljoynmanagement-csp.md)

51
windows/client-management/mdm/accounts-csp.md Normal file
View File

@ -0,0 +1,51 @@
---
title: Accounts CSP
description: The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group.
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 04/17/2018
---
# Accounts CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group. This CSP was added in Windows 10, version 1803.
The following diagram shows the Accounts configuration service provider in tree format.
![Accounts CSP diagram](images/provisioning-csp-accounts.png)
<a href="" id="accounts"></a>**./Device/Vendor/MSFT/Accounts**
Root node.
<a href="" id="domain"></a>**Domain**
Interior node for the account domain information.
<a href="" id="domain-computername"></a>**Domain/ComputerName**
This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%.
Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.
Supported operation is Add.
<a href="" id="users"></a>**Users**
Interior node for the user account information.
<a href="" id="users-username"></a>**Users/_UserName_**
This node specifies the username for a new local user account. This setting can be managed remotely.
<a href="" id="users-username-password"></a>**Users/_UserName_/Password**
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
<a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.

179
windows/client-management/mdm/accounts-ddf-file.md Normal file
View File

@ -0,0 +1,179 @@
---
title: Accounts DDF file
description: XML file containing the device description framework
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 04/17/2018
---
# Accounts CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider.
The XML below is for Windows 10, version 1803.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Accounts</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
<MIME>com.microsoft/1.0/MDM/Accounts</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Domain</NodeName>
<DFProperties>
<AccessType>
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ComputerName</NodeName>
<DFProperties>
<AccessType>
<Add />
</AccessType>
<Description>This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:&lt;# of digits&gt;% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ComputerName</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Users</NodeName>
<DFProperties>
<AccessType>
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
</AccessType>
<Description>This node specifies the username for a new local user account. This setting can be managed remotely.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>UserName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Password</NodeName>
<DFProperties>
<AccessType>
<Add />
</AccessType>
<Description>This node specifies the password for a new local user account. This setting can be managed remotely. </Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Password</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LocalUserGroup</NodeName>
<DFProperties>
<AccessType>
<Add />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```

30
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 03/23/2018 ms.date: 04/20/2018
--- ---
# Configuration service provider reference # Configuration service provider reference
@ -64,6 +64,34 @@ Footnotes:
<!--EndSKU--> <!--EndSKU-->
<!--EndCSP--> <!--EndCSP-->
<!--StartCSP-->
[Accounts CSP](accounts-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP--> <!--StartCSP-->
[ActiveSync CSP](activesync-csp.md) [ActiveSync CSP](activesync-csp.md)

BIN
windows/client-management/mdm/images/provisioning-csp-accounts.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.9 KiB

9
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1340,7 +1340,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<tr> <tr>
<td style="vertical-align:top">[AccountManagement CSP](accountmanagement-csp.md)</td> <td style="vertical-align:top">[AccountManagement CSP](accountmanagement-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p> <td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</ul>
</td></tr> </td></tr>
<tr> <tr>
<td style="vertical-align:top">[RootCATrustedCertificates CSP](rootcacertificates-csp.md)</td> <td style="vertical-align:top">[RootCATrustedCertificates CSP](rootcacertificates-csp.md)</td>
@ -1356,6 +1355,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>ProxySettingsPerUser</li> <li>ProxySettingsPerUser</li>
</ul> </ul>
</td></tr> </td></tr>
<tr>
<td style="vertical-align:top">[Accounts CSP](accounts-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
</tbody> </tbody>
</table> </table>
@ -1654,6 +1657,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</ul> </ul>
</td></tr> </td></tr>
<tr> <tr>
<td style="vertical-align:top">[Accounts CSP](accounts-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td> <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p> <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
<ul> <ul>

2
windows/client-management/mdm/policy-csp-kioskbrowser.md
View File

@ -223,7 +223,7 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Enables kiosk browser's end session button. When the policy is enabled, the kiosk browser enables a button to reset the browser by navigating back to the default URL and clearing the browsing data (cache, cookies, etc). When the user clicks on the button, the app will prompt the user for confirmation to end the session. Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user clicks on the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk broswser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL.
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->

2
windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -311,7 +311,7 @@ In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data t
### Full level ### Full level
The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro.
Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.

3
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -83,9 +83,6 @@ Follow the [best practices guidance for developing a kiosk app for assigned acce
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)

19
windows/security/identity-protection/vpn/vpn-conditional-access.md
View File

@ -7,9 +7,10 @@ ms.sitesec: library
ms.pagetype: security, networking ms.pagetype: security, networking
author: shortpatti author: shortpatti
ms.author: pashort ms.author: pashort
manager: elizapo
ms.reviewer: ms.reviewer:
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 04/17/2018 ms.date: 04/20/2018
--- ---
# VPN and conditional access # VPN and conditional access
@ -44,14 +45,13 @@ Conditional Access Platform components used for Device Compliance include the fo
- Encryption compliance - Encryption compliance
- Device health attestation state (validated against attestation service after query) - Device health attestation state (validated against attestation service after query)
The following client-side components are also required: The following client-side components are also required:
- [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx) - [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx)
- [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings - [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings
- Trusted Platform Module (TPM) - Trusted Platform Module (TPM)
## VPN device compliance ## VPN device compliance
According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certs to the NTAuth store in on-prem AD, your user's cloud cert will chain and KDC will issue TGT and TGS tickets to them. According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certificates to the NTAuth store in on-prem AD, your user's cloud certificate will chain and KDC will issue TGT and TGS tickets to them.
Server-side infrastructure requirements to support VPN device compliance include: Server-side infrastructure requirements to support VPN device compliance include:
@ -77,6 +77,10 @@ Two client-side configuration service providers are leveraged for VPN device com
- Provisions the Health Attestation Certificate received from the HAS - Provisions the Health Attestation Certificate received from the HAS
- Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
>[!NOTE]
>Enabling SSO is not necessarily required unless you want VPN users to be issued Kerberos tickets to access on-premises resources using a certificate issued by the on-premises CA; not the cloud certificate issued by AAD.
## Client connection flow ## Client connection flow
The VPN client side connection flow works as follows: The VPN client side connection flow works as follows:
@ -94,13 +98,6 @@ When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Ena
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
![conditional access in profile](images/vpn-conditional-access-intune.png)
>[!NOTE]
>In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profiles successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the users device yet.
## Learn more about Conditional Access and Azure AD Health ## Learn more about Conditional Access and Azure AD Health
- [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/) - [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/)
@ -112,9 +109,7 @@ The following image shows conditional access options in a VPN Profile configurat
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
## Related topics ## Related topics
- [VPN technical guide](vpn-guide.md) - [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md) - [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md) - [VPN routing decisions](vpn-routing.md)