From 6ca623063c8a755d0b2fea8a9f5e77590ac02e3f Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 26 Oct 2023 10:25:49 -0400 Subject: [PATCH] CloudDesktop CSP Changes --- .../client-management/mdm/clouddesktop-csp.md | 174 +++++++++++++----- .../mdm/clouddesktop-ddf-file.md | 56 +++++- .../mdm/personalization-csp.md | 125 ++++++++++++- .../mdm/personalization-ddf.md | 90 ++++++++- 4 files changed, 388 insertions(+), 57 deletions(-) diff --git a/windows/client-management/mdm/clouddesktop-csp.md b/windows/client-management/mdm/clouddesktop-csp.md index 81b438b379..5c33e0afc1 100644 --- a/windows/client-management/mdm/clouddesktop-csp.md +++ b/windows/client-management/mdm/clouddesktop-csp.md @@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/23/2023 +ms.date: 10/25/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -26,16 +26,70 @@ ms.topic: reference The following list shows the CloudDesktop configuration service provider nodes: - ./Device/Vendor/MSFT/CloudDesktop + - [BootToCloudPCEnhanced](#boottocloudpcenhanced) - [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode) + +## BootToCloudPCEnhanced + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/CloudDesktop/BootToCloudPCEnhanced +``` + + + + +This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured. | +| 1 | Enable Boot to Cloud Shared PC Mode. | +| 2 | Enable Boot to Cloud Personal Mode (Cloud only). | + + + + + + + + ## EnableBootToCloudSharedPCMode +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.22631.2050] | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | 
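Review bot: The new BootToCloudPCEnhanced description should state what value 2 does not do, because this hunk deprecates EnableBootToCloudSharedPCMode and points readers to the new node as its replacement. The technical reference in the next hunk of this file shows that Personal mode (value 2) applies only four MDM policies and four local group policies, leaving biometrics, Windows Hello, convenience PIN, Task Manager and the standard-user elevation prompt at their defaults and not setting the password credential provider, whereas Shared PC mode (value 1) locks all of these down. A sentence such as "Personal mode does not apply the Shared PC lockdown policies; configure them separately if your scenario requires them" would stop administrators from assuming the two values are equally hardened. Two smaller points: the deprecation note on EnableBootToCloudSharedPCMode should name BootToCloudPCEnhanced as the replacement, and the applicability row for the old node drops the concrete build `[10.0.22631.2050]` in favour of a bare "Windows Insider Preview", which removes the only version number readers had for it; confirm that is intended. Grammar in the description: "This node allows to configure" should read "This node configures", "sign-in" used as a verb should be "sign in", "various authentication mechanism" should be "mechanisms", and "For ex." should be "for example".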
@@ -80,66 +134,86 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to -## EnableBootToCloudSharedPCMode technical reference +## BootToCloudPCEnhanced technical reference -EnableBootToCloudSharedPCMode setting is used to configure **Boot to Cloud** feature for shared user mode. When you enable this setting, multiple policies are applied to achieve the intended behavior. +BootToCloudPCEnhanced is the setting used to configure **Boot to Cloud** feature either for shared mode or personal mode. When you enable this setting, multiple policies are applied to achieve the intended behavior. If you wish to customize the **Boot to Cloud** experience, you can utilize the [BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) policy, which provides the flexibility to tailor the experience according to your requirements. > [!NOTE] -> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared user mode. +> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared and personal mode. 
-### MDM Policies +### Boot to Cloud Shared PC Mode -When this mode is enabled, these MDM policies are applied for the Device scope (all users): +When the Shared PC mode is enabled by setting BootToCloudPCEnhanced value to 1: -| Setting | Value | Value Description | -|----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------| -| [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop | -| [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell | -| [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider | -| [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list | -| [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached | +- Following MDM policies are applied for the Device scope (all users): -### Group Policies + | Setting | Value | Value Description | + |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------| + | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop | + | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell | + | [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider | + | 
[ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list | + | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached | -When this mode is enabled, these local group policies are configured for all users: +- Following local group policies are configured for all users: -| Policy setting | Status | -|------------------------------------------------------------------------------------------------------------------------|---------------------------------------| -| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests | -| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled | -| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled | -| System/Logon/Block user from showing account details on sign-in | Enabled | -| System/Logon/Enumerate local users on domain-joined computers | Disabled | -| System/Logon/Hide entry points for Fast User Switching | Enabled | -| System/Logon/Show first sign-in animation | Disabled | -| System/Logon/Turn off app notifications on the lock screen | Enabled | -| System/Logon/Turn off picture password sign-in | Enabled | -| System/Logon/Turn on convenience PIN sign-in | Disabled | -| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled | -| Windows Components/Biometrics/Allow the use of biometrics | Disabled | -| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled | -| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled | -| Windows Components/File Explorer/Show lock in the user tile menu | Disabled | -| Windows Components/File History/Turn off File 
History | Enabled | -| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled | -| Windows Components/Windows Hello for Business/Use biometrics | Disabled | -| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled | -| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled | -| Windows Components/Microsoft Passport for Work | Disabled | -| System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled | -| System/Ctrl+Alt+Del Options/Remove Change Password | Enabled | -| Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled | -| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled | -| System/Logon/Do not process the legacy run list | Enabled | + | Policy setting | Status | + |------------------------------------------------------------------------------------------------------------------------|---------------------------------------| + | Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests | + | Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled | + | Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled | + | System/Logon/Block user from showing account details on sign-in | Enabled | + | System/Logon/Enumerate local users on domain-joined computers | Disabled | + | System/Logon/Hide entry points for Fast User Switching | Enabled | + | System/Logon/Show first sign-in animation | Disabled | + | System/Logon/Turn off app notifications on the lock screen | Enabled | + | System/Logon/Turn off picture password sign-in | Enabled | + | System/Logon/Turn on convenience PIN sign-in | Disabled | + | Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled | 
+ | Windows Components/Biometrics/Allow the use of biometrics | Disabled | + | Windows Components/Biometrics/Allow users to log on using biometrics | Disabled | + | Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled | + | Windows Components/File Explorer/Show lock in the user tile menu | Disabled | + | Windows Components/File History/Turn off File History | Enabled | + | Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled | + | Windows Components/Windows Hello for Business/Use biometrics | Disabled | + | Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled | + | Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled | + | Windows Components/Microsoft Passport for Work | Disabled | + | System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled | + | System/Ctrl+Alt+Del Options/Remove Change Password | Enabled | + | Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled | + | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled | + | System/Logon/Do not process the legacy run list | Enabled | -### Registry +- Following registry changes are performed: -When this mode is enabled, these registry changes are performed: + | Registry setting | Status | + |----------------------------------------------------------------------------------------------|--------| + | Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 | + | Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 | -| Registry setting | Status | -|----------------------------------------------------------------------------------------------|--------| -| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 | -| Software\Policies\Microsoft\PassportForWork\Enabled (Use 
Microsoft Passport for Work) | 0 | +### Boot to Cloud Personal Mode + +When the Personal mode is enabled by setting BootToCloudPCEnhanced value to 2: + +- Following MDM policies are applied for the Device scope (all users): + + | Setting | Value | Value Description | + |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------| + | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop | + | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell | + | [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list | + | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached | + +- Following local group policies are configured for all users: + + | Policy setting | Status | + |------------------------------------------------------------------------------------------------------------------------|---------------------------------------| + | System/Ctrl+Alt+Del Options/Remove Change Password | Enabled | + | Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled | + | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled | + | System/Logon/Do not process the legacy run list | Enabled | diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md index 8128e3e6e5..daaccf8c6c 100644 --- a/windows/client-management/mdm/clouddesktop-ddf-file.md +++ b/windows/client-management/mdm/clouddesktop-ddf-file.md 
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/29/2023 +ms.date: 10/25/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -45,11 +45,55 @@ The following XML file contains the device description framework (DDF) for the C - 22631.2050 - 1.0 - 0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD; + 99.9.99999 + 9.9 + 0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF; + + BootToCloudPCEnhanced + + + + + + + + 0 + This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching. + + + + + + + + + + Boot to Cloud PC Enhanced + + + + + 99.9.99999 + 9.9 + + + + 0 + Not Configured + + + 1 + Enable Boot to Cloud Shared PC Mode + + + 2 + Enable Boot to Cloud Personal Mode (Cloud only) + + + + EnableBootToCloudSharedPCMode @@ -74,6 +118,9 @@ The following XML file contains the device description framework (DDF) for the C + + 88.8.88888 + false @@ -84,6 +131,7 @@ The following XML file contains the device description framework (DDF) for the C Boot to cloud shared pc mode enabled + 
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 5e4eb9b6d2..febec1248d 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Personalization CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 10/25/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,8 @@ ms.topic: reference # Personalization CSP +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. @@ -28,12 +30,133 @@ The Personalization CSP can set the lock screen and desktop background images. S The following list shows the Personalization configuration service provider nodes: - ./Vendor/MSFT/Personalization + - [CompanyLogoStatus](#companylogostatus) + - [CompanyLogoUrl](#companylogourl) + - [CompanyName](#companyname) - [DesktopImageStatus](#desktopimagestatus) - [DesktopImageUrl](#desktopimageurl) - [LockScreenImageStatus](#lockscreenimagestatus) - [LockScreenImageUrl](#lockscreenimageurl) + +## CompanyLogoStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Personalization/CompanyLogoStatus +``` + + + + +This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get | + + + + + + + + + +## CompanyLogoUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Personalization/CompanyLogoUrl +``` + + + + +A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## CompanyName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Personalization/CompanyName +``` + + + + +The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^.{1,30}$` | + + + + + + + + ## DesktopImageStatus diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index a57ddb1e63..d9f8bf627c 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 06/02/2023 +ms.date: 10/25/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.16299 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB; 
@@ -146,6 +146,92 @@ The following XML file contains the device description framework (DDF) for the P + + CompanyLogoUrl + + + + + + + + A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only. + + + + + + + + + + + + + + 99.9.99999 + 2.0 + + + + + + + CompanyLogoStatus + + + + + This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only. + + + + + + + + + + + + + + 99.9.99999 + 2.0 + + + + + CompanyName + + + + + + + + The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only. + + + + + + + + + + + + + + 99.9.99999 + 2.0 + + + ^.{1,30}$ + + + ```
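Review bot: In the clouddesktop-csp.md hunk @@ -80,66 +134,86 @@, renaming the section to "BootToCloudPCEnhanced technical reference" leaves the still-documented (deprecated) EnableBootToCloudSharedPCMode with no statement of which policies it applies; add one line, either under its deprecation note or at the top of this section, saying whether setting it to true applies exactly the set listed under "Boot to Cloud Shared PC Mode" (value 1). The "Boot to Cloud Personal Mode" subsection also has no registry subsection; if leaving the PassportForWork keys untouched is deliberate (consistent with Personal mode allowing PIN and biometrics), say so explicitly so the asymmetry with Shared PC mode is not read as an omission. Note also that `ADMX_Logon/DisableExplorerRunLegacy_2` in the MDM table and "System/Logon/Do not process the legacy run list" in the group policy table describe the same setting in both modes; listing both is fine, but say they are the same underlying policy. Minor: "Following MDM policies are applied", "Following local group policies are configured" and "Following registry changes are performed" should each read "The following ...".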
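Review bot: In the clouddesktop-ddf-file.md hunk @@ -45,11 +45,55 @@, the root MSFT:OsVersion/CspVersion changes from the concrete 22631.2050 / 1.0 to 99.9.99999 / 9.9, and EnableBootToCloudSharedPCMode gains a Deprecated OSVersion of 88.8.88888. If these sentinel values are the repository's convention for Insider-only and deprecated nodes that is fine, but the clouddesktop-csp.md hunk in the same patch removes the concrete build from the applicability table at the same time, so neither the DDF nor the page any longer records the build in which the original node shipped; consider keeping the concrete version on EnableBootToCloudSharedPCMode's own node entry. Also, the DDF description for BootToCloudPCEnhanced is copied verbatim from the csp.md page, including "This node allows to configure" and "various authentication mechanism"; fix the grammar in the source and regenerate the other copy so the two stay in sync.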
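Review bot: In the personalization-csp.md hunk @@ -28,12 +30,133 @@, CompanyLogoUrl accepts a plain http URL for an image that is downloaded and rendered on the sign-in screen of a shared device. The description should recommend https (or a file URL to a path that only administrators can write to) and say what validation the download performs beyond the file extension: CompanyLogoStatus value 4, "Unknown file type", implies a check exists, but the page does not say what it checks. An image fetched over http can be replaced on-path, and attacker-controlled content on the sign-in screen of a shared kiosk is a phishing surface, so a short caveat here is worth more than in a separate security article. Typo: "neeeds" should be "needs", and "A http or https Url" should be "An http or https URL"; the same description string is duplicated in the personalization-ddf.md hunk @@ -146,6 +146,92 @@, so fix both. Also, CompanyName's allowed-value regex `^.{1,30}$` bounds only the length; if the name is rendered verbatim on the sign-in screen, state that it is displayed as plain text. Finally, "currently available for boot to cloud shared pc mode only" appears three times without a link; link it to the CloudDesktop CSP node these settings depend on.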