Merge remote-tracking branch 'refs/remotes/origin/master' into atp-tomeralpert

2025-06-22 13:53:39 +00:00 · 2017-05-31 13:15:52 -07:00
parent 0811b4057a 74ec47d91b
commit 6d4a3b38d8
8 changed files with 354 additions and 131 deletions
--- a/windows/access-protection/enterprise-certificate-pinning.md
+++ b/windows/access-protection/enterprise-certificate-pinning.md
@ -71,141 +71,41 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ
 The PinRules element can have the following attributes. 
 For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml). 

- **Duration** or **NextUpdate**
-
-    Specifies when the Pin Rules will expire. 
-    Either is required. 
-    **NextUpdate** takes precedence if both are specified. 
-    
-    **Duration**, represented as an XML TimeSpan data type, does not allow years and months. 
-    You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. 
-    
-    **Required?** Yes. At least one is required.
-
- **LogDuration** or **LogEndDate**
-
-    Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
-    
-    **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. 
-    
-    You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. 
-    
-    If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes.
-    
-    **Required?** No.
-
- **ListIdentifier**
-
-    Provides a friendly name for the list of pin rules. 
-    Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL).
-
-    **Required?** No.
+| Attribute | Description | Required |
+|-----------|-------------|----------|
+|  **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified. <br>  **Duration**, represented as an XML TimeSpan data type, does not allow years and months. You represent the **NextUpdate** attribute as a XML DateTime data type in UTC.  | **Required?** Yes. At least one is required. |
+| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. <br>  **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. <br>  You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. <br>  If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | 
+| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). | No. |

 #### PinRule Element    

-The **PinRule** element can have the following attributes: 
+The **PinRule** element can have the following attributes. 

- **Name**
-
-    Uniquely identifies the **PinRule**. 
-    Windows uses this attribute to identify the element for a parsing error or for verbose output. 
-    The attribute is not included in the generated certificate trust list (CTL).
-
-    **Required?** Yes.
-
- **Error**
-
-    Describes the action Windows performs when it encounters a PIN mismatch. 
-    You can choose from the following string values:
-        - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
-        - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
-        - **None** - The default value.  No error is returned. You can use this setting to audit the pin rules without introducing any user friction.      
-
-    **Required?** No.
-
- **Log**  
-
-    A Boolean value represent as string that equals **true** or **false**. 
-    By default, logging is enabled (**true**).
-
-    **Required?** No.
+| Attribute | Description | Required |
+|-----------|-------------|----------|
+| **Name**  | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute is not included in the generated certificate trust list (CTL). | Yes.|
+| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values: <br>- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. <br>- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site. <br>- **None** - The default value.  No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. |
+| **Log** | A Boolean value represent as string that equals **true** or **false**. By default, logging is enabled (**true**). | No. |

 #### Certificate element 

-The **Certificate** element can have the following attributes:
+The **Certificate** element can have the following attributes.

- **File**
-
-    Path to a file containing one or more certificates. 
-    Where the certificate(s) can be encoded as:
-        - single certificate
-        - p7b
-        - sst.
-
-    These files can also be Base64 formatted. 
-    All **Site** elements included in the same **PinRule** element can match any of these certificates.
-    
-    **Required?** Yes (File, Directory or Base64 must be present).
-
- **Directory** 
-
-    Path to a directory containing one or more of the above certificate files. 
-    Skips any files not containing any certificates.    
-
-    **Required?** Yes (File, Directory or Base64 must be present).
-
- **Base64**
-
-    Base64 encoded certificate(s). 
-    Where the certificate(s) can be encoded as:
-        - single certificate
-        - p7b
-        - sst.
-
-    This allows the certificates to be included in the XML file without a file directory dependency.
-
-    > [!Note]
-    > You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule.    
-
-    **Required?** Yes (File, Directory or Base64 must be present).
-
- **EndDate** 
-
-    Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.  
-
-    If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
-
-    If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
-
-    For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).
-
-    **Required?** No. 
+| Attribute | Description | Required |
+|-----------|-------------|----------|
+| **File**  | Path to a file containing one or more certificates.  Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br>- sst <br> These files can also be Base64 formatted.  All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory or Base64 must be present). |
+| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory or Base64 must be present). | 
+| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br> - sst <br> This allows the certificates to be included in the XML file without a file directory dependency. <br> Note: <br> You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule.  | Yes (File, Directory or Base64 must be present). |
+| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. <br>If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.<br> If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.<br> For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|

 #### Site element

-The **Site** element can have the following attributes:
+The **Site** element can have the following attributes.

- **Domain** 
-
-    Contains the DNS name to be matched for this pin rule. 
-    When creating the certificate trust list, the parser normalizes the input name string value as follows:
-        - If the DNS name has a leading "*" it is removed.
-        - Non-ASCII DNS name are converted to ASCII Puny Code.
-        - Upper case ASCII characters are converted to lower case.
-
-    If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. 
-    For example, ".xyz.com" would match "abc.xyz.com".
-
-    **Required?** Yes.
-
- **AllSubdomains**
-
-    By default, wildcard left hand label matching is restricted to a single left hand label. 
-    This attribute can be set to "true" to enable wildcard matching of all of the left hand labels. 
-    
-    For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.
-    
-    **Required?** No. 
+| Attribute | Description | Required |
+|-----------|-------------|----------|
+| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows: <br>- If the DNS name has a leading "*" it is removed. <br>- Non-ASCII DNS name are converted to ASCII Puny Code. <br>- Upper case ASCII characters are converted to lower case. <br>If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
+| **AllSubdomains** | By default, wildcard left hand label matching is restricted to a single left hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.<br>For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.|
    
 ### Create a Pin Rules Certificate Trust List

@ -302,10 +202,6 @@ Sign-in to the reference computer using domain administrator equivalent credenti

 To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.

-```code
-HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
-```
-
 | Name | Value |
 |------|-------|
 | Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config |
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@ -141,6 +141,7 @@
 #### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
 #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
 ### [FileSystem CSP](filesystem-csp.md)
+### [Firewall CSP](firewall-csp.md)
 ### [HealthAttestation CSP](healthattestation-csp.md)
 #### [HealthAttestation DDF](healthattestation-ddf.md)
 ### [HotSpot CSP](hotspot-csp.md)
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -13,7 +13,13 @@ author: nickbrower

 A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.

-For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). See the [list of CSPs supported in Windows Holographic](#hololens) and the [list of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) for additional information.
+For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). 
+
+Additional lists:
+- [List of CSPs supported in Windows Holographic](#hololens)
+- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport)
+- [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport)
+- [List of CSPs supported in Windows 10 S](#windows10s)

 The following tables show the configuration service providers support in Windows 10.  

@ -2426,4 +2432,55 @@ Footnotes:
 - [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
 - [Update CSP](update-csp.md)
 - [VPNv2 CSP](vpnv2-csp.md)
- [WiFi CSP](wifi-csp.md)
+- [WiFi CSP](wifi-csp.md)
+
+## <a href="" id="windows10s"></a>CSPs supported in Windows 10 S
+
+The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that Office CSP and EnterpriseDesktop CSP are not available in Windows 10 S. Here is the list:
+
+- [ActiveSync CSP](activesync-csp.md)
+- [APPLICATION CSP](application-csp.md)
+- [AppLocker CSP](applocker-csp.md)
+- [BOOTSTRAP CSP](bootstrap-csp.md)
+- [CellularSettings CSP](cellularsettings-csp.md)
+- [CertificateStore CSP](certificatestore-csp.md)
+- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
+- [CM_CellularEntries CSP](cm-cellularentries-csp.md)
+- [Defender CSP](defender-csp.md)
+- [DevDetail CSP](devdetail-csp.md)
+- [DeviceManageability CSP](devicemanageability-csp.md)
+- [DeviceStatus CSP](devicestatus-csp.md)
+- [DevInfo CSP](devinfo-csp.md)
+- [DiagnosticLog CSP](diagnosticlog-csp.md)
+- [DMAcc CSP](dmacc-csp.md)
+- [DMClient CSP](dmclient-csp.md)
+- [EMAIL2 CSP](email2-csp.md)
+- [EnterpriseAPN CSP](enterpriseapn-csp.md)
+- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
+- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
+- [HealthAttestation CSP](healthattestation-csp.md)
+- [NAP CSP](nap-csp.md)
+- [NAPDEF CSP](napdef-csp.md)
+- [NetworkProxy CSP](networkproxy-csp.md)
+- [NodeCache CSP](nodecache-csp.md)
+- [PassportForWork CSP](passportforwork-csp.md)
+- [Policy CSP](policy-configuration-service-provider.md)
+- [Provisioning CSP](provisioning-csp.md)
+- [PROXY CSP](proxy-csp.md)
+- [PXLOGICAL CSP](pxlogical-csp.md)
+- [Reboot CSP](reboot-csp.md)
+- [RemoteFind CSP](remotefind-csp.md)
+- [RemoteWipe CSP](remotewipe-csp.md)
+- [Reporting CSP](reporting-csp.md)
+- [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
+- [SecureAssessment CSP](secureassessment-csp.md)
+- [SecurityPolicy CSP](securitypolicy-csp.md)
+- [SharedPC CSP](sharedpc-csp.md)
+- [Storage CSP](storage-csp.md)
+- [SUPL CSP](supl-csp.md)
+- [Update CSP](update-csp.md)
+- [VPNv2 CSP](vpnv2-csp.md)
+- [WiFi CSP](wifi-csp.md)
+- [Win32AppInventory CSP](win32appinventory-csp.md)
+- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
+- [WindowsLicensing CSP](windowslicensing-csp.md)
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@ -0,0 +1,246 @@
+---
+title: Firewall CSP
+description: Firewall CSP
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Firewall CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device.  Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.  This CSP is new in the next major update to Windows 10.
+ 
+Firewall configuration commands must be wrapped in an Atomic block in SyncML.
+
+The following diagram shows the Firewall configuration service provider in tree format. 
+
+![firewall csp](images/provisioning-csp-firewall.png)
+
+<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/Firewall**
+<p style="margin-left: 20px">Root node for the Firewall configuration service provider.</p>
+
+<a href="" id="mdmstore"></a>**MdmStore**
+<p style="margin-left: 20px">Interior node.</p>
+<p style="margin-left: 20px">Supported operation is Get.</p>
+
+<a href="" id="global"></a>**MdmStore/Global**
+<p style="margin-left: 20px">Interior node.</p>
+<p style="margin-left: 20px">Supported operations are Get and Replace. </p>
+
+<a href="" id="policyversionsupported"></a>**MdmStore/Global/PolicyVersionSupported**
+<p style="margin-left: 20px">DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
+<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
+
+<a href="" id="currentprofiles"></a>**MdmStore/Global/CurrentProfiles**
+<p style="margin-left: 20px">DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE  for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</p>
+<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
+
+<a href="" id="disablestatefulftp"></a>**MdmStore/Global/DisableStatefulFtp**
+<p style="margin-left: 20px">This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace. </p>
+
+<a href="" id="saidletime"></a>**MdmStore/Global/SaIdleTime**
+<p style="margin-left: 20px">This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/TPresharedKeyEncodingBD**
+<p style="margin-left: 20px">Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="ipsecexempt"></a>**MdmStore/Global/IPsecExempt**
+<p style="margin-left: 20px">This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="crlcheck"></a>**MdmStore/Global/CRLcheck**
+<p style="margin-left: 20px">This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="policyversion"></a>**MdmStore/Global/PolicyVersion**
+<p style="margin-left: 20px">This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.</p>
+<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
+
+<a href="" id="binaryversionsupported"></a>**MdmStore/Global/BinaryVersionSupported**
+<p style="margin-left: 20px">This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.</p>
+<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
+
+<a href="" id="opportunisticallymatchauthsetperkm"></a>**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace.</p>
+
+<a href="" id="enablepacketqueue"></a>**MdmStore/Global/EnablePacketQueue**
+<p style="margin-left: 20px">This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="domainprofile"></a>**MdmStore/DomainProfile**
+<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
+
+<a href="" id="privateprofile"></a>**MdmStore/PrivateProfile**
+<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
+
+<a href="" id="publicprofile"></a>**MdmStore/PublicProfile**
+<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
+
+<a href="" id="enablefirewall"></a>**/EnableFirewall**
+<p style="margin-left: 20px">This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="disablestealthmode"></a>**/DisableStealthMode**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="shielded"></a>**/Shielded**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="disableunicastresponsestomulticastbroadcast"></a>**/DisableUnicastResponsesToMulticastBroadcast**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="disableinboundnotifications"></a>**/DisableInboundNotifications**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port.  If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="authappsallowuserprefmerge"></a>**/AuthAppsAllowUserPrefMerge**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="globalportsallowuserprefmerge"></a>**/GlobalPortsAllowUserPrefMerge**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="allowlocalpolicymerge"></a>**/AllowLocalPolicyMerge**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="allowlocalipsecpolicymerge"></a>**/AllowLocalIpsecPolicyMerge**
+<p style="margin-left: 20px">This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
+<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="defaultinboundaction"></a>**/DefaultInboundAction**
+<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="disablestealthmodeipsecsecuredpacketexemption"></a>**/DisableStealthModeIpsecSecuredPacketExemption**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="firewallrules"></a>**FirewallRules**
+<p style="margin-left: 20px">A list of rules controlling traffic through the Windows Firewall.  Each Rule ID is OR'ed.  Within each rule ID each Filter type is AND'ed.</p>
+
+<a href="" id="firewallrulename"></a>**FirewallRules/_FirewallRuleName_**
+<p style="margin-left: 20px">Unique alpha numeric identifier for the rule.  The rule name must not include a forward slash (/).</p>
+
+<a href="" id="app"></a>**FirewallRules/_FirewallRuleName_/App**
+<p style="margin-left: 20px">Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:</p>
+<ul>
+<li>PackageFamilyName</li>
+<li>FilePath</li>
+<li>FQBN</li>
+<li>ServiceName</li>
+</ul>
+<p style="margin-left: 20px">Supported operation is Get.</p>
+
+<a href="" id="packagefamilyname"></a>**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
+<p style="margin-left: 20px">This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="filepath"></a>**FirewallRules/_FirewallRuleName_/App/FilePath**
+<p style="margin-left: 20px">This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="fqbn"></a>**FirewallRules/_FirewallRuleName_/App/Fqbn**
+<p style="margin-left: 20px">Fully Qualified Binary Name</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="servicename"></a>**FirewallRules/_FirewallRuleName_/App/ServiceName**
+<p style="margin-left: 20px">This is a service name used in cases when a service, not an application, is sending or receiving traffic.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="protocol"></a>**FirewallRules/_FirewallRuleName_/Protocol**
+<p style="margin-left: 20px">0-255 number representing the ip protocol (TCP = 6, UDP = 17)</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="localportranges"></a>**FirewallRules/_FirewallRuleName_/LocalPortRanges**
+<p style="margin-left: 20px">Comma separated list of ranges. For example, 100-120,200,300-320.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="remoteportranges"></a>**FirewallRules/_FirewallRuleName_/RemotePortRanges**
+<p style="margin-left: 20px">Comma separated list of ranges, For example, 100-120,200,300-320.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="localaddressranges"></a>**FirewallRules/_FirewallRuleName_/LocalAddressRanges**
+<p style="margin-left: 20px">Comma separated list of local addresses covered by the rule. The default value is "\*". Valid tokens include:</p>
+<ul>
+<li>"\*" indicates any local address. If present, this must be the only token included.</li>
+<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
+<li>A valid IPv6 address.</li>
+<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
+<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="remoteaddressranges"></a>**FirewallRules/_FirewallRuleName_/RemoteAddressRanges**
+<p style="margin-left: 20px">List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include:</p>
+<ul>
+<li>"\*" indicates any remote address. If present, this must be the only token included.</li>
+<li>"Defaultgateway"</li>
+<li>"DHCP"</li>
+<li>"DNS"</li>
+<li>"WINS"</li>
+<li>"Intranet"</li>
+<li>"RemoteCorpNetwork"</li>
+<li>"Internet"</li>
+<li>"PlayToRenderers"</li>
+<li>"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.</li>
+<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
+<li>A valid IPv6 address.</li>
+<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
+<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
+<p style="margin-left: 20px">Specifies the description of the rule.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="enabled"></a>**FirewallRules/_FirewallRuleName_/Enabled**
+<p style="margin-left: 20px">Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
+If not specified - a new rule is disabled by default.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
+<p style="margin-left: 20px">Specifies the action for the rule.</p>
+<p style="margin-left: 20px">Supported operation is Get.</p>
+
+<a href="" id="type"></a>**FirewallRules/_FirewallRuleName_/Action/Type**
+<p style="margin-left: 20px">Specifies the action the rule enforces. Supported values:</p>
+<ul>
+<li>0 - Block</li>
+<li>1 - Allow</li>
+</ul>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="icmptypesandcodes"></a>**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
+<p style="margin-left: 20px">List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
+<p style="margin-left: 20px">Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="friendlyname"></a>**FirewallRules/_FirewallRuleName_/FriendlyName**
+<p style="margin-left: 20px">Specifies the friendly name of the rule. The string must not contain the "|" character.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="name"></a>**FirewallRules/_FirewallRuleName_/Name**
+<p style="margin-left: 20px">Name of the rule.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
--- a/windows/client-management/mdm/images/provisioning-csp-firewall.png
+++ b/windows/client-management/mdm/images/provisioning-csp-firewall.png
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -880,6 +880,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Ownership</li>
 </ul>
 </td></tr>
+<tr class="odd">
+<td style="vertical-align:top">MDM support for Windows 10 S</td>
+<td style="vertical-align:top"><p>Updated the following topics to indicate MDM support in Windows 10 S.</p>
+<ul>
+<li>[Configuration service provider reference](configuration-service-provider-reference.md)</li>
+<li>[Policy CSP](policy-configuration-service-provider.md)</li>
+</ul>
+</td></tr>
 </tbody>
 </table> 

@ -1208,7 +1216,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>EnterpriseDataProtection/RetrieveByCount/Type</li>
 </ul>
 </td></tr>
-<tr class="even">
+<tr class="odd">
 <td style="vertical-align:top">[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)</td>
 <td style="vertical-align:top"><p>Added following deep link parameters to the table:</p>
 <ul>
@ -1220,6 +1228,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>Ownership</li>
 </ul>
 </td></tr>
+<tr class="even">
+<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
+<td style="vertical-align:top"><p>Added new CSP in the next major update to Windows 10.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">MDM support for Windows 10 S</td>
+<td style="vertical-align:top"><p>Updated the following topics to indicate MDM support in Windows 10 S.</p>
+<ul>
+<li>[Configuration service provider reference](configuration-service-provider-reference.md)</li>
+<li>[Policy CSP](policy-configuration-service-provider.md)</li>
+</ul>
+</td></tr>
 </tbody>
 </table>

--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -107,6 +107,9 @@ The following diagram shows the Policy configuration service provider in tree fo

 <p style="margin-left: 20px">Supported operations are Add and Get. Does not support Delete.

+> [!Note]  
+> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S.
+
 <!--StartPolicies-->
 <hr/>

--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@ -64,7 +64,7 @@ There are three categories of apps that might be pinned to a taskbar:
 * Apps pinned by the enterprise, such as in an unattended Windows setup

 >[!NOTE]
- >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607.
+ >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file.
   
 The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).