From 6fe235e54a56a319248bfe59b5b077240eb25bd3 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Thu, 11 Nov 2021 10:06:53 +0530 Subject: [PATCH] HTMLTableConversionToMD-batch 04 --- windows/client-management/mdm/get-seats.md | 118 +---- .../mdm/healthattestation-csp.md | 325 +++----------- windows/client-management/mdm/hotspot-csp.md | 33 +- ...rver-side-mobile-application-management.md | 42 +- ...ent-tool-for-windows-store-for-business.md | 23 +- .../mdm/mobile-device-enrollment.md | 147 +------ windows/client-management/mdm/nap-csp.md | 33 +- windows/client-management/mdm/napdef-csp.md | 39 +- windows/client-management/mdm/office-csp.md | 158 +------ .../mdm/oma-dm-protocol-support.md | 284 ++---------- .../mdm/policy-csp-abovelock.md | 61 +-- .../mdm/policy-csp-accounts.md | 150 ++----- .../mdm/policy-csp-activexcontrols.md | 32 +- .../policy-csp-admx-activexinstallservice.md | 33 +- .../mdm/policy-csp-admx-addremoveprograms.md | 411 ++++-------------- 15 files changed, 308 insertions(+), 1581 deletions(-) diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index a510b2460c..f58ed76669 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -1,6 +1,6 @@ --- title: Get seats -description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business. +description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business. ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F ms.reviewer: manager: dansimp @@ -18,118 +18,34 @@ The **Get seats** operation retrieves the information about active seats in the ## Request - ---- - - - - - - - - - - - - -
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}

+**GET:** + +```http +https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults} +``` -  ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

continuationToken

string

Optional.

maxResults

int32

Optional. Default = 25, Maximum = 100

+|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|continuationToken|string|Optional.| +|maxResults|int32|Optional. Default = 25, Maximum = 100| -  ## Response ### Response body The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Error codeDescriptionRetryData field

400

Invalid parameters

No

Parameter name

-

Reason: Missing parameter or invalid parameter

-

Details: String

404

Not found

409

Conflict

Reason: Not online

- -  - -  - - +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name
Reason: Missing parameter or invalid parameter
Details: String| +|404|Not found||| +|409|Conflict||Reason: Not online| diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 32bdbb1eca..b29bed482b 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -551,77 +551,16 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes ![healthattestation service diagram.](images/healthattestation_2.png) - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
DHA-Service typeDescriptionOperation cost
Device Health Attestation – Cloud

(DHA-Cloud)

DHA-Cloud is a Microsoft owned and operated DHA-Service that is:

-
    -
  • Available in Windows for free
    • -
  • Running on a high-availability and geo-balanced cloud infrastructure
    • -
  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
    • -
  • Accessible to all enterprise-managed devices via following: -
      -
    • FQDN = has.spserv.microsoft.com) port
      • -
    • Port = 443
      • -
    • Protocol = TCP
      • -
    -
    • -
-		No cost
Device Health Attestation – On Premise

(DHA-OnPrem)

DHA-OnPrem refers to DHA-Service that is running on premises:

-
    -
  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
    • -
  • Hosted on an enterprise owned and managed server device/hardware
    • -
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
    • -

  • Accessible to all enterprise-managed devices via following:

    -
      -
    • FQDN = (enterprise assigned)
      • -
    • Port = (enterprise assigned)
      • -
    • Protocol = TCP
      • -
    -
    • -
The operation cost of running one or more instances of Server 2016 on-premises.
Device Health Attestation - Enterprise-Managed Cloud

(DHA-EMC)

DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.

-
    -
  • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
    • -
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
    • -

  • Accessible to all enterprise-managed devices via following:

    -
      -
    • FQDN = (enterprise assigned)
      • -
    • Port = (enterprise assigned)
      • -
    • Protocol = TCP
      • -
    -
    • -
The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
+|DHA-Service type|Description|Operation cost| +|--- |--- |--- | +|Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
  • Available in Windows for free
  • Running on a high-availability and geo-balanced cloud infrastructure
  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
  • Accessible to all enterprise-managed devices via following:
    • | +|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
  • Hosted on an enterprise owned and managed server device/hardware
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following:
    • | +|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
  • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following:
    • | ### CSP diagram and node descriptions - -The following shows the Device HealthAttestation configuration service provider in tree format. +The following shows the Device HealthAttestation configuration service provider in tree format. + ``` ./Vendor/MSFT HealthAttestation @@ -1263,214 +1202,48 @@ Each of these are described in further detail in the following sections, along w ### **Device HealthAttestation CSP status and error codes** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Error codeError nameDescription
    0HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZEDThis is the initial state for devices that have never participated in a DHA-Session.
    1HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTEDThis state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
    2HEALTHATTESTATION_CERT_RETRIEVAL_FAILEDThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
    3HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETEThis state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.
    4HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAILDeprecated in Windows 10, version 1607.
    5HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAILDHA-CSP failed to get a claim quote.
    6HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READYDHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
    7HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAILDHA-CSP failed in retrieving Windows AIK
    8HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAILDeprecated in Windows 10, version 1607.
    9HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSIONInvalid TPM version (TPM version is not 1.2 or 2.0)
    10HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAILNonce was not found in the registry.
    11HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAILCorrelation ID was not found in the registry.
    12HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAILDeprecated in Windows 10, version 1607.
    13HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAILDeprecated in Windows 10, version 1607.
    14HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAILFailure in Encoding functions. (Extremely unlikely scenario)
    15HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAILDeprecated in Windows 10, version 1607.
    16HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XMLDHA-CSP failed to load the payload it received from DHA-Service
    17HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XMLDHA-CSP received a corrupted response from DHA-Service.
    18HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XMLDHA-CSP received an empty response from DHA-Service.
    19HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EKDHA-CSP failed in decrypting the AES key from the EK challenge.
    20HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EKDHA-CSP failed in decrypting the health cert with the AES key.
    21HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUBDHA-CSP failed in exporting the AIK Public Key.
    22HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLYDHA-CSP failed in trying to create a claim with AIK attestation data.
    23HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUBDHA-CSP failed in appending the AIK Pub to the request blob.
    24HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERTDHA-CSP failed in appending the AIK Cert to the request blob.
    25HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLEDHA-CSP failed to obtain a Session handle.
    26HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLEDHA-CSP failed to connect to the DHA-Service.
    27HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLEDHA-CSP failed to create an HTTP request handle.
    28HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTIONDHA-CSP failed to set options.
    29HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERSDHA-CSP failed to add request headers.
    30HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUESTDHA-CSP failed to send the HTTP request.
    31HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSEDHA-CSP failed to receive a response from the DHA-Service.
    32HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERSDHA-CSP failed to query headers when trying to get HTTP status code.
    33HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSEDHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
    34HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSEDHA-CSP received an empty response along with an HTTP error code from DHA-Service.
    35HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USERDHA-CSP failed to impersonate user.
    36HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATORDHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
    0xFFFFHEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWNDHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
    400Bad_Request_From_ClientDHA-CSP has received a bad (malformed) attestation request.
    404Endpoint_Not_ReachableDHA-Service is not reachable by DHA-CSP
    +|Error code|Error name|Description| +|--- |--- |--- | +|0|HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED|This is the initial state for devices that have never participated in a DHA-Session.| +|1|HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED|This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.| +|2|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED|This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.| +|3|HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE|This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.| +|4|HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL|Deprecated in Windows 10, version 1607.| +|5|HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL|DHA-CSP failed to get a claim quote.| +|6|HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY|DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.| +|7|HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL|DHA-CSP failed in retrieving Windows AIK| +|8|HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL|Deprecated in Windows 10, version 1607.| +|9|HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION|Invalid TPM version (TPM version is not 1.2 or 2.0)| +|10|HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL|Nonce was not found in the registry.| +|11|HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL|Correlation ID was not found in the registry.| +|12|HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL|Deprecated in Windows 10, version 1607.| +|13|HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL|Deprecated in Windows 10, version 1607.| +|14|HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL|Failure in Encoding functions. (Extremely unlikely scenario)| +|15|HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL|Deprecated in Windows 10, version 1607.| +|16|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML|DHA-CSP failed to load the payload it received from DHA-Service| +|17|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML|DHA-CSP received a corrupted response from DHA-Service.| +|18|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML|DHA-CSP received an empty response from DHA-Service.| +|19|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK|DHA-CSP failed in decrypting the AES key from the EK challenge.| +|20|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK|DHA-CSP failed in decrypting the health cert with the AES key.| +|21|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB|DHA-CSP failed in exporting the AIK Public Key.| +|22|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY|DHA-CSP failed in trying to create a claim with AIK attestation data.| +|23|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB|DHA-CSP failed in appending the AIK Pub to the request blob.| +|24|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT|DHA-CSP failed in appending the AIK Cert to the request blob.| +|25|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE|DHA-CSP failed to obtain a Session handle.| +|26|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE|DHA-CSP failed to connect to the DHA-Service.| +|27|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE|DHA-CSP failed to create an HTTP request handle.| +|28|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION|DHA-CSP failed to set options.| +|29|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS|DHA-CSP failed to add request headers.| +|30|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST|DHA-CSP failed to send the HTTP request.| +|31|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE|DHA-CSP failed to receive a response from the DHA-Service.| +|32|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS|DHA-CSP failed to query headers when trying to get HTTP status code.| +|33|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE|DHA-CSP received an empty response from DHA-Service even though HTTP status was OK.| +|34|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE|DHA-CSP received an empty response along with an HTTP error code from DHA-Service.| +|35|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER|DHA-CSP failed to impersonate user.| +|36|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR|DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.| +|0xFFFF|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN|DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.| +|400|Bad_Request_From_Client|DHA-CSP has received a bad (malformed) attestation request.| +|404|Endpoint_Not_Reachable|DHA-Service is not reachable by DHA-CSP| ### DHA-Report V3 schema diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 0672037cf9..ab23f17606 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -186,34 +186,11 @@ The DLL must be code signed in a specific way, see [Sign binaries and packages]( During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values. - ---- - - - - - - - - - - - - - - - - - - - - -
    ValueDescription

    ENTITLEMENT_SUCCESS

    The device is allowed to connect to the server.

    ENTITLEMENT_FAILED

    The device is not allowed to connect to the server

    ENTITLEMENT_UNAVAILABLE

    The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.

    - - +|Value|Description| +|--- |--- | +|**ENTITLEMENT_SUCCESS**|The device is allowed to connect to the server.| +|**ENTITLEMENT_FAILED**|The device is not allowed to connect to the server| +|**ENTITLEMENT_UNAVAILABLE**|The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.| The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit. diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 68633b48af..65f11b56b4 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -129,40 +129,8 @@ If the MAM device is properly configured for MDM enrollment, then the Enroll onl We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Update channelPrimary purposeLOB Tattoo availabilityDefault update channel for the products
    Current channelProvide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. March 9 2017

    Visio Pro for Office 365

    -

    Project Desktop Client

    -

    Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)

    Deferred channelProvide users with new features of Office only a few times a year.October 10 2017Microsoft 365 Apps for enterprise
    First release for Deferred channelProvide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. June 13 2017
    \ No newline at end of file +|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products| +|--- |--- |--- |--- | +|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365
    Project Desktop Client
    Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)| +|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise| +|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017|| diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index f2da07d4e2..af0d01f75e 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -34,26 +34,11 @@ For additional information about Store for Business, see the TechNet topics in [ The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages. - ---- - - - - - - - - - - -

    Application data

    The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.

    Licensing models

    Offline vs. Online

    -

    Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.

    -

    Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.

    +- **Application data**:The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications. - +- **Licensing models**: + - **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services. + - **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store. ### Offline-licensed application distribution diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index d1ada9afe6..8b9380767e 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -110,75 +110,15 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma ``` - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NamespaceSubcodeErrorDescriptionHRESULT

    s:

    MessageFormat

    MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

    Invalid message from the Mobile Device Management (MDM) server.

    80180001

    s:

    Authentication

    MENROLL_E_DEVICE_AUTHENTICATION_ERROR

    The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.

    80180002

    s:

    Authorization

    MENROLL_E_DEVICE_AUTHORIZATION_ERROR

    The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.

    80180003

    s:

    CertificateRequest

    MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR

    The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.

    80180004

    s:

    EnrollmentServer

    MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

    		The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.

    80180005

    a:

    InternalServiceFault

    MENROLL_E_DEVICE_INTERNALSERVICE_ERROR

    There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.

    80180006

    a:

    InvalidSecurity

    MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

    The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.

    80180007

    +|Namespace|Subcode|Error|Description|HRESULT| +|--- |--- |--- |--- |--- | +|s:|MessageFormat|MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|Invalid message from the Mobile Device Management (MDM) server.|80180001| +|s:|Authentication|MENROLL_E_DEVICE_AUTHENTICATION_ERROR|The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.|80180002| +|s:|Authorization|MENROLL_E_DEVICE_AUTHORIZATION_ERROR|The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.|80180003| +|s:|CertificateRequest|MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR|The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.|80180004| +|s:|EnrollmentServer|MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.|80180005| +|a:|InternalServiceFault|MENROLL_E_DEVICE_INTERNALSERVICE_ERROR|There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.|80180006| +|a:|InvalidSecurity|MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.|80180007| In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example: @@ -212,66 +152,15 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. ``` - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    SubcodeErrorDescriptionHRESULT

    DeviceCapReached

    MENROLL_E_DEVICECAPREACHED

    The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.

    80180013

    DeviceNotSupported

    MENROLL_E_DEVICENOTSUPPORTED

    The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.

    80180014

    NotSupported

    MENROLL_E_NOT_SUPPORTED

    Mobile Device Management (MDM) is generally not supported for this device.

    80180015

    NotEligibleToRenew

    MENROLL_E_NOTELIGIBLETORENEW

    The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.

    80180016

    InMaintenance

    MENROLL_E_INMAINTENANCE

    The Mobile Device Management (MDM) server states your account is in maintenance, try again later.

    80180017

    UserLicense

    MENROLL_E_USER_LICENSE

    There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.

    80180018

    InvalidEnrollmentData

    MENROLL_E_ENROLLMENTDATAINVALID

    The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.

    80180019

    +|Subcode|Error|Description|HRESULT| +|--- |--- |--- |--- | +|DeviceCapReached|MENROLL_E_DEVICECAPREACHED|The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.|80180013| +|DeviceNotSupported|MENROLL_E_DEVICENOTSUPPORTED|The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.|80180014| +|NotSupported|MENROLL_E_NOT_SUPPORTED|Mobile Device Management (MDM) is generally not supported for this device.|80180015| +|NotEligibleToRenew|MENROLL_E_NOTELIGIBLETORENEW|The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.|80180016| +|InMaintenance|MENROLL_E_INMAINTENANCE|The Mobile Device Management (MDM) server states your account is in maintenance, try again later.|80180017| +|UserLicense|MENROLL_E_USER_LICENSE|There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.|80180018| +|InvalidEnrollmentData|MENROLL_E_ENROLLMENTDATAINVALID|The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.|80180019| TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index 89d18c8eff..a46cce0ddf 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -87,34 +87,11 @@ Required. Specifies the type of address used to identify the destination network The following table shows some commonly used ADDRTYPE values and the types of connection that corresponds with each value. - ---- - - - - - - - - - - - - - - - - - - - - -
    ADDRTYPE ValueConnection Type

    E164

    RAS connections

    APN

    GPRS connections

    ALPHA

    Wi-Fi-based connections

    - -  +|ADDRTYPE Value|Connection Type| +|--- |--- | +|E164|RAS connections| +|APN|GPRS connections| +|ALPHA|Wi-Fi-based connections| ***NAPX*/AuthInfo** Optional node. Specifies the authentication information, including the protocol, user name, and password. diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index bf9a0bc281..2c7ac27df6 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -127,39 +127,12 @@ The name of the *NAPID* element is the same as the value passed during initial b The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    ElementsAvailable

    Parm-query

    Yes

    -

    Note that some GPRS parameters will not necessarily contain the exact same value as was set.

    Noparm

    Yes

    Nocharacteristic

    Yes

    Characteristic-query

    Yes

    - - +|Elements|Available| +|--- |--- | +|Parm-query|Yes
    Note that some GPRS parameters will not necessarily contain the exact same value as was set.| +|Noparm|Yes| +|Nocharacteristic|Yes| +|Characteristic-query|Yes| ## Related topics diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 7516e3c411..e6f3f66cd6 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -151,140 +151,24 @@ To get the current status of Office 365 on the device. ## Status code - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StatusDescriptionComment
    0Installation succeededOK
    997Installation in progress
    13ERROR_INVALID_DATA -

    Cannot verify signature of the downloaded Office Deployment Tool (ODT)

    		Failure
    1460ERROR_TIMEOUT -

    Failed to download ODT

    		Failure
    1602 ERROR_INSTALL_USEREXIT -

    User cancelled the installation

    		Failure
    1603ERROR_INSTALL_FAILURE -

    Failed any pre-req check.

    -
      -
    • SxS (Tried to install when 2016 MSI is installed)
      • -
    • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)
      • -
    -    		Failure
    17000ERROR_PROCESSPOOL_INITIALIZATION -

    Failed to start C2RClient

    		Failure
    17001ERROR_QUEUE_SCENARIO -

    Failed to queue installation scenario in C2RClient

    		Failure
    17002ERROR_COMPLETING_SCENARIO -

    Failed to complete the process. Possible reasons:

    -
      -
    • Installation cancelled by user
      • -
    • Installation cancelled by another installation
      • -
    • Out of disk space during installation
      • -
    • Unknown language ID
      • -
    		Failure
    17003ERROR_ANOTHER_RUNNING_SCENARIO -

    Another scenario is running

    		Failure
    17004ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP -

    Possible reasons:

    -
      -
    • Unknown SKUs
      • -
    • Content does't exist on CDN -
      • such as trying to install an unsupported LAP, like zh-sg
        • -
      • CDN issue that content is not available
      -
      • -
    • Signature check issue, such as failed the signature check for Office content
      • -
    • User cancelled -
    -    		Failure
    17005ERROR_SCENARIO_CANCELLED_AS_PLANNEDFailure
    17006ERROR_SCENARIO_CANCELLED -

    Blocked update by running apps

    		Failure
    17007ERROR_REMOVE_INSTALLATION_NEEDED -

    The client is requesting client clean up in a "Remove Installation" scenario

    		Failure
    17100ERROR_HANDLING_COMMAND_LINE -

    C2RClient command line error

    		Failure
    0x80004005E_FAIL -

    ODT cannot be used to install Volume license

    		Failure
    0x8000ffff E_UNEXPECTED -

    Tried to uninstall when there is no C2R Office on the machine.

    		Failure
    \ No newline at end of file +|Status|Description|Comment| +|--- |--- |--- | +|0|Installation succeeded|OK| +|997|Installation in progress|| +|13|ERROR_INVALID_DATA
    Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure| +|1460|ERROR_TIMEOUT
    Failed to download ODT|Failure| +|1602|ERROR_INSTALL_USEREXIT
    User cancelled the installation|Failure| +|1603|ERROR_INSTALL_FAILURE
    Failed any pre-req check.
  • SxS (Tried to install when 2016 MSI is installed)
  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure| +|17000|ERROR_PROCESSPOOL_INITIALIZATION +Failed to start C2RClient|Failure| +|17001|ERROR_QUEUE_SCENARIO +Failed to queue installation scenario in C2RClient|Failure| +|17002|ERROR_COMPLETING_SCENARIO
    Failed to complete the process. Possible reasons:
  • Installation cancelled by user
  • Installation cancelled by another installation
  • Out of disk space during installation
  • Unknown language ID|Failure| +|17003|ERROR_ANOTHER_RUNNING_SCENARIO
    Another scenario is running|Failure| +|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
    Possible reasons:
  • Unknown SKUs
  • Content does't exist on CDN
  • Signature check issue, such as failed the signature check for Office content
  • User cancelled|Failure| +|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure| +|17006|ERROR_SCENARIO_CANCELLED
    Blocked update by running apps|Failure| +|17007|ERROR_REMOVE_INSTALLATION_NEEDED
    The client is requesting client clean up in a "Remove Installation" scenario|Failure| +|17100|ERROR_HANDLING_COMMAND_LINE
    C2RClient command line error|Failure| +|0x80004005|E_FAIL
    ODT cannot be used to install Volume license|Failure| +|0x8000ffff|E_UNEXPECTED
    Tried to uninstall when there is no C2R Office on the machine.|Failure| diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 5e8ad6957f..8fac08e56a 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -35,113 +35,17 @@ The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA The following table shows the OMA DM standards that Windows uses. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    General areaOMA DM standard that is supported

    Data transport and session

      -

    • Client-initiated remote HTTPS DM session over SSL.

      • -

    • Remote HTTPS DM session over SSL.

      • -

    • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.

      • -

    • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.

      • -

    Bootstrap XML

      -

    • OMA Client Provisioning XML.

      • -

    DM protocol commands

    The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.

    -
      -

    • Add (Implicit Add supported)

      • -

    • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.

      • -

    • Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.

      • -

    • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists

      • -

    • Exec: Invokes an executable on the client device

      • -

    • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format

      • -

    • Replace: Overwrites data on the client device

      • -

    • Result: Returns the data results of a Get command to the DM server

      • -

    • Sequence: Specifies the order in which a group of commands must be processed

      • -

    • Status: Indicates the completion status (success or failure) of an operation

      • -
    -

    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:

    -
      -

    • SyncBody

      • -

    • Atomic

      • -

    • Sequence

      • -
    -

    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

    -

    If Atomic elements are nested, the following status codes are returned:

    -
      -

    • The nested Atomic command returns 500.

      • -

    • The parent Atomic command returns 507.

      • -
    -

    For more information about the Atomic command, see OMA DM protocol common elements.

    -

    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.

    -

    LocURI cannot start with "/".

    -

    Meta XML tag in SyncHdr is ignored by the device.

    OMA DM standard objects

      -

    • DevInfo

      • -

    • DevDetail

      • -

    • OMA DM DMS account objects (OMA DM version 1.2)

      • -

    Security

      -

    • Authenticate DM server initiation notification SMS message (not used by enterprise management)

      • -

    • Application layer Basic and MD5 client authentication

      • -

    • Authenticate server with MD5 credential at application level

      • -

    • Data integrity and authentication with HMAC at application level

      • -

    • SSL level certificate based client/server authentication, encryption, and data integrity check

      • -

    Nodes

    In the OMA DM tree, the following rules apply for the node name:

    -
      -

    • "." can be part of the node name.

      • -

    • The node name cannot be empty.

      • -

    • The node name cannot be only the asterisk (*) character.

      • -

    Provisioning Files

    Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.

    -

    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.

    -
    -Note

    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.

    -
    -
    - -

    WBXML support

    Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.

    Handling of large objects

    In Windows 10, version 1511, client support for uploading large objects to the server was added.

    +|General area|OMA DM standard that is supported| +|--- |--- | +|Data transport and session|
  • Client-initiated remote HTTPS DM session over SSL.
  • Remote HTTPS DM session over SSL.
  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.| +|Bootstrap XML|OMA Client Provisioning XML.| +|DM protocol commands|The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
  • Add (Implicit Add supported)
  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
  • Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
  • Exec: Invokes an executable on the client device
  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
  • Replace: Overwrites data on the client device
  • Result: Returns the data results of a Get command to the DM server
  • Sequence: Specifies the order in which a group of commands must be processed
  • Status: Indicates the completion status (success or failure) of an operation
    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
  • SyncBody
  • Atomic
  • Sequence
    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
    If Atomic elements are nested, the following status codes are returned:
  • The nested Atomic command returns 500.
  • The parent Atomic command returns 507.
    For more information about the Atomic command, see OMA DM protocol common elements.
    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
    LocURI cannot start with "/".
    Meta XML tag in SyncHdr is ignored by the device.| +|OMA DM standard objects|DevInfo
  • DevDetail
  • OMA DM DMS account objects (OMA DM version 1.2)| +|Security|
  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
  • Application layer Basic and MD5 client authentication
  • Authenticate server with MD5 credential at application level
  • Data integrity and authentication with HMAC at application level
  • SSL level certificate based client/server authentication, encryption, and data integrity check| +|Nodes|In the OMA DM tree, the following rules apply for the node name:
  • "" can be part of the node name.
  • The node name cannot be empty.
  • The node name cannot be only the asterisk (*) character.| +|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
    **Note**
    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
    | +|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.| +|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| @@ -149,99 +53,26 @@ The following table shows the OMA DM standards that Windows uses. Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ElementDescription

    Chal

    Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.

    Cmd

    Specifies the name of an OMA DM command referenced in a Status element.

    CmdID

    Specifies the unique identifier for an OMA DM command.

    CmdRef

    Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.

    Cred

    Specifies the authentication credential for the originator of the message.

    Final

    Indicates that the current message is the last message in the package.

    LocName

    Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.

    LocURI

    Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

    MsgID

    Specifies a unique identifier for an OMA DM session message.

    MsgRef

    Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.

    RespURI

    Specifies the URI that the recipient must use when sending a response to this message.

    SessionID

    Specifies the identifier of the OMA DM session associated with the containing message.

    -
    -Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes. -
    -
    - -

    Source

    Specifies the message source address.

    SourceRef

    Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.

    Target

    Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.

    TargetRef

    Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.

    VerDTD

    Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.

    VerProto

    Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.

    - +|Element|Description| +|--- |--- | +|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.| +|Cmd|Specifies the name of an OMA DM command referenced in a Status element.| +|CmdID|Specifies the unique identifier for an OMA DM command.| +|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.| +|Cred|Specifies the authentication credential for the originator of the message.| +|Final|Indicates that the current message is the last message in the package.| +|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.| +|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.| +|MsgID|Specifies a unique identifier for an OMA DM session message.| +|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| +|RespURI|Specifies the URI that the recipient must use when sending a response to this message.| +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
    | +|Source|Specifies the message source address.| +|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| +|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| +|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.| +|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.| +|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.| ## Device management session @@ -257,52 +88,13 @@ A DM session can be divided into two phases: The following table shows the sequence of events during a typical DM session. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StepActionDescription

    1

    DM client is invoked to call back to the management server

    -

    Enterprise scenario – The device task schedule invokes the DM client.

    The MO server sends a server trigger message to invoke the DM client.

    -

    The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

    -

    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.

    2

    The device sends a message, over an IP connection, to initiate the session.

    This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.

    3

    The DM server responds, over an IP connection (HTTPS).

    The server sends initial device management commands, if any.

    4

    The device responds to server management commands.

    This message includes the results of performing the specified device management operations.

    5

    The DM server terminates the session or sends another command.

    The DM session ends, or Step 4 is repeated.

    - - +|Step|Action|Description| +|--- |--- |--- | +|1|DM client is invoked to call back to the management server

    Enterprise scenario – The device task schedule invokes the DM client.|The MO server sends a server trigger message to invoke the DM client.

    The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.| +|2|The device sends a message, over an IP connection, to initiate the session.|This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.| +|3|The DM server responds, over an IP connection (HTTPS).|The server sends initial device management commands, if any.| +|4|The device responds to server management commands.|This message includes the results of performing the specified device management operations.| +|5|The DM server terminates the session or sends another command.|The DM session ends, or Step 4 is repeated.| The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index c3d8c37963..b1b74f16be 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -38,33 +38,13 @@ manager: dansimp **AboveLock/AllowCortanaAboveLock** - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    EnterpriseYesYes
    EducationYesYes
    +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -105,28 +85,13 @@ The following list shows the supported values: **AboveLock/AllowToasts** - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYes, starting in Windows 10, version 1607Yes
    EnterpriseYes, starting in Windows 10, version 1607Yes
    EducationYes, starting in Windows 10, version 1607Yes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes, starting in Windows 10, version 1607|Yes| +|Enterprise|Yes, starting in Windows 10, version 1607|Yes| +|Education|Yes, starting in Windows 10, version 1607|Yes|
    diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index ed466fe64a..795f89e92c 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -40,43 +40,15 @@ manager: dansimp **Accounts/AllowAddingNonMicrosoftAccountsManually** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    EnterpriseYesYes
    EducationYesYes
    MobileYesYes
    Mobile EnterpriseYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|
    @@ -114,48 +86,16 @@ The following list shows the supported values: **Accounts/AllowMicrosoftAccountConnection** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    MobileYesYes
    Mobile EnterpriseYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|
    @@ -190,48 +130,16 @@ The following list shows the supported values: **Accounts/AllowMicrosoftAccountSignInAssistant** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    MobileYesYes
    Mobile EnterpriseYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|
    diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 95c9e7d80b..60248d3ecc 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -40,31 +40,13 @@ manager: dansimp **ActiveXControls/ApprovedInstallationSites** - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index c574952e31..0b63ffc56d 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -40,31 +40,14 @@ manager: dansimp **ADMX_ActiveXInstallService/AxISURLZonePolicies** - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +
    diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index dfb1da857f..de3506d5e5 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -70,20 +70,10 @@ manager: dansimp **ADMX_AddRemovePrograms/DefaultCategory** - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No|
    @@ -135,34 +125,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromCDorFloppy** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    Business
    EnterpriseYesYes
    Education
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business||| +|Enterprise|Yes|Yes| +|Education|||
    @@ -212,38 +182,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromInternet** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -294,38 +240,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromNetwork** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -377,38 +299,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddPage** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -456,38 +354,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddRemovePrograms** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -535,38 +409,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoChooseProgramsPage** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -615,37 +465,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoRemovePage** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -693,38 +520,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoServices** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -775,38 +578,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoSupportInfo** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
    @@ -856,38 +635,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoWindowsSetupPage** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoNo
    BusinessNoNo
    EnterpriseYesYes
    EducationYesYes
    + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|