diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 189e952207..3cf570a193 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -37,20 +37,20 @@ These tools were included in previous versions of Windows. The associated docume - [Computer Management](https://support.microsoft.com/kb/308423) - [Defragment and Optimize Drives](https://go.microsoft.com/fwlink/p/?LinkId=708488) - [Disk Cleanup](https://go.microsoft.com/fwlink/p/?LinkID=698648) -- [Event Viewer](https://go.microsoft.com/fwlink/p/?LinkId=708491) -- [iSCSI Initiator](https://go.microsoft.com/fwlink/p/?LinkId=708492) -- [Local Security Policy](https://go.microsoft.com/fwlink/p/?LinkId=708493) +- [Event Viewer](/previous-versions/windows/it-pro/windows-2000-server/cc938674(v=technet.10)) +- [iSCSI Initiator](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10)) +- [Local Security Policy](/previous-versions/tn-archive/dd277395(v=technet.10)) - [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494) -- [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495) -- [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496) +- [Performance Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749115(v=ws.11)) +- [Print Management](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731857(v=ws.11)) - [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive) -- [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry) -- [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497) -- [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498) +- [Registry Editor](/windows/win32/sysinfo/registry) +- [Resource Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883276(v=ws.10)) +- [Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772408(v=ws.11)) - [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499) - [System Information]( https://go.microsoft.com/fwlink/p/?LinkId=708500) -- [Task Scheduler](https://go.microsoft.com/fwlink/p/?LinkId=708501) -- [Windows Firewall with Advanced Security](https://go.microsoft.com/fwlink/p/?LinkId=708503) +- [Task Scheduler](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766428(v=ws.11)) +- [Windows Firewall with Advanced Security](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754274(v=ws.11)) - [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507) > [!TIP] @@ -58,7 +58,5 @@ These tools were included in previous versions of Windows. The associated docume ## Related topics -[Diagnostic Data Viewer](https://docs.microsoft.com/windows/privacy/diagnostic-data-viewer-overview) - - +[Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index c27a78fa4c..739e349c4a 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -33,13 +33,13 @@ See [Advanced troubleshooting 802.1X authentication data collection](data-collec ## Troubleshooting -Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications. +Viewing [NPS authentication status events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications. NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article. -Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. +Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. -In the event message, scroll to the very bottom, and then check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. +In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. ![example of an audit failure](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

@@ -69,7 +69,7 @@ By default, this log isn't enabled. To enable this log, expand **Event Viewer (L ![screenshot of event viewer](images/capi.png) For information about how to analyze CAPI2 event logs, see -[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). +[Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication: @@ -85,7 +85,7 @@ If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both ‎ > [!NOTE] -> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/), see the instructions under the **Help** menu in Network Monitor. Here's an example: +> If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example: ![ETL parse](images/etl.png) @@ -115,5 +115,5 @@ Even if audit policy appears to be fully enabled, it sometimes helps to disable ## Additional references -[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)
-[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx) +[Troubleshooting Windows Vista 802.11 Wireless Connections](/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
+[Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10)) \ No newline at end of file diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 29e2d01d30..f1594dd088 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -99,7 +99,7 @@ The Startup Repair tool automatically fixes many common problems. The tool also To do this, follow these steps. > [!NOTE] -> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). +> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). 1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088). @@ -231,7 +231,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto - Specific error code is displayed. For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) + - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) - The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. @@ -274,7 +274,7 @@ Disable any service that you find to be faulty, and try to start the computer ag For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows). If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement: -[Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/) +[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64) > [!NOTE] > If the computer is a domain controller, try Directory Services Restore mode (DSRM). @@ -310,7 +310,7 @@ To troubleshoot this Stop error, follow these steps to filter the drivers: For additional troubleshooting steps, see the following articles: -- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) +- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) To fix problems that occur after you install Windows updates, check for pending updates by using these steps: @@ -361,13 +361,13 @@ If the computer does not start, follow these steps: If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles: -- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump) +- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md) For more information about page file problems in Windows 10 or Windows Server 2016, see the following: -- [Introduction to page files](https://docs.microsoft.com/windows/client-management/introduction-page-file) +- [Introduction to page files](./introduction-page-file.md) For more information about Stop errors, see the following Knowledge Base article: -- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors) +- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md) If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines: @@ -381,7 +381,7 @@ If the dump file shows an error that is related to a driver (for example, window ```dos SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows ``` - For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/) + For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues) - If there is disk corruption, run the check disk command: ```dos @@ -397,4 +397,4 @@ If the dump file shows an error that is related to a driver (for example, window 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. > [!NOTE] -> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start). +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start). \ No newline at end of file diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index ff1064cbbf..a024756b85 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -29,7 +29,7 @@ This workflow involves knowledge and use of [TextAnalysisTool](https://github.co This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. > [!NOTE] -> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario. +> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario. Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. @@ -237,8 +237,8 @@ This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disas ### Resources -[802.11 Wireless Tools and Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
-[Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
+[802.11 Wireless Tools and Settings](/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
+[Understanding 802.1X authentication for wireless networks](/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
## Example ETW capture @@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta In the following example, the **View** settings are configured to **Show Only Filtered Lines**. -![TAT filter example](images/tat.png) +![TAT filter example](images/tat.png) \ No newline at end of file diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 3e360929de..89776f9222 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -22,14 +22,14 @@ ms.topic: article - Windows 10 -From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). +From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). ![Remote Desktop Connection client](images/rdp.png) ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. -- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. +- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. - The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC. @@ -64,7 +64,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu - Adding users using policy - Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). + Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). > [!TIP] > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. @@ -83,8 +83,8 @@ The table below lists the supported configurations for remotely connecting to an > [!NOTE] -> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). +> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). ## Related topics -[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop) +[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop) \ No newline at end of file diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md index 835007dc33..ac31619d20 100644 --- a/windows/client-management/generate-kernel-or-complete-crash-dump.md +++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md @@ -102,12 +102,12 @@ To do this, follow these steps: 9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction. -If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](https://docs.microsoft.com/azure/virtual-machines/linux/serial-console-nmi-sysrq). +If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq). ### Use the keyboard -[Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard) +[Forcing a System Crash from the Keyboard](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard) ### Use Debugger -[Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger) +[Forcing a System Crash from the Debugger](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger) \ No newline at end of file diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md index 0511eea424..a7d84c9fb8 100644 --- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md @@ -63,7 +63,7 @@ Even though Azure AD Join on Windows 10 Mobile provides the best overall experi - You can add access to Azure AD-backed resources on the device without resetting the device. -However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=734996) +However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](/azure/active-directory/devices/enterprise-state-roaming-overview) Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM. @@ -88,7 +88,7 @@ An added work account provides the same SSO experience in browser apps like Offi - **Windows Hello** - Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004) + Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](/windows/security/identity-protection/hello-for-business/hello-identity-verification) - **Conditional access** @@ -202,9 +202,4 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo   -  - - - - - +  \ No newline at end of file diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 7d344924f1..eb40236d6f 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -42,7 +42,7 @@ You can use the same management tools to manage all device types running Windows ## Learn more -[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx) +[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) @@ -58,16 +58,11 @@ You can use the same management tools to manage all device types running Windows [Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207) -Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=613208) +Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/) -  - - - - - +  \ No newline at end of file diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index 2950a6c6d9..a177277d07 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -39,7 +39,7 @@ Policy paths: ## Configuring the Group Policy -The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). +The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). >[!NOTE] > When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. @@ -47,6 +47,4 @@ The Group Policy can be configured in one of two ways: specify a list of pages t Here are some examples: - To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**. -- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**. - - +- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**. \ No newline at end of file diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index f4a048f445..c0e59a2033 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -28,7 +28,7 @@ This six-minute video demonstrates how users can bring in a new retail device an > [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA] >[!NOTE] - >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](https://docs.microsoft.com/information-protection/deploy-use/migrate-portal) + >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: @@ -53,42 +53,42 @@ As indicated in the diagram, Microsoft continues to provide support for deep man With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: -- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/). +- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/). -- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). +- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages). -- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/understand/introduction). +- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction). -You have multiple options for [upgrading to Windows 10](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. +You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. ## Identity and Authentication -You can use Windows 10 and services like [Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-whatis/) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. +You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. You can envision user and device management as falling into these two categories: - **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: - - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. + - For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. - - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device. + - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. - **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises. - With Windows 10, if you have an on-premises [Active Directory](https://technet.microsoft.com/windows-server-docs/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/), when employee devices are joined, they automatically register with Azure AD. This provides: + With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This provides: - Single sign-on to cloud and on-premises resources from everywhere - - [Enterprise roaming of settings](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) + - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview) - - [Conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/) to corporate resources based on the health or configuration of the device + - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device - - [Windows Hello for Business](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport) + - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) - Windows Hello - Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](https://docs.microsoft.com/configmgr/core/understand/introduction) client or Group Policy. + Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy. -For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/). +For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview). As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. @@ -109,7 +109,7 @@ Your configuration requirements are defined by multiple factors, including the l ## Updating and Servicing -With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). +With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. @@ -123,18 +123,18 @@ There are a variety of steps you can take to begin the process of modernizing de **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-gp) +**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md#policies-supported-by-gp) **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details: -- [Co-management for Windows 10 devices](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-overview) -- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-prepare) -- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-switch-workloads) -- [Co-management dashboard in Configuration Manager](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-dashboard) +- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview) +- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare) +- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads) +- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard) ## Related topics -- [What is Intune?](https://docs.microsoft.com//mem/intune/fundamentals/what-is-intune) -- [Windows 10 Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) -- [Windows 10 Configuration service Providers](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) +- [What is Intune?](//mem/intune/fundamentals/what-is-intune) +- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md) +- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 68d135449d..ed73942dd5 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -39,7 +39,7 @@ The name of the folder in which you store the mandatory profile must use the cor | Windows 10, versions 1507 and 1511 | N/A | v5 | | Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 | -For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). +For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). ## Mandatory user profile @@ -57,9 +57,9 @@ First, you create a default user profile with the customizations that you want, > [!NOTE] > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). -1. [Create an answer file (Unattend.xml)](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. +1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. -1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10). +1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10). > [!NOTE] > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. @@ -77,7 +77,7 @@ First, you create a default user profile with the customizations that you want, > > ![Microsoft Bing Translator package error](images/sysprep-error.png) > - > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. + > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. 1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. @@ -151,4 +151,4 @@ When a user is configured with a mandatory profile, Windows 10 starts as though - [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies) - [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps) - [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight) -- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm) +- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm) \ No newline at end of file diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 149457d576..88e6dfa194 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -430,4 +430,4 @@ ### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) #### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md) ### [WiredNetwork CSP](wirednetwork-csp.md) -#### [WiredNetwork DDF file](wirednetwork-ddf-file.md) +#### [WiredNetwork DDF file](wirednetwork-ddf-file.md) \ No newline at end of file diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 5bfdda98df..4a4b41b531 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -13,7 +13,7 @@ ms.date: 09/10/2020 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. The following shows the ApplicationControl CSP in tree format. @@ -140,7 +140,7 @@ Value type is char. ## Microsoft Endpoint Manager (MEM) Intune Usage Guidance -For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). +For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). ## Generic MDM Server Usage Guidance @@ -289,7 +289,7 @@ The following is an example of Delete command: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge @@ -315,4 +315,4 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa ```powershell Get-CimInstance -Namespace $namespace -ClassName $policyClassName -``` +``` \ No newline at end of file diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index bfc182df79..8b3779b672 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -209,7 +209,7 @@ Data type is Base64. Supported operations are Get, Add, Delete, and Replace. > [!NOTE] -> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP. +> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. **AppLocker/EnterpriseDataProtection** Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). @@ -267,7 +267,7 @@ Supported operations are Get, Add, Delete, and Replace. You can pair a Windows Phone (Windows 10 Mobile, version 1511) to your desktop using the Device Portal on the phone to get the various types of information, including publisher name and product name of apps installed on the phone. This procedure describes pairing your phone to your desktop using WiFi. -If this procedure does not work for you, try the other methods for pairing described in [Device Portal for Mobile](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal-mobile). +If this procedure does not work for you, try the other methods for pairing described in [Device Portal for Mobile](/windows/uwp/debug-test-perf/device-portal-mobile). **To find Publisher and PackageFullName for apps installed on Windows 10 Mobile** @@ -279,7 +279,7 @@ If this procedure does not work for you, try the other methods for pairing descr If you get a certificate error, continue to the web page. - If you get an error about not reaching the web page, then you should try the other methods for pairing described in [Device Portal for Mobile](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal-mobile). + If you get an error about not reaching the web page, then you should try the other methods for pairing described in [Device Portal for Mobile](/windows/uwp/debug-test-perf/device-portal-mobile). 6. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). 7. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. @@ -1915,13 +1915,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 15937b2e7c..56a30ede2e 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -21,7 +21,7 @@ manager: dansimp ### EnterpriseAppVManagement CSP node structure -[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) +[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md) ![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png) @@ -56,7 +56,7 @@ manager: dansimp

Dynamic policy examples:

-[Dynamic configuration processing](https://technet.microsoft.com/itpro/windows/manage/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing) +[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing)

AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages.

@@ -85,9 +85,9 @@ manager: dansimp

A complete list of App-V policies can be found here:

-[ADMX-backed policy reference](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed) +[ADMX-backed policy reference](./policy-configuration-service-provider.md) -[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) +[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md) ### SyncML examples @@ -135,7 +135,7 @@ manager: dansimp

Complete list of App-V policies can be found here:

-[Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider) +[Policy CSP](./policy-configuration-service-provider.md) #### SyncML with package published for a device (global to all users for that device) @@ -453,4 +453,4 @@ manager: dansimp -``` +``` \ No newline at end of file diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 1ab4588011..1054511f90 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -16,9 +16,9 @@ ms.date: 09/18/2018 The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. -For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211) +For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) - In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). + In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). > [!Warning] > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. @@ -44,9 +44,9 @@ AssignedAccess Root node for the CSP. **./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** -A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). +A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). -For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211) +For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) > [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. @@ -80,7 +80,7 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. **./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). > [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. @@ -142,7 +142,7 @@ Additionally, the Status payload includes the following fields: Supported operation is Get. **./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** -Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](https://docs.microsoft.com/windows/configuration/kiosk-shelllauncher). +Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). > [!Note] > You cannot set both ShellLauncher and KioskModeApp at the same time on the device. @@ -1422,7 +1422,7 @@ ShellLauncherConfiguration Get ## Windows Holographic for Business edition example -This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/hololens/hololens-provisioning). +This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). ```xml @@ -1478,4 +1478,4 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C -``` +``` \ No newline at end of file diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 378e0e0f1e..2e6f10e562 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -37,7 +37,7 @@ Windows 10 introduces a new way to configure and deploy corporate owned Windows Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD. > [!IMPORTANT] -> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license. +> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. ### BYOD scenario @@ -92,11 +92,11 @@ The following diagram illustrates the high-level flow involved in the actual enr ![azure ad enrollment flow](images/azure-ad-enrollment-flow.png) -The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic. +The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic. ## Make the MDM a reliable party of Azure AD -To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). +To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). ### Add a cloud-based MDM @@ -154,7 +154,7 @@ To add an on-premises MDM application to the tenant, there is an entry under the Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance. -For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](https://go.microsoft.com/fwlink/p/?LinkId=613671). +For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](/previous-versions/azure/dn499820(v=azure.100)). ### Key management and security guidelines @@ -364,7 +364,7 @@ The following claims are expected in the access token passed by Windows to the T > [!NOTE] > There is no device ID claim in the access token because the device may not yet be enrolled at this time. -To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). +To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). Here's an example URL. @@ -632,7 +632,7 @@ Additional claims may be present in the Azure AD token, such as: Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens: -- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](https://go.microsoft.com/fwlink/p/?LinkId=613820). +- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](/previous-versions/dotnet/framework/security/json-web-token-handler). - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). ## Device Alert 1224 for Azure AD user token diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 3db06e4963..5c8c3df694 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -892,7 +892,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1. > [!IMPORTANT] -> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview). +> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](/windows/device-security/bitlocker/bitlocker-overview). > [!Warning] > When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. @@ -1408,4 +1408,4 @@ The following example is provided to show proper format and should not be taken ``` - + \ No newline at end of file diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index c0c9fdf44c..72ce55063b 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -42,7 +42,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro - Windows 10 devices - Windows Imaging and Configuration Designer (ICD) tool - To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113) and [Getting started with Windows ICD](https://msdn.microsoft.com/library/windows/hardware/dn916112). + To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows ICD](/windows/configuration/provisioning-packages/provisioning-install-icd). - Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.) - Wi-Fi credentials, computer name scheme, and anything else required by your organization. @@ -128,9 +128,9 @@ Using the ICD, create a provisioning package using the enrollment information re Here's the list of topics about applying a provisioning package: -- [Apply a package on the first-run setup screen (out-of-the-box experience)](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment#apply-package) - topic in Technet. -- [Apply a package to a Windows 10 desktop edition image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN -- [Apply a package to a Windows 10 Mobile image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN. +- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet. +- [Apply a package to a Windows 10 desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN +- [Apply a package to a Windows 10 Mobile image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN. - [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below ## Apply a package from the Settings menu @@ -153,18 +153,12 @@ If all immediate attempts fail, a delayed task is launched to try provisioning a It will also retry to apply the provisioning each time it is launched, if started from somewhere else as well. -In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](https://msdn.microsoft.com/library/windows/desktop/aa383561.aspx)). +In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)). ## Other provisioning topics Here are links to step-by-step provisioning topics in Technet. -- [Provision PCs with apps and certificates for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-with-apps-and-certificates) -- [Provision PCs with common settings for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment) - - - - - - +- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps) +- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 565fd3436d..7e678df3f2 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -17,7 +17,7 @@ ms.date: 06/26/2017 This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). > [!Note] -> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107). +> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). ## In this topic @@ -504,4 +504,4 @@ The following example shows the encoded provisioning XML. -``` +``` \ No newline at end of file diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index b75d0c3393..1773a5a569 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -233,7 +233,7 @@ Required. Specifies the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). -For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). +For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). Value type is chr. @@ -728,9 +728,3 @@ Configure the device to automatically renew an MDM client certificate with the s - - - - - - diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 556ff58e7a..5f319c9900 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -552,7 +552,7 @@ This article lists new and updated articles for the Mobile Device Management (MD

Added a new section:

@@ -918,7 +918,7 @@ This article lists new and updated articles for the Mobile Device Management (MD

Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

-The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2 +The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

- + \ No newline at end of file diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 7f3e3f9aea..1e66232f8b 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -117,7 +117,7 @@ If a blob already exists, the Add operation will fail. If Replace is called on t If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. -In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** Password that protects the PFX blob. This is required if the PFX is password protected. @@ -216,7 +216,7 @@ Required. Specifies the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). -For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). +For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). Data type is string. @@ -700,4 +700,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index dcf8eec173..3227294e86 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -16,7 +16,7 @@ ms.date: 09/18/2020 A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. -For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download). +For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download). Additional lists: @@ -2817,4 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 8a3242f3d3..9f021cbaac 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -309,7 +309,7 @@ Supported operation is Get. **Health/QuickScanOverdue** Indicates whether a Windows Defender quick scan is overdue for the device. -A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default). +A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default). The data type is a Boolean. @@ -318,7 +318,7 @@ Supported operation is Get. **Health/FullScanOverdue** Indicates whether a Windows Defender full scan is overdue for the device. -A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default). +A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default). The data type is a Boolean. @@ -518,8 +518,8 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender AV diagnostic data](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) -- [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices) +- [Microsoft Defender AV diagnostic data](/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) +- [Collect investigation package from devices](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices) **Scan** Node that can be used to start a Windows Defender scan on a device. @@ -542,4 +542,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 382d2d379a..2f1ccdb53c 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -14,7 +14,7 @@ ms.date: 06/26/2018 # DeveloperSetup CSP -The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703. +The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703. > [!NOTE] > The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM. @@ -79,4 +79,4 @@ If authentication is enabled, HttpPort will redirect the user t **DevicePortal/Connection/HttpsPort**

An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service. -

The only supported operation is Replace. +

The only supported operation is Replace. \ No newline at end of file diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index eb09896b90..c792f232c5 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -36,7 +36,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to - Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested. - Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs. -The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526707). +The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md). @@ -60,13 +60,13 @@ This section describes how this is done. The following diagram shows the server- MSDN provides much information about the Server-Server sync protocol. In particular: -- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](https://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. +- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. +- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. Some important highlights: -- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. -- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](https://msdn.microsoft.com/library/dd304816.aspx) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. +- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. +- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. - For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). > **Note**  On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). @@ -74,7 +74,7 @@ Some important highlights: ## Examples of update metadata XML structure and element descriptions -The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). Some of the key elements are described below: +The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below: - **UpdateID** – The unique identifier for an update - **RevisionNumber** – Revision number for the update in case the update was modified. @@ -108,8 +108,8 @@ The following procedure describes a basic algorithm for a metadata sync service: - Initialization, composed of the following: 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative). - Sync periodically (we recommend once every 2 hours - no more than once/hour). - 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). - 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720)), and: + 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). + 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB. - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - Remove updates from the "needed update IDs to fault in" list once they have been brought in. @@ -710,7 +710,7 @@ Supported operations are Get and Add. **ApprovedUpdates/***Approved Update Guid* Specifies the update GUID. -To auto-approve a class of updates, you can specify the [Update Classifications](https://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the [Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85)) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. Supported operations are Get and Add. @@ -968,10 +968,3 @@ The following diagram and screenshots show the process flow of the device update ![mdm device update management screenshot](images/deviceupdatescreenshot3.png)![mdm device update management screenshot](images/deviceupdatescreenshot4.png)![mdm device update management screenshot](images/deviceupdatescreenshot5.png)![mdm device update management screenshot](images/deviceupdatescreenshot6.png)![mdm device update management screenshot](images/deviceupdatescreenshot7.png)![mdm device update management screenshot](images/deviceupdatescreenshot8.png)![mdm device update management screenshot](images/deviceupdatescreenshot9.png) - - - - - - - diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 826af867cb..0dd72c26d2 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -292,14 +292,14 @@ Added in Windows, version 1607. Integer that specifies the status of the batter Supported operation is Get. **DeviceStatus/Battery/EstimatedChargeRemaining** -Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). +Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. **DeviceStatus/Battery/EstimatedRuntime** -Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). +Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. @@ -349,9 +349,4 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s - 4 - VBS not running -Supported operation is Get. - - - - - +Supported operation is Get. \ No newline at end of file diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 99f4ef73c5..3ef1008019 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -814,7 +814,7 @@ The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used - [Collector-based tracing](#collector-based-tracing) - [Channel-based tracing](#channel-based-tracing) -The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](https://docs.microsoft.com/windows/win32/etw/about-event-tracing). +The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](/windows/win32/etw/about-event-tracing). ### Collector-based tracing @@ -1608,4 +1608,4 @@ To read a log file: 5. Set **BlockIndexToRead** to initialize read start point. 6. Get **BlockData** for upload log block. 7. Increase **BlockIndexToRead**. -8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**. +8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**. \ No newline at end of file diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index b9ed5780d0..46dd29b427 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -25,7 +25,7 @@ ms.date: 06/26/2017 # DMProcessConfigXMLFiltered function > [!Important] -> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses. +> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses. Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios. @@ -81,7 +81,7 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered( *pbstrXmlOut*


@@ -224,12 +224,5 @@ if ( bstr != NULL ) ## See also -[**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481) - - - - - - - +[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring) diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 7ccca3fe88..71084c5230 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -288,16 +288,10 @@ Alternatively, you can use the following procedure to create an EAP configuratio 1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering. > [!NOTE] -> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) article. +> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article.     -  - - - - - - +  \ No newline at end of file diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index d79b428c0e..cf55a692b9 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -17,7 +17,7 @@ manager: dansimp This is a step-by-step guide to configuring ADMX-backed policies in MDM. -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX-backed policies)](https://docs.microsoft.com/windows/client-management/mdm/policy-csps-admx-backed) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. +Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX-backed policies)](/windows/client-management/mdm/policy-csps-admx-backed) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: - Find the policy from the list ADMX-backed policies. @@ -25,17 +25,17 @@ Summary of steps to enable a policy: - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. - Create the data payload for the SyncML. -See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-microsoft-intune/) for a walk-through using Intune. +See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. >[!TIP] ->Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](https://docs.microsoft.com/intune/administrative-templates-windows) +>Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) ## Enable a policy > [!NOTE] -> See [Understanding ADMX-backed policies in Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies). +> See [Understanding ADMX-backed policies in Policy CSP](./understanding-admx-backed-policies.md). -1. Find the policy from the list [ADMX-backed policies](policy-csps-admx-backed.md). You need the following information listed in the policy description. +1. Find the policy from the list [ADMX-backed policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. - GP English name - GP name - GP ADMX file name @@ -308,5 +308,4 @@ The \ payload is empty. Here an example to set AppVirtualization/Publishin -``` - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 08073b46d6..45373ce3f7 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -20,24 +20,24 @@ The enrollment into Intune is triggered by a group policy created on your local Requirements: - AD-joined PC running Windows 10, version 1709 or later - The enterprise has configured a mobile device management (MDM) service -- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad) +- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad) - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) -- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. +- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. > [!TIP] > For additional information, see the following topics: -> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) -> - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) -> - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm) +> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) +> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) +> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. > [!NOTE] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/) +In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins) For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. @@ -48,7 +48,7 @@ The following steps demonstrate required settings using the Intune service: ![Intune license verification](images/auto-enrollment-intune-license-verification.png) -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) @@ -133,7 +133,7 @@ Requirements: > [!Tip] > You can avoid this behavior by using Conditional Access Policies in Azure AD. - Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). + Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). 6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account. @@ -268,15 +268,15 @@ To collect Event Viewer logs: ### Related topics -- [Group Policy Management Console](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx) -- [Create and Edit a Group Policy Object](https://technet.microsoft.com/library/cc754740(v=ws.11).aspx) -- [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx) -- [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx) -- [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) +- [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) +- [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11)) +- [Link a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11)) +- [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11)) +- [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11)) - [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) -- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) +- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) \ No newline at end of file diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index 7bb30dc47f..376975321c 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -11,7 +11,7 @@ ms.date: 05/21/2019 # EnrollmentStatusTracking CSP -During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status). +During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status). ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. See [DMClient CSP](dmclient-csp.md) for more information. diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 4be89ba1e5..9a0893f98e 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -143,7 +143,7 @@ EnterpriseAppVManagement

Used to perform App-V synchronization.

**AppVPublishing/Sync/PublishXML** -

Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.

+

Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.

Supported operations are Get, Delete, and Execute.

@@ -155,5 +155,4 @@ EnterpriseAppVManagement **AppVDynamicPolicy/*ConfigurationId*/Policy**

XML for App-V Policy Configuration documents for publishing packages.

-

Value type is xml. Supported operations are Add, Get, Delete, and Replace.

- +

Value type is xml. Supported operations are Add, Get, Delete, and Replace.

\ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 7221f719d1..e2c08ce80d 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -20,7 +20,7 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. -To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). +To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile). The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. ``` @@ -261,7 +261,7 @@ Entry | Description ----------- | ------------ Settings | Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. -For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page. +For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page. Here is an example for Windows 10, version 1703. @@ -1188,7 +1188,7 @@ Supported operations are Get and Replace. **Locale/Language/** -The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](https://go.microsoft.com/fwlink/p/?LinkID=189567). +The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). The language setting is configured in the Default User profile only. @@ -1678,4 +1678,4 @@ The following table lists the product ID and AUMID for each app that is included Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp - + \ No newline at end of file diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 8e674ed1e6..3b596b6652 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -14,7 +14,7 @@ ms.date: 08/09/2017 # EnterpriseDataProtection CSP -The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). +The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). > [!Note] > To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). @@ -26,8 +26,8 @@ While WIP has no hard dependency on VPN, for best results you should configure V To learn more about WIP, see the following articles: -- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) -- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) +- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) The following shows the EnterpriseDataProtection CSP in tree format. ``` @@ -76,8 +76,8 @@ Changing the primary enterprise ID is not supported and may cause unexpected beh Here are the steps to create canonical domain names: 1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). +2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. +3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). Supported operations are Add, Get, Replace, and Delete. Value type is string. @@ -353,9 +353,3 @@ Supported operation is Get. Value type is integer. - - - - - - diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 6a9673e330..60cff29616 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -541,7 +541,7 @@ Properties can be specified in the package, passed through the command line, mod Here's a list of references: -- [Using Windows Installer](https://technet.microsoft.com/library/cc782896.aspx) +- [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10)) - [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx) - SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D) @@ -568,10 +568,3 @@ Here's a list of references: - - - - - - - diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 01d4daf010..858a51a88b 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -18,7 +18,7 @@ This section provides an example of the mobile device enrollment protocol using The <AuthenticationServiceURL> element the discovery response message specifies web authentication broker page start URL. -For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). ## In this topic @@ -627,4 +627,4 @@ The following code shows sample provisioning XML (presented in the preceding pac - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. -- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. +- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. \ No newline at end of file diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 0e039ef35a..e54cf6bbd7 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -18,7 +18,7 @@ The Firewall configuration service provider (CSP) allows the mobile device manag Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. -For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/library/mt620101.aspx). +For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). The following shows the Firewall configuration service provider in tree format. ``` @@ -118,7 +118,7 @@ Firewall

Value type in integer. Supported operation is Get.

**MdmStore/Global/CurrentProfiles** -

Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

+

Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

Value type in integer. Supported operation is Get.

**MdmStore/Global/DisableStatefulFtp** @@ -132,12 +132,12 @@ Firewall

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

**MdmStore/Global/PresharedKeyEncoding** -

Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

Default value is 1.

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

**MdmStore/Global/IPsecExempt** -

This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

Default value is 0.

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

@@ -369,7 +369,7 @@ Sample syncxml to provision the firewall settings to evaluate

Boolean value. Supported operations are Get and Replace.

**FirewallRules/_FirewallRuleName_/Profiles** -

Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

+

Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

If not specified, the default is All.

Value type is integer. Supported operations are Get and Replace.

@@ -421,4 +421,4 @@ Sample syncxml to provision the firewall settings to evaluate **FirewallRules/_FirewallRuleName_/Name**

Name of the rule.

-

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

\ No newline at end of file diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index f4a14359a1..36a979715e 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -90,7 +90,7 @@ Optional. Reference to a localized string, provided by the mobile operator, that `@,-` -Where `` is the path to the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx) on MSDN. +Where `` is the path to the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](/windows/win32/intl/using-registry-string-redirection) on MSDN. > **Note**  MOAppLink is required to use the MOHelpMessage setting. @@ -165,7 +165,7 @@ For mobile operator networks that require an entitlement check, the OEM must pro The `EntitlementDll` parm of the HotSpot configuration service provider must be set to a string that is the path to this DLL. -The DLL must be code signed in a specific way, see [Sign binaries and packages](https://msdn.microsoft.com/library/windows/hardware/dn789217(v=vs.85).aspx). +The DLL must be code signed in a specific way, see [Sign binaries and packages](/previous-versions/windows/hardware/code-signing/dn789217(v=vs.85)). During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values. @@ -207,10 +207,3 @@ The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEn - - - - - - - diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 57d1c57718..08a455f462 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -28,7 +28,7 @@ Regular non-admin users can enroll to MAM.  ## Integration with Windows Information Protection -MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  To make applications WIP-aware, app developers need to include the following data in the app resource file. @@ -50,7 +50,7 @@ MAM and MDM services in an organization could be provided by different vendors. ## MAM enrollment -MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](https://msdn.microsoft.com/library/mt221945.aspx). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  +MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  Below are protocol changes for MAM enrollment:  - MDM discovery is not supported. @@ -146,7 +146,7 @@ We have updated Skype for Business to work with MAM. The following table explain -Current channel +Current channel Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. March 9 2017

Visio Pro for Office 365

@@ -154,15 +154,15 @@ We have updated Skype for Business to work with MAM. The following table explain

Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)

-Deferred channel +Deferred channel Provide users with new features of Office only a few times a year. October 10 2017 Microsoft 365 Apps for enterprise -First release for Deferred channel +First release for Deferred channel Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. June 13 2017 - + \ No newline at end of file diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index aef061ccd2..4339466ef0 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -22,7 +22,7 @@ There are two parts to the Windows 10 management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). ## MDM security baseline @@ -48,7 +48,7 @@ For more details about the MDM policies defined in the MDM security baseline and - [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) -For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows). +For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows). @@ -83,14 +83,7 @@ When an organization wants to move to MDM to manage devices, they should prepare - [Configuration service provider reference](configuration-service-provider-reference.md) - [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) - [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) -- [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) +- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) - - - - - - - diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index f1f4f5b05f..12e50c7af7 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -28,7 +28,7 @@ Here's the list of the available capabilities: - Custom Line of Business app support –Enables management and distribution of enterprise applications through the Store for Business. - Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices. -For additional information about Store for Business, see the TechNet topics in [Microsoft Store for Business](https://technet.microsoft.com/library/mt606951.aspx). +For additional information about Store for Business, see the TechNet topics in [Microsoft Store for Business](/microsoft-store/). ## Management services @@ -74,14 +74,14 @@ The Store for Business services rely on Azure Active Directory for authenticatio To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started: - Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) -- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021) -- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623023) +- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](/azure/active-directory/develop/quickstart-register-app) +- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](/azure/active-directory/develop/authentication-vs-authorization) For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026). ## Configure your Azure AD application -See [Quickstart: Register an application with the Microsoft identity platform](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app) for the steps to configure your Azure AD app. +See [Quickstart: Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app) for the steps to configure your Azure AD app. ## Azure AD Authentication for MTS @@ -122,9 +122,3 @@ The diagram below shows the call patterns for acquiring a new or updated applica - [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md) - [Get seats assigned to a user](get-seats-assigned-to-a-user.md) - - - - - - diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 061a5abdb2..32f9b5ee66 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -32,7 +32,7 @@ The enrollment process includes the following steps: ## Enrollment protocol -There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: @@ -40,7 +40,7 @@ The enrollment process involves the following steps: The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type. ### Certificate enrollment policy -The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619345) +The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210) ### Certificate enrollment The certificate enrollment is an implementation of the MS-WSTEP protocol. @@ -291,4 +291,4 @@ TraceID is a freeform text node which is logged. It should identify the server s - [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) - [Federated authentication device enrollment](federated-authentication-device-enrollment.md) - [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) \ No newline at end of file diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index e6dc9c5ed6..41f53199cc 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -20,7 +20,7 @@ ms.date: 10/20/2020 This article provides information about what's new in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). ## What’s new in MDM for Windows 10, version 20H2 @@ -104,7 +104,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s | New or updated article | Description | |-----|-----| -| The [The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2](https://docs.microsoft.com/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692?redirectedfrom=MSDN) | The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
-ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
- DomainName - fully qualified domain name if the device is domain-joined. | +| The [The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) | The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
-ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
- DomainName - fully qualified domain name if the device is domain-joined. | | [Firewall CSP](firewall-csp.md) | Added new CSP in Windows 10, version 1709. | | [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. | | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
[WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md) | New CSP added in Windows 10, version 1709. Also added the DDF topic. | @@ -116,9 +116,9 @@ For details about Microsoft mobile device management protocols for Windows 10 s | [Office CSP](office-csp.md) | Added the following setting in Windows 10, version 1709:
- Installation/CurrentStatus | | [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF articles. | | [Bitlocker CSP](bitlocker-csp.md) | Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. | -| [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) | Added new policies. | +| [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) | Added new policies. | | Microsoft Store for Business and Microsoft Store | Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. | -| [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) | New features in the Settings app:
- User sees installation progress of critical policies during MDM enrollment.
- User knows what policies, profiles, apps MDM has configured
- IT helpdesk can get detailed MDM diagnostic information using client tools
For details, see [Managing connection](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#manage-connections) and [Collecting diagnostic logs](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#collecting-diagnostic-logs).| +| [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) | New features in the Settings app:
- User sees installation progress of critical policies during MDM enrollment.
- User knows what policies, profiles, apps MDM has configured
- IT helpdesk can get detailed MDM diagnostic information using client tools
For details, see [Managing connection](./mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](./mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs).| | [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) | Added new topic to introduce a new Group Policy for automatic MDM enrollment. | | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1709:
- Authentication/AllowAadPasswordReset
- Authentication/AllowFidoDeviceSignon
- Browser/LockdownFavorites
- Browser/ProvisionFavorites
- Cellular/LetAppsAccessCellularData
- Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
- Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
- Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
- CredentialProviders/DisableAutomaticReDeploymentCredentials
- DeviceGuard/EnableVirtualizationBasedSecurity
- DeviceGuard/RequirePlatformSecurityFeatures
- DeviceGuard/LsaCfgFlags
- DeviceLock/MinimumPasswordAge
- ExploitGuard/ExploitProtectionSettings
- Games/AllowAdvancedGamingServices
- Handwriting/PanelDefaultModeDocked
- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
- LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
- LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
- LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
- LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
- LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
- LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
- LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
- LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
- LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
- Power/DisplayOffTimeoutOnBattery
- Power/DisplayOffTimeoutPluggedIn
- Power/HibernateTimeoutOnBattery
- Power/HibernateTimeoutPluggedIn
- Power/StandbyTimeoutOnBattery
- Power/StandbyTimeoutPluggedIn
- Privacy/EnableActivityFeed
- Privacy/PublishUserActivities
- Defender/AttackSurfaceReductionOnlyExclusions
- Defender/AttackSurfaceReductionRules
- Defender/CloudBlockLevel
- Defender/CloudExtendedTimeout
- Defender/ControlledFolderAccessAllowedApplications
- Defender/ControlledFolderAccessProtectedFolders
- Defender/EnableControlledFolderAccess
- Defender/EnableNetworkProtection
- Education/DefaultPrinterName
- Education/PreventAddingNewPrinters
- Education/PrinterNames
- Search/AllowCloudSearch
- Security/ClearTPMIfNotReady
- Settings/AllowOnlineTips
- Start/HidePeopleBar
- Storage/AllowDiskHealthModelUpdates
- System/DisableEnterpriseAuthProxy
- System/LimitEnhancedDiagnosticDataWindowsAnalytics
- Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
- Update/DisableDualScan
- Update/ManagePreviewBuilds
- Update/ScheduledInstallEveryWeek
- Update/ScheduledInstallFirstWeek
- Update/ScheduledInstallFourthWeek
- Update/ScheduledInstallSecondWeek
- Update/ScheduledInstallThirdWeek
- WindowsDefenderSecurityCenter/CompanyName
- WindowsDefenderSecurityCenter/DisableAppBrowserUI
- WindowsDefenderSecurityCenter/DisableEnhancedNotifications
- WindowsDefenderSecurityCenter/DisableFamilyUI
- WindowsDefenderSecurityCenter/DisableHealthUI
- WindowsDefenderSecurityCenter/DisableNetworkUI
- WindowsDefenderSecurityCenter/DisableNotifications
- WindowsDefenderSecurityCenter/DisableVirusUI
- WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
- WindowsDefenderSecurityCenter/Email
- WindowsDefenderSecurityCenter/EnableCustomizedToasts
- WindowsDefenderSecurityCenter/EnableInAppCustomization
- WindowsDefenderSecurityCenter/Phone
- WindowsDefenderSecurityCenter/URL
- WirelessDisplay/AllowMdnsAdvertisement
- WirelessDisplay/AllowMdnsDiscovery | @@ -145,7 +145,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s | [BitLocker CSP](bitlocker-csp.md) | Added the new CSP.

Added the following setting:
- AllowWarningForOtherDiskEncryption | | [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
Added the following settings:
- RevokeOnMDMHandoff
- SMBAutoEncryptedFileExtensions | | [DynamicManagement CSP](dynamicmanagement-csp.md) | Added the new CSP. | -| [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management) | New mobile application management (MAM) support added in Windows 10, version 1703. | +| [Implement server-side support for mobile application management on Windows](./implement-server-side-mobile-application-management.md) | New mobile application management (MAM) support added in Windows 10, version 1703. | | [PassportForWork CSP](passportforwork-csp.md) | Added the following new node and settings:
- _TenantId_/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
- _TenantId_/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
- _TenantId_/Policies/EnablePinRecovery | | [Office CSP](office-csp.md) | Added the new CSP. | | [Personalization CSP](personalization-csp.md) | Added the new CSP. | @@ -161,13 +161,13 @@ For details about Microsoft mobile device management protocols for Windows 10 s | [NodeCache CSP](nodecache-csp.md) | Added following settings:
- ChangedNodesData
- AutoSetExpectedValue | | [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) | Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF articles of various CSPs. | | [RemoteWipe CSP](remotewipe-csp.md) | Added new setting in Windows 10, version 1703:
- doWipeProtected | -| [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) | Added new classes and properties. | -| [Understanding ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies) | Added a section describing SyncML examples of various ADMX elements. | -| [Win32 and Desktop Bridge app policy configuration](https://docs.microsoft.com/windows/client-management/mdm/win32-and-centennial-app-policy-configuration) | New article. | -| [Deploy and configure App-V apps using MDM](https://docs.microsoft.com/windows/client-management/mdm/appv-deploy-and-config) | Added a new article describing how to deploy and configure App-V apps using MDM. | +| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes and properties. | +| [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md) | Added a section describing SyncML examples of various ADMX elements. | +| [Win32 and Desktop Bridge app policy configuration](./win32-and-centennial-app-policy-configuration.md) | New article. | +| [Deploy and configure App-V apps using MDM](./appv-deploy-and-config.md) | Added a new article describing how to deploy and configure App-V apps using MDM. | | [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) | Added new setting in the March service release of Windows 10, version 1607.
- MSI/UpgradeCode/[Guid] | | [Reporting CSP](reporting-csp.md) | Added new settings in Windows 10, version 1703.
- EnterpriseDataProtection/RetrieveByTimeRange/Type
- EnterpriseDataProtection/RetrieveByCount/Type | -| [Connect your Windows 10-based device to work using a deep link](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#connect-your-windows-10-based-device-to-work-using-a-deep-link) | Added following deep link parameters to the table:
- Username
- Servername
- Accesstoken
- Deviceidentifier
- Tenantidentifier
- Ownership | +| [Connect your Windows 10-based device to work using a deep link](./mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link) | Added following deep link parameters to the table:
- Username
- Servername
- Accesstoken
- Deviceidentifier
- Tenantidentifier
- Ownership | | MDM support for Windows 10 S | Updated the following articles to indicate MDM support in Windows 10 S.
- [Configuration service provider reference](configuration-service-provider-reference.md)
- [Policy CSP](policy-configuration-service-provider.md) | | [TPMPolicy CSP](tpmpolicy-csp.md) | Added the new CSP. | @@ -192,7 +192,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s | [Win32AppInventory CSP](win32appinventory-csp.md) | New CSP. | | [SharedPC CSP](sharedpc-csp.md) | New CSP. | | [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | New CSP. | -| [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) | Added new classes for Windows 10, version 1607. | +| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes for Windows 10, version 1607. | | [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) | Article renamed from "Enrollment UI".

Completely updated enrollment procedures and screenshots. | | [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
[UnifiedWriteFilter DDF File](unifiedwritefilter-ddf.md) | Added the following new setting for Windows 10, version 1607:
- NextSession/HORMEnabled | | [CertificateStore CSP](certificatestore-csp.md)
[CertificateStore DDF file](certificatestore-ddf-file.md) | Added the following new settings in Windows 10, version 1607:
- My/WSTEP/Renew/LastRenewalAttemptTime
- My/WSTEP/Renew/RenewNow | @@ -457,7 +457,7 @@ Alternatively you can use the following procedure to create an EAP Configuration 8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering. > [!NOTE] -> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx). +> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). ### Remote PIN reset not supported in Azure Active Directory joined mobile devices @@ -478,7 +478,7 @@ If you want to use the certificate used for VPN authentication also for Kerberos ### Device management agent for the push-button reset is not working -The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. +The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. ## Frequently Asked Questions @@ -506,4 +506,4 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history for MDM documentation -To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). +To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). \ No newline at end of file diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 58e1e0a8e9..d6b675a103 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -14,7 +14,7 @@ manager: dansimp # Office CSP -The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). +The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365). This CSP was added in Windows 10, version 1703. @@ -265,4 +265,4 @@ To get the current status of Office 365 on the device. Failure - + \ No newline at end of file diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index fbb49aae1f..c73d5fdc8d 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -35,7 +35,7 @@ The following diagram shows the PassportForWork configuration service provider i Root node for PassportForWork configuration service provider. ***TenantId*** -A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](https://docs.microsoft.com/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). +A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). ***TenantId*/Policies** Node for defining the Windows Hello for Business policy settings. @@ -271,7 +271,7 @@ Scope is permanent. Supported operation is Get. **SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. +Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. Scope is dynamic. Supported operations are Add, Get, Replace, and Delete. @@ -500,10 +500,4 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol   -  - - - - - - +  \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 9f3f62b646..0265cea198 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -16,8 +16,8 @@ ms.date: 10/08/2020 > [!div class="op_single_selector"] > -> - [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md) -> - [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) +> - [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md) +> - [ADMX-backed policies in Policy CSP]() > - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) @@ -1744,4 +1744,4 @@ ms.date: 10/08/2020 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 14a994d0a3..d7d340e2b5 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -16,8 +16,8 @@ ms.date: 07/18/2019 > [!div class="op_single_selector"] > -> - [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md) -> - [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) +> - [Policies in Policy CSP supported by Group Policy]() +> - [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) > - [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock) @@ -906,4 +906,4 @@ ms.date: 07/18/2019 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index 0a8beec733..0c6853e5dd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md @@ -16,9 +16,9 @@ ms.date: 09/17/2019 > [!div class="op_single_selector"] > -> - [HoloLens 2](policy-csps-supported-by-hololens2.md) -> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) -> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +> - [HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md) +> - [HoloLens (1st gen) Commercial Suite]() +> - [HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) > - [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) @@ -68,4 +68,4 @@ ms.date: 09/17/2019 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index 256ddb3528..564838b14a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md @@ -16,9 +16,9 @@ ms.date: 07/18/2019 > [!div class="op_single_selector"] > -> - [HoloLens 2](policy-csps-supported-by-hololens2.md) -> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) -> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +> - [HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md) +> - [HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) +> - [HoloLens (1st gen) Development Edition]() > - [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) @@ -66,4 +66,4 @@ ms.date: 07/18/2019 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index bd4bcafd21..507b737aa0 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -16,9 +16,9 @@ ms.date: 10/08/2020 > [!div class="op_single_selector"] > -> - [HoloLens 2](policy-csps-supported-by-hololens2.md) -> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) -> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +> - [HoloLens 2]() +> - [HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) +> - [HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) > - [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) @@ -83,13 +83,13 @@ ms.date: 10/08/2020 - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8 - [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8 -- [RemoteLock/Lock](https://docs.microsoft.com/windows/client-management/mdm/remotelock-csp) 9 +- [RemoteLock/Lock](./remotelock-csp.md) 9 - [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) - [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) 9 - [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) 9 - [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) -- [Settings/PageVisibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) 9 +- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) @@ -124,8 +124,8 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. -- 9 - Available in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) ## Related topics -[Policy CSP](policy-configuration-service-provider.md) +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md index e19d3350a5..a477aa8c1e 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md @@ -73,4 +73,4 @@ ms.date: 09/16/2019 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index e39b0aef27..763534dad3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -15,9 +15,9 @@ ms.date: 07/22/2020 # Policies in Policy CSP supported by Microsoft Surface Hub -- [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock) -- [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) +- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) - [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera) - [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) - [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) @@ -95,4 +95,4 @@ ms.date: 07/22/2020 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 071df833d0..d7d277b03b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -100,7 +100,7 @@ The following diagram shows the Policy configuration service provider in tree fo

Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration. > [!NOTE] -> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/library/cc179097.aspx). +> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).

ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. @@ -8572,26 +8572,26 @@ The following diagram shows the Policy configuration service provider in tree fo ## Policies in Policy CSP supported by Group Policy and ADMX-backed policies in Policy CSP -- [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md) -- [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) +- [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md) +- [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) > [!NOTE] > Not all Policies in Policy CSP supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). ## Policies in Policy CSP supported by HoloLens devices -- [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md) -- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) -- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md) +- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) +- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) ## Policies in Policy CSP supported by Windows 10 IoT - [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md) ## Policies in Policy CSP supported by Microsoft Surface Hub -- [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md) +- [Policies in Policy CSP supported by Microsoft Surface Hub](./policies-in-policy-csp-supported-by-surface-hub.md) ## Policies in Policy CSP that can be set using Exchange ActiveSync (EAS) -- [Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)](policy-csps-that-can-be-set-using-eas.md) +- [Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)](./policies-in-policy-csp-that-can-be-set-using-eas.md) ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 4367ed3ed6..644ff6136e 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -230,7 +230,7 @@ The following list shows the supported values: Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. > [!NOTE] -> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). > [!NOTE] > If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. @@ -257,5 +257,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index e8a57b01bf..c6bcd46621 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -84,7 +84,7 @@ If you enable this policy setting, SSL cipher suites are prioritized in the orde If you disable or do not configure this policy setting, default cipher suite order is used. -For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](https://go.microsoft.com/fwlink/?LinkId=517265). +For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel). > [!TIP] @@ -200,5 +200,4 @@ Footnotes: - 8 - Available in Windows 10, version 2004 - 9 - Available in Windows 10, version 20H2 - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 7d0997f275..73c539f766 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -929,7 +929,7 @@ The following are the supported values: Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by special logons, such as the following: - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-special-logon). +- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). Volume: Low. @@ -2994,7 +2994,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](https://docs.microsoft.com/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). +Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. @@ -4803,5 +4803,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 2f4c7acf11..03fcf174ca 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -17,7 +17,7 @@ manager: dansimp > [!NOTE] -> To manage encryption of PCs and devices, use [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). +> To manage encryption of PCs and devices, use [BitLocker CSP](./bitlocker-csp.md).

@@ -106,5 +106,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index e65609226d..8f0000728f 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium # Policy CSP - Browser > [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). +> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). ## Browser policies @@ -2129,7 +2129,7 @@ ADMX Info: Supported values: - 0 (default) – Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. -- 1 – Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). +- 1 – Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Most restricted value: 0 @@ -2343,7 +2343,7 @@ Supported values: [!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)] -For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). +For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). @@ -2428,7 +2428,7 @@ Supported values: [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] -You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). +You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). @@ -2678,7 +2678,7 @@ Most restricted value: 0 > This policy has no effect when the Browser/HomePages policy is not configured.  > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). @@ -2837,7 +2837,7 @@ ADMX Info: Supported values: - 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. -- 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). +- 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). @@ -3823,7 +3823,7 @@ Most restricted value: 0 [!INCLUDE [set-default-search-engine-shortdesc](../../../browsers/edge/shortdesc/set-default-search-engine-shortdesc.md)] > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). Most restricted value: 0 @@ -3843,7 +3843,7 @@ Supported values: - Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](#browser-allowsearchenginecustomization) policy, users cannot make changes. - 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. -- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. +- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. Most restricted value: 1 @@ -4378,4 +4378,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 5844d94ceb..b1e5575610 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -102,7 +102,7 @@ The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the - \ For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy -](policy-csps-supported-by-group-policy.md). +](./policies-in-policy-csp-supported-by-group-policy.md). The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 9da8c6ce2c..afbff9a990 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -77,7 +77,7 @@ manager: dansimp -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. +This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. Most restricted value is 0. @@ -161,5 +161,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 6387efccc5..8f9ad402e3 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1161,7 +1161,7 @@ ADMX Info: Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. -For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). +For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). Value type is string. @@ -2314,7 +2314,7 @@ ADMX Info: Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. > [!NOTE] -> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). @@ -3123,5 +3123,4 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - 9 - Available in Windows 10, version 20H2. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 2eae3ea3be..64e37f5868 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -90,7 +90,7 @@ Secure Launch configuration: - 1 - Enables Secure Launch if supported by hardware - 2 - Disables Secure Launch. -For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). @@ -326,5 +326,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ba86d69fad..33f0d68455 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -103,7 +103,7 @@ If you enable this policy setting, Windows is allowed to install or update any d If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -214,7 +214,7 @@ If you enable this policy setting, Windows is allowed to install or update any d If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -326,7 +326,7 @@ This setting allows device installation based on the serial number of a removabl If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -635,7 +635,7 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. -Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -752,7 +752,7 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. -Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -879,7 +879,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. -Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -955,5 +955,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index f68a71f820..7ab4c6bf71 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -184,7 +184,7 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). +For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -421,7 +421,7 @@ Specifies when the password expires (in days). If all policy values = 0 then 0; otherwise, Min policy value is the most secure value. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). +For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -488,7 +488,7 @@ The value includes the user's current password. This means that with a setting o Max policy value is the most restricted. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). +For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -619,7 +619,7 @@ This policy has different behaviors on the mobile device and desktop. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). +For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -687,7 +687,7 @@ Specifies the maximum amount of time (in minutes) allowed after the device is id -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). +For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -816,7 +816,7 @@ Enforced values for Local and Microsoft Accounts: The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). +For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). @@ -878,7 +878,7 @@ Specifies the minimum number or characters required in the PIN or password. Max policy value is the most restricted. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). +For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). @@ -1128,5 +1128,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 0d8f6b40f8..24279ffb4d 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -73,7 +73,7 @@ manager: dansimp -This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing. +This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing. Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. @@ -122,5 +122,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 8550d25403..4cf594449d 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1344,7 +1344,7 @@ The following list shows the supported values: [!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)] Related policy: - [PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) + [PreventUsersFromTurningOnBrowserSyncing](#experience-preventusersfromturningonbrowsersyncing) @@ -1438,7 +1438,7 @@ _**Turn syncing off by default but don’t disable**_ [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] Related policy: - [DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) + [DoNotSyncBrowserSettings](#experience-donotsyncbrowsersetting) @@ -1574,5 +1574,4 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - 9 - Available in Windows 10, version 20H2. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 92829f957e..33e976d513 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -74,7 +74,7 @@ manager: dansimp -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. @@ -129,5 +129,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 73e6d3c865..ed9d89ce2f 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -3490,7 +3490,7 @@ ADMX Info: This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. > [!Caution] -> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. +> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. @@ -20143,5 +20143,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index be0176ca9b..b7c4328ba0 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -16,7 +16,7 @@ manager: dansimp -These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_). +These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).

@@ -438,5 +438,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8b0191b9c6..a0b1076deb 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -165,7 +165,7 @@ manager: dansimp
> [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](https://docs.microsoft.com/windows/client-management/mdm/policy-ddf-file). +> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). **LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** @@ -3467,4 +3467,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index c320a8134e..e3b17cf340 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -96,7 +96,7 @@ Here is an example of the policy definition XML for group configuration: where: -- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. +- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. - ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R: - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. @@ -106,12 +106,12 @@ where: > [!NOTE] > When specifying member names of the user accounts, you must use following format – AzureAD/userUPN. For example, "AzureAD/user1@contoso.com" or "AzureAD/user2@contoso.co.uk". For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. -for more information, see [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). +for more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). -See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. +See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. > [!IMPORTANT] -> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. +> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. > - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. > - `` is not valid for the R (Restrict) action and will be ignored if present. > - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. @@ -210,7 +210,7 @@ Yes, you can remove a member even if it isn't a member of the group. This will r ### How can I add a domain group as a member to a local group? -To add a domain group as a member to a local group, specify the domain group in `` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. +To add a domain group as a member to a local group, specify the domain group in `` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. ### Can I apply more than one LocalUserAndGroups policy/XML to the same device? @@ -317,4 +317,4 @@ Footnotes: Available in Windows 10, version 20H2 - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 95d9af4a93..e438503509 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -356,8 +356,8 @@ This is the list of domains that comprise the boundaries of the enterprise. Data Here are the steps to create canonical domain names: 1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). +2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. +3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). @@ -553,5 +553,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index fb3651acb0..34f3bd6b74 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -80,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy setting blocks applications from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). +Added in Windows 10, version 1803. This policy setting blocks applications from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs. @@ -273,5 +273,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 4b9506c5c9..6e60b430b9 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -145,8 +145,8 @@ Here's an example: ``` where: -- `` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. -- `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. +- `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group. > [!NOTE] @@ -182,4 +182,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 7c7feb1aeb..13eb6fdc71 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -158,7 +158,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. +Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. @@ -411,7 +411,7 @@ The following list shows the supported values: Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. -Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. +Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. @@ -716,5 +716,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 0b6888322b..1519ff7e40 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1936,7 +1936,7 @@ Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/. > [!IMPORTANT] > Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. -The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). +The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles). @@ -2078,7 +2078,7 @@ Here is additional SKU support information: Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy -For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/windows/configuration/configure-windows-10-taskbar). +For further details on how to customize the Start layout, please see [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](/windows/configuration/configure-windows-10-taskbar). @@ -2103,5 +2103,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 52f43753a2..a3d2099a3e 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -721,7 +721,7 @@ ADMX Info: Example for setting the device custom OMA-URI setting to enable this policy: To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. -See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/intune/custom-settings-windows-10) for information on how to create custom profiles. +See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles. @@ -740,5 +740,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 6012a60ed9..0c15cbd8fe 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -706,7 +706,7 @@ The following list shows the supported values: Allows the device to send diagnostic and usage telemetry data, such as Watson. -For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). +For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). The following list shows the supported values for Windows 8.1: - 0 - Not allowed. @@ -1612,7 +1612,7 @@ To enable this behavior, you must complete two steps:
  • Set Allow Telemetry to level 2 (Enhanced)
    • -When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. +When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. @@ -1779,4 +1779,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 1a7026a930..fd7d92d8dd 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1991,7 +1991,7 @@ ADMX Info: Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. -For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/). +For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." @@ -4333,7 +4333,7 @@ The following list shows the supported values: -Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information/). +Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](/windows/release-health/release-information/). ADMX Info: @@ -4607,4 +4607,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index b1a0a67245..44ac3534f2 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -18,7 +18,7 @@ manager: dansimp
    -User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx). +User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). Even though strings are supported for well-known accounts and groups, it is better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. @@ -1901,4 +1901,4 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - + \ No newline at end of file diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index bcae3dceaf..ebb05242cf 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md @@ -18,13 +18,13 @@ ms.date: 09/22/2017 # Push notification support for device management -The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](https://go.microsoft.com/fwlink/p/?linkid=528800), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). +The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a device management session with a device, it can utilize its token and the device ChannelURI and begin communicating with the device. For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification). -Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](https://go.microsoft.com/fwlink/p/?LinkId=733254). +Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](/previous-versions/windows/apps/jj676791(v=win.10)). Note the following restrictions related to push notifications and WNS: @@ -82,10 +82,4 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. ![mdm push notification](images/push-notification10.png) 12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app. -  - - - - - - +  \ No newline at end of file diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md index 57368cb103..b86bc99ffa 100644 --- a/windows/client-management/mdm/remotelock-csp.md +++ b/windows/client-management/mdm/remotelock-csp.md @@ -100,7 +100,7 @@ This node will return the following status. All OMA DM errors are listed [here]( **LockAndRecoverPIN** Added in Windows 10, version 1703. This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work. -Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/passportforwork-csp#tenantid-policies-enablepinrecovery) policy is set on the client. +Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](./passportforwork-csp.md#tenantid-policies-enablepinrecovery) policy is set on the client. **NewPINValue** @@ -160,10 +160,4 @@ Initiate a remote lock and PIN reset of the device. To successfully retrieve the   -  - - - - - - +  \ No newline at end of file diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 6585261229..4d66f1b68f 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -56,16 +56,9 @@ Supported operations are Get and Replace. ## Related topics -[Set up Take a Test on multiple PCs](https://technet.microsoft.com/edu/windows/take-a-test-multiple-pcs) +[Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 14cd5810b2..1471683b35 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -19,7 +19,7 @@ Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy confi ## Background -In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](https://technet.microsoft.com/library/cc753471(v=ws.10).aspx). +In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: @@ -30,10 +30,10 @@ In a domain controller/Group Policy ecosystem, Group Policies are automatically An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM. -Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies). +Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](./policy-configuration-service-provider.md#admx-backed-policies). >[!TIP] ->Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](https://docs.microsoft.com/intune/administrative-templates-windows) +>Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) ## ADMX files and the Group Policy Editor @@ -67,7 +67,7 @@ Note that most Group Policies are a simple Boolean type. For a Boolean Group Pol > [!IMPORTANT] > Any data entry field that is displayed in the Group Policy page of the Group Policy Editor must be supplied in the encoded XML of the SyncML payload. The SyncML data payload is equivalent to the user-supplied Group Policy data through GPEdit.msc. -For more information about the Group Policy description format, see [Administrative Template File (ADMX) format](https://msdn.microsoft.com/library/aa373476(v=vs.85).aspx). Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see [policy elements](https://msdn.microsoft.com/library/dn606004(v=vs.85).aspx)). +For more information about the Group Policy description format, see [Administrative Template File (ADMX) format](/previous-versions/windows/desktop/Policy/admx-schema). Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see [policy elements](/previous-versions/windows/desktop/Policy/element-elements)). For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you will find the following occurrences: @@ -565,4 +565,4 @@ Variations of the `list` element are dictated by attributes. These attributes ar -``` +``` \ No newline at end of file diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 875bce0570..db915eb9fe 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -73,7 +73,7 @@ Update **ApprovedUpdates/***Approved Update Guid*

    Specifies the update GUID. -

    To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +

    To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.

    Supported operations are Get and Add. @@ -220,10 +220,3 @@ Added in Windows 10, version 1803. Returns the result of last RollBack FeatureUp - - - - - - - diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md index 5bdd2eaf0f..37ff112671 100644 --- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -14,16 +14,16 @@ ms.date: 06/26/2017 # Using PowerShell scripting with the WMI Bridge Provider -This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the [WMI Bridge Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx). +This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). ## Configuring per-device policy settings -This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system"). +This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system"). For all device settings, the WMI Bridge client must be executed under local system user. To do that, download the psexec tool from and run `psexec.exe -i -s cmd.exe` from an elevated admin command prompt. -The script example in this section uses the class [MDM\_Policy\_Config01\_WiFi02](https://msdn.microsoft.com/library/windows/desktop/dn905246.aspx): +The script example in this section uses the class [MDM\_Policy\_Config01\_WiFi02](/windows/win32/dmwmibridgeprov/mdm-policy-config01-wifi02): ```ManagedCPlusPlus [dynamic, provider("DMWmiBridgeProv"), InPartition("local-system")] @@ -73,7 +73,7 @@ catch [Exception] This section provides a PowerShell Cmdlet sample script to configure per-user settings through the WMI Bridge. If a class supports user settings, there must be a class level qualifier defined for InPartition("local-user"). -The script example in this section uses the class [MDM\_Policy\_User\_Config01\_Authentication02](https://msdn.microsoft.com/library/windows/desktop/mt146854.aspx): +The script example in this section uses the class [MDM\_Policy\_User\_Config01\_Authentication02](/windows/win32/dmwmibridgeprov/mdm-policy-user-config01-authentication02): ```ManagedCPlusPlus [dynamic, provider("DMWmiBridgeProv"), InPartition("local-user")] @@ -193,7 +193,7 @@ catch [Exception] This section provides a PowerShell Cmdlet sample script to invoke a WMI Bridge object method. The following script must be executed under local system user. To do that, download the psexec tool from and run `psexec.exe -i -s cmd.exe` from an elevated admin command prompt. -The script example in this section uses the [UpgradeEditionWithProductKeyMethod](https://msdn.microsoft.com/library/windows/desktop/mt599805.aspx) method of the [MDM\_WindowsLicensing](https://msdn.microsoft.com/library/windows/desktop/dn948453.aspx) class. +The script example in this section uses the [UpgradeEditionWithProductKeyMethod](/windows/win32/dmwmibridgeprov/mdm-windowslicensing-upgradeeditionwithproductkeymethod) method of the [MDM\_WindowsLicensing](/windows/win32/dmwmibridgeprov/mdm-windowslicensing) class. ```PowerShell $namespaceName = "root\cimv2\mdm\dmmap" @@ -220,11 +220,6 @@ catch [Exception] ## Related topics -[WMI Bridge Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) - -  - - - - +[WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) +  \ No newline at end of file diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 60702d4f69..2d28b2f3cc 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -15,7 +15,7 @@ ms.date: 04/02/2017 # VPN CSP -The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](https://technet.microsoft.com/library/ff687731%28v=ws.10%29.aspx). +The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)). > **Note**   The VPN CSP is deprecated in Windows 10 and it only supported in Windows 10 Mobile for backward compatibility. Use [VPNv2 CSP](vpnv2-csp.md) instead. @@ -137,7 +137,7 @@ Not Implemented. Optional. Value type is int. Supported operations are Get, Add, Replace, and Delete. **Authentication/EAP** -Required when IKEv2 is selected. Defines the EAP blob to be used for IKEv2 authentication. You can use EAP-MSCHAPv2 or EAP-TLS. EAP blob is HTML encoded XML as defined in EAP Host Config schemas. You can find the schemas in [Microsoft EAP MsChapV2 Schema](https://go.microsoft.com/fwlink/p/?LinkId=523885) and [Microsoft EAP TLS Schema](https://go.microsoft.com/fwlink/p/?LinkId=523884). +Required when IKEv2 is selected. Defines the EAP blob to be used for IKEv2 authentication. You can use EAP-MSCHAPv2 or EAP-TLS. EAP blob is HTML encoded XML as defined in EAP Host Config schemas. You can find the schemas in [Microsoft EAP MsChapV2 Schema](/openspecs/windows_protocols/ms-gpwl/03bc6492-39a9-48b6-99a3-543469f66541) and [Microsoft EAP TLS Schema](/openspecs/windows_protocols/ms-gpwl/9590925c-cba2-4ac5-b9a1-1e5292bb72cb). Supported operations are Get, Add, and Replace. @@ -294,9 +294,4 @@ An example is corp.contoso.com.   -  - - - - - +  \ No newline at end of file diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 174c633ba4..125bbfb687 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -51,7 +51,7 @@ SSID is the name of network you are connecting to, while Profile name is the nam The supported operations are Add, Get, Delete, and Replace. **WlanXML** -The XML that describes the network configuration and follows the [WLAN\_profile Schema](https://go.microsoft.com/fwlink/p/?LinkId=325608) on MSDN. +The XML that describes the network configuration and follows the [WLAN\_profile Schema](/windows/win32/nativewifi/wlan-profileschema-schema) on MSDN. Supported operations are Get, Add, Delete, and Replace. @@ -59,9 +59,9 @@ Value type is chr. The profile XML must be escaped, as shown in the examples below. -If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](https://go.microsoft.com/fwlink/p/?LinkId=523870). +If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). -> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](https://go.microsoft.com/fwlink/p/?LinkId=618963). +> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). The supported operations are Add, Get, Delete, and Replace. @@ -233,10 +233,3 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw - - - - - - - diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index 8dc07634aa..56f387cdc1 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md @@ -15,7 +15,7 @@ ms.date: 06/26/2017 # WindowsSecurityAuditing CSP -The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) to see if this CSP and others are supported on your Windows installation. +The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](./configuration-service-provider-reference.md) to see if this CSP and others are supported on your Windows installation. The following shows the WindowsSecurityAuditing configuration service provider in tree format. ``` @@ -65,14 +65,8 @@ Enable logging of audit events. ``` -For more information about Windows security auditing, see [What's new in security auditing](https://technet.microsoft.com/itpro/windows/whats-new/security-auditing). +For more information about Windows security auditing, see [What's new in security auditing](/windows/whats-new/whats-new-windows-10-version-1507-and-1511).   -  - - - - - - +  \ No newline at end of file diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 206aa9dbc0..2f3cdf7fc7 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -52,7 +52,7 @@ Result ## MDM Bridge WMI classes -For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.microsoft.com/library/windows/hardware/dn905224). +For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). ## MDM WMI classes @@ -69,55 +69,55 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro -MDM_AppInstallJob +MDM_AppInstallJob

    Currently testing.

    -MDM_Application +MDM_Application

    Currently testing.

    -MDM_ApplicationFramework +MDM_ApplicationFramework

    Currently testing.

    -MDM_ApplicationSetting +MDM_ApplicationSetting

    Currently testing.

    -MDM_BrowserSecurityZones +MDM_BrowserSecurityZones cross mark -MDM_BrowserSettings +MDM_BrowserSettings cross mark -MDM_Certificate +MDM_Certificate cross mark -MDM_CertificateEnrollment +MDM_CertificateEnrollment cross mark -MDM_Client +MDM_Client

    Currently testing.

    -MDM_ConfigSetting +MDM_ConfigSetting cross mark -MDM_DeviceRegistrationInfo +MDM_DeviceRegistrationInfo -MDM_EASPolicy +MDM_EASPolicy cross mark -MDM_MgMtAuthority +MDM_MgMtAuthority cross mark @@ -129,39 +129,39 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro -MDM_RemoteApplication +MDM_RemoteApplication

    Test not started.

    -MDM_RemoteAppUseCookie +MDM_RemoteAppUseCookie

    Test not started.

    -MDM_Restrictions +MDM_Restrictions cross mark -MDM_RestrictionsUser +MDM_RestrictionsUser

    Test not started.

    -MDM_SecurityStatus +MDM_SecurityStatus cross mark -MDM_SideLoader +MDM_SideLoader -MDM_SecurityStatusUser +MDM_SecurityStatusUser

    Currently testing.

    -MDM_Updates +MDM_Updates cross mark -MDM_VpnApplicationTrigger +MDM_VpnApplicationTrigger cross mark @@ -169,39 +169,39 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro -MDM_WebApplication +MDM_WebApplication

    Currently testing.

    -MDM_WirelessProfile +MDM_WirelessProfile cross mark -MDM_WirelesssProfileXML +MDM_WirelesssProfileXML cross mark -MDM_WNSChannel +MDM_WNSChannel cross mark -MDM_WNSConfiguration +MDM_WNSConfiguration cross mark -MSFT_NetFirewallProfile +MSFT_NetFirewallProfile cross mark -MSFT_VpnConnection +MSFT_VpnConnection cross mark -SoftwareLicensingProduct +SoftwareLicensingProduct -SoftwareLicensingService +SoftwareLicensingService @@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro | Class | Test completed in Windows 10 for desktop | |--------------------------------------------------------------------------|------------------------------------------| -| [**wpcappoverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -| [**wpcgameoverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -| [**wpcgamessettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -| [**wpcrating**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -| [**wpcRatingsDescriptor**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | | -| [**wpcratingssystem**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -| [**wpcsystemsettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -| [**wpcurloverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -| [**wpcusersettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -| [**wpcwebsettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | +| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | @@ -230,73 +230,73 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro | Class | Test completed in Windows 10 for desktop | |--------------------------------------------------------------------------|------------------------------------------| -[**Win32\_1394Controller**](https://msdn.microsoft.com/library/windows/hardware/aa394059) | -[**Win32\_BaseBoard**](https://msdn.microsoft.com/library/windows/hardware/aa394072) | -[**Win32\_Battery**](https://msdn.microsoft.com/library/windows/hardware/aa394074) | ![cross mark](images/checkmark.png) -[**Win32\_BIOS**](https://msdn.microsoft.com/library/windows/hardware/aa394077) | ![cross mark](images/checkmark.png) -[**Win32\_CDROMDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394081) | -[**Win32\_ComputerSystem**](https://msdn.microsoft.com/library/windows/hardware/aa394102) | ![cross mark](images/checkmark.png) -[**Win32\_ComputerSystemProduct**](https://msdn.microsoft.com/library/windows/hardware//aa394105) | ![cross mark](images/checkmark.png) -[**Win32\_CurrentTime**](https://msdn.microsoft.com/library/windows/hardware/aa394114) | ![cross mark](images/checkmark.png) -[**Win32\_Desktop**](https://msdn.microsoft.com/library/windows/hardware/aa394121) | -[**Win32\_DesktopMonitor**](https://msdn.microsoft.com/library/windows/hardware/aa394122) |![cross mark](images/checkmark.png) -[**Win32\_DiskDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394132) | ![cross mark](images/checkmark.png) -[**Win32\_DiskPartition**](https://msdn.microsoft.com/library/windows/hardware/aa394135) | -[**Win32\_DisplayConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394137) | ![cross mark](images/checkmark.png) -[**Win32\_DMAChannel**](https://msdn.microsoft.com/library/windows/hardware/aa394139) | -[**Win32\_DriverVXD**](https://msdn.microsoft.com/library/windows/hardware/aa394141) | -[**Win32\_EncryptableVolume**](https://msdn.microsoft.com/library/windows/hardware/aa376483) | -[**Win32\_Environment**](https://msdn.microsoft.com/library/windows/hardware/aa394143) | -[**Win32\_IDEController**](https://msdn.microsoft.com/library/windows/hardware/aa394155) | -[**Win32\_InfraredDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394158) | -[**Win32\_IRQResource**](https://msdn.microsoft.com/library/windows/hardware/aa394164) | -[**Win32\_Keyboard**](https://msdn.microsoft.com/library/windows/hardware/aa394166) | -[**Win32\_LoadOrderGroup**](https://msdn.microsoft.com/library/windows/hardware/aa394168) | -[**Win32\_LocalTime**](https://msdn.microsoft.com/library/windows/hardware/aa394171) | ![cross mark](images/checkmark.png) -[**Win32\_LoggedOnUser**](https://msdn.microsoft.com/library/windows/hardware/aa394172) | -[**Win32\_LogicalDisk**](https://msdn.microsoft.com/library/windows/hardware/aa394173) | ![cross mark](images/checkmark.png) -[**Win32\_MotherboardDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394204) | -[**Win32\_NetworkAdapter**](https://msdn.microsoft.com/library/windows/hardware/aa394216) | ![cross mark](images/checkmark.png) -[**Win32\_NetworkAdapterConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394217) | -[**Win32\_NetworkClient**](https://msdn.microsoft.com/library/windows/hardware/aa394219) | -[**Win32\_NetworkLoginProfile**](https://msdn.microsoft.com/library/windows/hardware/aa394221) | -[**Win32\_NetworkProtocol**](https://msdn.microsoft.com/library/windows/hardware/aa394223) | -[**Win32\_NTEventlogFile**](https://msdn.microsoft.com/library/windows/hardware/aa394225) | -[**Win32\_OperatingSystem**](https://msdn.microsoft.com/library/windows/hardware/aa394239) | ![cross mark](images/checkmark.png) -[**Win32\_OSRecoveryConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394242) | -[**Win32\_PageFileSetting**](https://msdn.microsoft.com/library/windows/hardware/aa394245) | -[**Win32\_ParallelPort**](https://msdn.microsoft.com/library/windows/hardware/aa394247) | -[**Win32\_PCMCIAController**](https://msdn.microsoft.com/library/windows/hardware/aa394251) | -[**Win32\_PhysicalMedia**](https://msdn.microsoft.com/library/windows/hardware/aa394346) | -[**Win32\_PhysicalMemory**](https://msdn.microsoft.com/library/windows/hardware/aa394347) | ![cross mark](images/checkmark.png) -[**Win32\_PnPDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394352) | -[**Win32\_PnPEntity**](https://msdn.microsoft.com/library/windows/hardware/aa394353) | -[**Win32\_PointingDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394356) | -[**Win32\_PortableBattery**](https://msdn.microsoft.com/library/windows/hardware/aa394357) | -[**Win32\_PortResource**](https://msdn.microsoft.com/library/windows/hardware/aa394359) | -[**Win32\_POTSModem**](https://msdn.microsoft.com/library/windows/hardware/aa394360) | -[**Win32\_Printer**](https://msdn.microsoft.com/library/windows/hardware/aa394363) | -[**Win32\_PrinterConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394364) | -[**Win32\_Processor**](https://msdn.microsoft.com/library/windows/hardware/aa394373) | ![cross mark](images/checkmark.png) -[**Win32\_QuickFixEngineering**](https://msdn.microsoft.com/library/windows/hardware/aa394391) | ![cross mark](images/checkmark.png) -[**Win32\_Registry**](https://msdn.microsoft.com/library/windows/hardware/aa394394) | -[**Win32\_SCSIController**](https://msdn.microsoft.com/library/windows/hardware/aa394400) | -[**Win32\_SerialPort**](https://msdn.microsoft.com/library/windows/hardware/aa394413) | -[**Win32\_SerialPortConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394414) | -[**Win32\_ServerFeature**](https://msdn.microsoft.com/library/windows/hardware/cc280268) | -[**Win32\_Service**](https://msdn.microsoft.com/library/windows/hardware/aa394418) | ![cross mark](images/checkmark.png) -[**Win32\_Share**](https://msdn.microsoft.com/library/windows/hardware/aa394435) | ![cross mark](images/checkmark.png) -[**Win32\_SoundDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394463) | -[**Win32\_SystemAccount**](https://msdn.microsoft.com/library/windows/hardware/aa394466) | -[**Win32\_SystemBIOS**](https://msdn.microsoft.com/library/windows/hardware/aa394467) | ![cross mark](images/checkmark.png) -[**Win32\_SystemDriver**](https://msdn.microsoft.com/library/windows/hardware/aa394472) | -[**Win32\_SystemEnclosure**](https://msdn.microsoft.com/library/windows/hardware/aa394474) | ![cross mark](images/checkmark.png) -[**Win32\_TapeDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394491) | -[**Win32\_TimeZone**](https://msdn.microsoft.com/library/windows/hardware/aa394498) | ![cross mark](images/checkmark.png) -[**Win32\_UninterruptiblePowerSupply**](https://msdn.microsoft.com/library/windows/hardware/aa394503) | -[**Win32\_USBController**](https://msdn.microsoft.com/library/windows/hardware/aa394504) | -[**Win32\_UTCTime**](https://msdn.microsoft.com/library/windows/hardware/aa394510) | ![cross mark](images/checkmark.png) -[**Win32\_VideoController**](https://docs.microsoft.com/windows/win32/cimwin32prov/win32-videocontroller) | +[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | +[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | +[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark](images/checkmark.png) +[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark](images/checkmark.png) +[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | +[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark](images/checkmark.png) +[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark](images/checkmark.png) +[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark](images/checkmark.png) +[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | +[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark](images/checkmark.png) +[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark](images/checkmark.png) +[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | +[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark](images/checkmark.png) +[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | +[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | +[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | +[**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) | +[**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) | +[**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) | +[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | +[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | +[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | +[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark](images/checkmark.png) +[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | +[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark](images/checkmark.png) +[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | +[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark](images/checkmark.png) +[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | +[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | +[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | +[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | +[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | +[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark](images/checkmark.png) +[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | +[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | +[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | +[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | +[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | +[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark](images/checkmark.png) +[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | +[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | +[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | +[**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) | +[**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) | +[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | +[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | +[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | +[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark](images/checkmark.png) +[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark](images/checkmark.png) +[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | +[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | +[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | +[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | +[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | +[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark](images/checkmark.png) +[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark](images/checkmark.png) +[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | +[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | +[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark](images/checkmark.png) +[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | +[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark](images/checkmark.png) +[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | +[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark](images/checkmark.png) +[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | +[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | +[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark](images/checkmark.png) +[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | **Win32\_WindowsUpdateAgentVersion** | @@ -305,4 +305,4 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro [Configuration service provider reference](configuration-service-provider-reference.md) ## Related Links -[CIM Video Controller](https://docs.microsoft.com/windows/win32/cimwin32prov/cim-videocontroller) +[CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller) \ No newline at end of file diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 239c1f1379..d13f235344 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -497,7 +497,7 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Wind - Security -- [VPN](https://go.microsoft.com/fwlink/p/?LinkId=623295) and enterprise Wi-Fi management +- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management - Certificate management @@ -505,11 +505,11 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Wind - Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu -Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). +Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md). If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317). -No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference. +No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference. ## Related topics @@ -522,7 +522,4 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId= [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) -  - - - +  \ No newline at end of file diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md index e90c985fdb..8a41883885 100644 --- a/windows/client-management/reset-a-windows-10-mobile-device.md +++ b/windows/client-management/reset-a-windows-10-mobile-device.md @@ -25,14 +25,14 @@ ms.topic: article There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. - **Factory reset** restores the state of the device back to its first-boot state plus any update packages. The reset will not return device to the original factory state. To return the device to the original factory state, you must flash it with the original factory image by using the [Windows Device Recovery Tool](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). All the provisioning applied to the device by the enterprise will be lost and will need to be re-applied if needed. For details on what is removed or persists, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkID=703715). -- **"Wipe and persist" reset** preserves all the provisioning applied to the device before the reset. After the "wipe and persist" reset, all the preserved provisioning packages are automatically applied on the device and the data in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent is restored in that folder. For more information on the enterprise shared storage folder, see [EnterpriseExtFileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkId=703716). +- **"Wipe and persist" reset** preserves all the provisioning applied to the device before the reset. After the "wipe and persist" reset, all the preserved provisioning packages are automatically applied on the device and the data in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent is restored in that folder. For more information on the enterprise shared storage folder, see [EnterpriseExtFileSystem CSP](./mdm/enterpriseextfilessystem-csp.md). You can trigger a reset using your mobile device management (MDM) service, or a user can trigger a reset in the user interface (UI) or by using hardware buttons. ## Reset using MDM -The remote wipe command is sent as an XML provisioning file to the device. Since the [RemoteWipe configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=703714) uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning. The remote wipe command is implemented on the device by using the **ResetPhone** function. For more information about the data that is removed as a result of the remote wipe command, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkId=703715). +The remote wipe command is sent as an XML provisioning file to the device. Since the [RemoteWipe configuration service provider (CSP)](./mdm/remotewipe-csp.md) uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning. The remote wipe command is implemented on the device by using the **ResetPhone** function. For more information about the data that is removed as a result of the remote wipe command, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkId=703715). To perform a factory reset, restoring the device back to its out-of-box state, use the following syncML. @@ -91,9 +91,4 @@ If your phone is unresponsive and you can't reach **Settings**, you may be able   -  - - - - - +  \ No newline at end of file diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 4f7a2555e1..3fa7f1b6c8 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -202,4 +202,4 @@ To view system failure and recovery settings for your local computer, type **wmi ## References -[Varieties of Kernel-Mode Dump Files](https://docs.microsoft.com/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) +[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index b774919abf..f2673f9414 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -73,8 +73,8 @@ When a computer shuts down or restarts because of a Stop error, Windows includes After you identify the hexadecimal value, use the following references to continue troubleshooting: - [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md). -- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. -- [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/). +- [Bug Check Code Reference](/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. +- [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](/archive/blogs/askcore/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners). ### Scenario 2: The computer restarts because you pressed and held the power button @@ -118,4 +118,4 @@ If you perform these checks and still cannot isolate the problem, set the system > > 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**. > 1. In the **Startup and Recovery** section, select **Settings**. -> 1. Clear the **Automatically restart** check box. +> 1. Clear the **Automatically restart** check box. \ No newline at end of file diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 959de7db9d..30dcf8c3bd 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -41,7 +41,7 @@ Any one of the following factors might cause the stop error: ## Troubleshoot this error -Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps. +Start the computer in [Windows Recovery Mode (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps. 1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088). @@ -278,4 +278,4 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the * `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` - ![SFC scannow](images/sfc-scannow.png) + ![SFC scannow](images/sfc-scannow.png) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md index 7ff85215fe..3f28ccd47b 100644 --- a/windows/client-management/troubleshoot-networking.md +++ b/windows/client-management/troubleshoot-networking.md @@ -26,11 +26,11 @@ The following topics are available to help you troubleshoot common problems rela ## Concepts and technical references -[802.1X authenticated wired access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))
    -[802.1X authenticated wireless access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))
    -[Wireless cccess deployment overview](https://docs.microsoft.com/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
    -[TCP/IP technical reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
    -[Network Monitor](https://docs.microsoft.com/windows/desktop/netmon2/network-monitor)
    -[RPC and the network](https://docs.microsoft.com/windows/desktop/rpc/rpc-and-the-network)
    -[How RPC works](https://docs.microsoft.com/windows/desktop/rpc/how-rpc-works)
    -[NPS reason codes](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))
    +[802.1X authenticated wired access overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))
    +[802.1X authenticated wireless access overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))
    +[Wireless cccess deployment overview](/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
    +[TCP/IP technical reference](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
    +[Network Monitor](/windows/desktop/netmon2/network-monitor)
    +[RPC and the network](/windows/desktop/rpc/rpc-and-the-network)
    +[How RPC works](/windows/desktop/rpc/how-rpc-works)
    +[NPS reason codes](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))
    \ No newline at end of file diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 0ed8e1db70..db3002bb91 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -78,7 +78,7 @@ To troubleshoot Stop error messages, follow these general steps: > >You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](https://support.microsoft.com/help/816071). > - >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). + >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). ### Memory dump collection @@ -134,7 +134,7 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols ### Advanced debugging references [Advanced Windows Debugging](https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460)
    -[Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](https://docs.microsoft.com/windows-hardware/drivers/debugger/index) +[Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](/windows-hardware/drivers/debugger/index) ### Debugging steps @@ -143,15 +143,15 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols 3. On the other computer, download the [Windows 10 SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk). 4. Start the install and choose **Debugging Tools for Windows**. This installs the WinDbg tool. 5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**.
    - a. If the computer is connected to the Internet, enter the [Microsoft public symbol server](https://docs.microsoft.com/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method.
    - b. If the computer is not connected to the Internet, you must specify a local [symbol path](https://docs.microsoft.com/windows-hardware/drivers/debugger/symbol-path). + a. If the computer is connected to the Internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method.
    + b. If the computer is not connected to the Internet, you must specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path). 6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. ![WinDbg](images/windbg.png) 7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page. 8. A detailed bugcheck analysis will appear. See the example below. ![Bugcheck analysis](images/bugcheck-analysis.png) 9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL. -10. See [Using the !analyze Extension](https://docs.microsoft.com/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output. +10. See [Using the !analyze Extension](/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output. There are many possible causes of a bugcheck and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22: @@ -218,7 +218,7 @@ Use the following guidelines when you use Driver Verifier: - Enable concurrent verification on groups of 10–20 drivers. - Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode. -For more information, see [Driver Verifier](https://docs.microsoft.com/windows-hardware/drivers/devtest/driver-verifier). +For more information, see [Driver Verifier](/windows-hardware/drivers/devtest/driver-verifier). ## Common Windows Stop errors @@ -234,7 +234,7 @@ PAGE_FAULT_IN_NONPAGED_AREA
    Stop error code 0x000000050 | If a driver is ide SYSTEM_SERVICE_EXCEPTION
    Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files). NTFS_FILE_SYSTEM
    Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. KMODE_EXCEPTION_NOT_HANDLED
    Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.

    If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:

    Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. -DPC_WATCHDOG_VIOLATION
    Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](https://blogs.msdn.microsoft.com/ntdebugging/2012/12/07/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012/) to find the problematic driver from the memory dump. +DPC_WATCHDOG_VIOLATION
    Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump. USER_MODE_HEALTH_MONITOR
    Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
    This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
    Event ID: 4870
    Source: Microsoft-Windows-FailoverClustering
    Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
    For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). ## Debugging examples @@ -576,4 +576,4 @@ ReadVirtual: 812d1248 not properly sign extended ## References -[Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2) +[Bug Check Code Reference](/windows-hardware/drivers/debugger/bug-check-code-reference2) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index ed2dc15ba1..b432191920 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -17,7 +17,7 @@ manager: dansimp In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. > [!NOTE] -> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide). +> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide). To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image: @@ -61,9 +61,9 @@ Network traces which are collected using the **netsh** commands built in to Wind ## More information -[Intro to Filtering with Network Monitor 3.0](https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/)
    +[Intro to Filtering with Network Monitor 3.0](/archive/blogs/netmon/intro-to-filtering-with-network-monitor-3-0)
    [Network Monitor Filter Examples](https://blogs.technet.microsoft.com/rmilne/2016/08/11/network-monitor-filter-examples/)
    [Network Monitor Wireless Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1900.network-monitor-wireless-filtering.aspx)
    [Network Monitor TCP Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1134.network-monitor-tcp-filtering.aspx)
    [Network Monitor Conversation Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1829.network-monitor-conversation-filtering.aspx)
    -[How to setup and collect network capture using Network Monitor tool](https://blogs.technet.microsoft.com/msindiasupp/2011/08/10/how-to-setup-and-collect-network-capture-using-network-monitor-tool/)
    +[How to setup and collect network capture using Network Monitor tool](/archive/blogs/msindiasupp/how-to-setup-and-collect-network-capture-using-network-monitor-tool)
    \ No newline at end of file diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 40c0ff98c2..e41c64b649 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -146,7 +146,7 @@ If Task Manager did not help you identify the process, then use Process Explorer Steps to use Process explorer: -1. [Download Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) and run it **Elevated**. +1. [Download Process Explorer](/sysinternals/downloads/process-explorer) and run it **Elevated**. 2. Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**. 3. Select **View \ Show Lower Pane**. 4. Select **View \ Lower Pane View \ Handles**. @@ -194,7 +194,6 @@ goto loop ## Useful links -- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status - -- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/yongrhee/2018/01/09/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) +- [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status +- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index ee292cb2a6..3b6738986f 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -129,7 +129,7 @@ If the computer is no longer frozen and now is running in a good state, use the 3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump. - To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. + To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. > [!NOTE] > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146). @@ -206,7 +206,7 @@ If the physical computer is still running in a frozen state, follow these steps * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` - Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. + Make sure that the [CrashDumpEnabled](/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` @@ -259,7 +259,7 @@ Use the one of the following methods for the application on which the virtual ma #### Microsoft Hyper-V -If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](https://docs.microsoft.com/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump. +If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump. To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell: @@ -284,4 +284,4 @@ On Windows Server 2008, you may not have enough free disk space to generate a co Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028). -For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx). +For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx). \ No newline at end of file diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md index bd9f09bfd0..9d9283a355 100644 --- a/windows/client-management/troubleshoot-windows-startup.md +++ b/windows/client-management/troubleshoot-windows-startup.md @@ -46,10 +46,10 @@ To understand the underlying cause of Windows startup problems, it's important t These articles will walk you through the resources you need to troubleshoot Windows startup issues: -- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems) +- [Advanced troubleshooting for Windows boot problems](./advanced-troubleshooting-boot-problems.md) -- [Advanced troubleshooting for Stop error or blue screen error](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors) +- [Advanced troubleshooting for Stop error or blue screen error](./troubleshoot-stop-errors.md) -- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze) +- [Advanced troubleshooting for Windows-based computer freeze issues](./troubleshoot-windows-freeze.md) -- [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md) +- [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md) \ No newline at end of file diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index e8a8cb2a19..89ddc89a10 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -37,7 +37,7 @@ Windows 10 supports end-to-end device lifecycle management to give companies con ## Deploy Windows 10 Mobile has a built-in device management client to deploy, configure, maintain, and support smartphones. Common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT), this client provides a single interface through which mobile device management (MDM) solutions can manage any device that runs Windows 10. Because the MDM client integrates with identity management, the effort required to manage devices throughout the lifecycle is greatly reduced. -Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select the system that best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050). +Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select the system that best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](./mdm/index.md). ### Deployment scenarios @@ -176,16 +176,16 @@ IT can block the addition of a personal identity, such as an MSA or Google Accou > [!NOTE] -> In the context of [Windows-as-a-Service](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing), differentiation of MDM capabilities may change in the future. +> In the context of [Windows-as-a-Service](/windows/deployment/update/), differentiation of MDM capabilities may change in the future. ### Infrastructure choices *Applies to: Corporate and personal devices* -For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD Premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](https://technet.microsoft.com/library/mt627908.aspx). +For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD Premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](/mem/configmgr/mdm/understand/what-happened-to-hybrid). **Azure Active Directory** -Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. +Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. **Mobile Device Management** Microsoft [Intune](https://www.microsoft.com/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Microsoft 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. @@ -193,7 +193,7 @@ Multiple MDM systems support Windows 10 and most support personal and corporate > [!NOTE] > Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Microsoft 365. -In addition, Microsoft recently added MDM capabilities powered by Intune to Microsoft 365, called Basic Mobility and Security for Microsoft 365. Basic Mobility and Security for Microsoft 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. Basic Mobility and Security for Microsoft 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information, see [Overview of Basic Mobility and Security for Microsoft 365](https://technet.microsoft.com/library/ms.o365.cc.devicepolicy.aspx). +In addition, Microsoft recently added MDM capabilities powered by Intune to Microsoft 365, called Basic Mobility and Security for Microsoft 365. Basic Mobility and Security for Microsoft 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. Basic Mobility and Security for Microsoft 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information, see [Overview of Basic Mobility and Security for Microsoft 365](/microsoft-365/admin/basic-mobility-security/overview). **Cloud services** On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect diagnostic and usage data. Windows 10 Mobile enables organizations to manage how devices consume these cloud services. @@ -217,7 +217,7 @@ MDM administrators can define and implement policy settings on any personal or c > [!NOTE] > This guide helps IT professionals understand management options available for the Windows 10 Mobile OS. Please consult your MDM system documentation to understand how these policies are enabled by your MDM vendor. -Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors. +Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors. ### Account profile @@ -234,8 +234,8 @@ Enforcing what accounts employees can use on a corporate device is important for Email and associated calendar and contacts are the primary apps that users access on their smartphones. Configuring them properly is key to the success of any mobility program. In both corporate and personal device deployment scenarios, these email account settings get deployed immediately after enrollment. Using your corporate MDM system, you can define corporate email account profiles, deploy them to devices, and manage inbox policies. -- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [Exchange ActiveSync CSP](https://msdn.microsoft.com/library/windows/hardware/dn920017(v=vs.85).aspx). -- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](https://msdn.microsoft.com/library/windows/hardware/dn904953(v=vs.85).aspx). Microsoft Intune does not currently support the creation of an SMTP email profile. +- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [Exchange ActiveSync CSP](./mdm/activesync-csp.md). +- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](./mdm/email2-csp.md). Microsoft Intune does not currently support the creation of an SMTP email profile. ### Device Lock restrictions @@ -265,7 +265,7 @@ Most of the device lock restriction policies have been available through Exchang Settings related to Windows Hello would be important device lock settings to configure if you are deploying devices using the corporate deployment scenario. Microsoft made it a requirement for all users to create a numeric passcode as part of Azure AD Join. This policy default requires users to select a four-digit passcode, but this can be configured with an Azure AD-registered MDM system to whatever passcode complexity your organization desires. If you are using Azure AD with an automatic MDM enrollment mechanism, these policy settings are automatically applied during device enrollment. -You may notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies are applied, with the strongest policy retained. Read [PassportForWork CSP](https://msdn.microsoft.com/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information. +You may notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies are applied, with the strongest policy retained. Read [PassportForWork CSP](./mdm/passportforwork-csp.md), [DeviceLock CSP](./mdm/devicelock-csp.md) (Windows Phone 8.1), and [Policy CSP](./mdm/policy-configuration-service-provider.md#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information. ### Prevent changing of settings @@ -312,7 +312,7 @@ Certificates help improve security by providing account authentication, Wi-Fi au To install certificates manually, you can post them on Microsoft Edge website or send them directly by using email, which is ideal for testing purposes. Using Simple Certificate Enrollment Protocol (SCEP) and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device, as long as the MDM system supports the SCEP or Personal Information Exchange (PFX). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired. In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings. -For more detailed information about MDM certificate management, see [Client Certificate Install CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile). +For more detailed information about MDM certificate management, see [Client Certificate Install CSP](./mdm/clientcertificateinstall-csp.md) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile). Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidentally. > [!NOTE] @@ -359,7 +359,7 @@ In addition, you can set the following device wide Wi-Fi settings: - **Allow Internet Sharing** Allows or disallows Internet sharing - **WLAN Scan Mode** Specifies how actively the device scans for Wi-Fi networks -For more detailed information about Wi-Fi connection profile settings, see [Wi-Fi CSP](https://msdn.microsoft.com/library/windows/hardware/dn904981(v=vs.85).aspx) and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx). +For more detailed information about Wi-Fi connection profile settings, see [Wi-Fi CSP](./mdm/wifi-csp.md) and [Policy CSP](./mdm/policy-configuration-service-provider.md). ### APN profiles @@ -391,7 +391,7 @@ You can define and deploy APN profiles in MDM systems that configure cellular da - **Allow user control** Allows users to connect with other APNs than the enterprise APN - **Hide view** Specifies whether the cellular UX allows the user to view enterprise APNs -For more detailed information about APN settings, see [APN CSP](https://msdn.microsoft.com/library/windows/hardware/dn958617(v=vs.85).aspx). +For more detailed information about APN settings, see [APN CSP](./mdm/enterpriseapn-csp.md). ### Proxy @@ -409,7 +409,7 @@ The following lists the Windows 10 Mobile settings for managing APN proxy settin - **Proxy connection type** The proxy connection type, supporting: Null proxy, HTTP, WAP, SOCKS4 - **Port** The port number of the proxy connection -For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.microsoft.com/library/windows/hardware/dn914762(v=vs.85).aspx). +For more details on proxy settings, see [CM_ProxyEntries CSP](./mdm/cm-proxyentries-csp.md). ### VPN @@ -460,7 +460,7 @@ In addition, you can specify per VPN profile: - No other VPN profiles can be connected or modified. - **ProfileXML** In case your MDM system does not support all the VPN settings you want to configure, you can create an XML file that defines the VPN profile you want to apply to all the fields you require. -For more details about VPN profiles, see [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776(v=vs.85).aspx). +For more details about VPN profiles, see [VPNv2 CSP](./mdm/vpnv2-csp.md). Some device-wide settings for managing VPN connections can help you manage VPNs over cellular data connections, which in turn helps reduce costs associated with roaming or data plan charges: - **Allow VPN** Specifies whether users can change VPN settings @@ -471,7 +471,7 @@ Some device-wide settings for managing VPN connections can help you manage VPNs *Applies to: Corporate and personal devices* -Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. +Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. Windows 10 Mobile also has the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on so you don’t need to set a policy explicitly to enable it. @@ -506,7 +506,7 @@ For compatibility with existing apps, Windows Phone 8.1 apps still run on Window Microsoft also made it easier for organizations to license and purchase UWP apps via Microsoft Store for Business and deploy them to employee devices using the Microsoft Store, or an MDM system, that can be integrated with the Microsoft Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security. -To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/windows/uwp/porting/index). +To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](/windows/uwp/get-started/universal-application-platform-guide) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](/windows/uwp/porting/). ### Microsoft Store for Business: Sourcing the right app @@ -543,7 +543,7 @@ IT administrators can control which apps are allowed to be installed on Windows Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store. -For more information, see [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx). +For more information, see [AppLocker CSP](./mdm/applocker-csp.md). In addition to controlling which apps are allowed, IT professionals can also implement additional app management settings on Windows 10 Mobile, using an MDM: @@ -557,9 +557,9 @@ In addition to controlling which apps are allowed, IT professionals can also imp - **Require Private Store Only** Specifies whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available. - **Restrict App Data to System Volume** Specifies whether app data is allowed only on the system drive or can be stored on an SD card. - **Restrict App to System Volume** Specifies whether app installation is allowed only to the system drive or can be installed on an SD card. -- **Start screen layout** An XML blob used to configure the Start screen (for more information, see [Start layout for Windows 10 Mobile](https://msdn.microsoft.com/library/windows/hardware/mt171093(v=vs.85).aspx)). +- **Start screen layout** An XML blob used to configure the Start screen (for more information, see [Start layout for Windows 10 Mobile](/windows/configuration/mobile-devices/start-layout-xml-mobile)). -Find more details on application management options in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#ApplicationManagement_AllowAllTrustedApps). +Find more details on application management options in the [Policy CSP](./mdm/policy-configuration-service-provider.md#ApplicationManagement_AllowAllTrustedApps). ### Data leak prevention @@ -603,7 +603,7 @@ The following table lists the settings that can be configured for Windows Inform * Mandatory Windows Information Protection policies. To make Windows Information Protection functional, AppLocker and network isolation settings (specifically Enterprise IP Range and Enterprise Network Domain Names) must be configured. This defines the source of all corporate data that needs protection and also ensures data written to these locations won’t be encrypted by the user’s encryption key so that others in the company can access it. -For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). +For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](./mdm/enterprisedataprotection-csp.md) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). ### Managing user activities @@ -813,7 +813,7 @@ To learn more about diagnostic, see [Configure Windows diagnostic data in your o To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning package to inject the Windows 10 Enterprise license on a Windows 10 Mobile device. Licenses can be obtained from the Volume Licensing portal. For testing purposes, you can obtain a licensing file from the MSDN download center. A valid MSDN subscription is required. -For more information on updating a device to Enterprise edition, see [WindowsLicensing CSP](https://msdn.microsoft.com/library/windows/hardware/dn904983(v=vs.85).aspx). +For more information on updating a device to Enterprise edition, see [WindowsLicensing CSP](./mdm/windowslicensing-csp.md). > [!NOTE] > We recommend using Enterprise edition only on corporate devices. Once a device has been upgraded, it cannot be downgraded. Even a device wipe or reset will not remove the enterprise license from personal devices. @@ -893,7 +893,7 @@ Pause Feature Updates for up to 35 days *Applies to: Corporate devices with Enterprise edition* -Set update client experience with [Allowautomaticupdate](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates. +Set update client experience with [Allowautomaticupdate](./mdm/policy-configuration-service-provider.md#Update_AllowAutoUpdate) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates. This can include: - Notifying users prior to downloading updates. @@ -903,7 +903,7 @@ This can include: - Automatically downloading and restarting devices without user interaction. - Turning off automatic updates. This option should be used only for systems under regulatory compliance. The device does not receive any updates. -In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, and so on) or on a specific [day of the week](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, and so on). +In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](./mdm/policy-configuration-service-provider.md#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, and so on) or on a specific [day of the week](./mdm/policy-configuration-service-provider.md#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, and so on). #### Managing the source of updates with MDM @@ -921,7 +921,7 @@ IT administrators can specify where the device gets updates from with AllowUpdat When using WSUS, set **UpdateServiceUrl** to allow the device to check for updates from a WSUS server instead of Windows Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet, usually handheld devices used for task completion, or other Windows IoT devices. -For more information, see [managing updates with Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx). +For more information, see [managing updates with Windows Server Update Services (WSUS)](/windows/deployment/deploy-whats-new). #### Querying the device update status @@ -1080,13 +1080,13 @@ A better option than wiping the entire device is to use Windows Information Prot ## Related topics -- [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050) +- [Mobile device management](./mdm/index.md) - [Enterprise Mobility + Security](https://go.microsoft.com/fwlink/p/?LinkId=723984) -- [Overview of Mobile Device Management for Office 365](https://go.microsoft.com/fwlink/p/?LinkId=734052) +- [Overview of Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/overview) - [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=722910) ## Revision History - November 2015 Updated for Windows 10 Mobile (version 1511) -- August 2016 Updated for Windows 10 Mobile Anniversary Update (version 1607) +- August 2016 Updated for Windows 10 Mobile Anniversary Update (version 1607) \ No newline at end of file diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 9274477150..f906dc759d 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -19,116 +19,116 @@ Microsoft regularly releases both updates for Windows Server. To ensure your ser This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 in an enterprise or IT pro environment. Additional topics will be added as they become available. ## Troubleshoot 802.1x Authentication -- [Advanced Troubleshooting 802.1X Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication) -- [Data collection for troubleshooting 802.1X authentication](https://docs.microsoft.com/windows/client-management/data-collection-for-802-authentication) +- [Advanced Troubleshooting 802.1X Authentication](./advanced-troubleshooting-802-authentication.md) +- [Data collection for troubleshooting 802.1X authentication](./data-collection-for-802-authentication.md) ## Troubleshoot BitLocker -- [Guidelines for troubleshooting BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/troubleshoot-bitlocker) -- [BitLocker cannot encrypt a drive: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues) -- [Enforcing BitLocker policies by using Intune: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues) -- [BitLocker Network Unlock: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues) -- [BitLocker recovery: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues) -- [BitLocker configuration: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues) -- [BitLocker cannot encrypt a drive: known TPM issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues) -- [BitLocker and TPM: other known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues) -- [Decode Measured Boot logs to track PCR changes](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs) -- [BitLocker frequently asked questions (FAQ)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions) +- [Guidelines for troubleshooting BitLocker](/windows/security/information-protection/bitlocker/troubleshoot-bitlocker) +- [BitLocker cannot encrypt a drive: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues) +- [Enforcing BitLocker policies by using Intune: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues) +- [BitLocker Network Unlock: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues) +- [BitLocker recovery: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues) +- [BitLocker configuration: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues) +- [BitLocker cannot encrypt a drive: known TPM issues](/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues) +- [BitLocker and TPM: other known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues) +- [Decode Measured Boot logs to track PCR changes](/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs) +- [BitLocker frequently asked questions (FAQ)](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions) ## Troubleshoot Bugcheck and Stop errors -- [Introduction to the page file](https://docs.microsoft.com/windows/client-management/introduction-page-file) -- [How to determine the appropriate page file size for 64-bit versions of Windows](https://docs.microsoft.com/windows/client-management/determine-appropriate-page-file-size) -- [Configure system failure and recovery options in Windows](https://docs.microsoft.com/windows/client-management/system-failure-recovery-options) -- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump) -- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors) -- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) -- [Blue Screen Data - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/blue-screen-data) -- [Bug Check Code Reference - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2) +- [Introduction to the page file](./introduction-page-file.md) +- [How to determine the appropriate page file size for 64-bit versions of Windows](./determine-appropriate-page-file-size.md) +- [Configure system failure and recovery options in Windows](./system-failure-recovery-options.md) +- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md) +- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md) +- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) +- [Blue Screen Data - Windows drivers](/windows-hardware/drivers/debugger/blue-screen-data) +- [Bug Check Code Reference - Windows drivers](/windows-hardware/drivers/debugger/bug-check-code-reference2) ## Troubleshoot Credential Guard -- [Windows Defender Credential Guard - Known issues (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-known-issues) +- [Windows Defender Credential Guard - Known issues (Windows 10)](/windows/security/identity-protection/credential-guard/credential-guard-known-issues) ## Troubleshoot Disks -- [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) -- [Windows and GPT FAQ](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-and-gpt-faq) +- [MBR2GPT](/windows/deployment/mbr-to-gpt) +- [Windows and GPT FAQ](/windows-hardware/manufacture/desktop/windows-and-gpt-faq) ## Troubleshoot Kiosk mode -- [Troubleshoot kiosk mode issues](https://docs.microsoft.com/windows/configuration/kiosk-troubleshoot) +- [Troubleshoot kiosk mode issues](/windows/configuration/kiosk-troubleshoot) ## Troubleshoot No Boot -- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems) +- [Advanced troubleshooting for Windows boot problems](./advanced-troubleshooting-boot-problems.md) ## Troubleshoot Push Button Reset -- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-faq) -- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-validation) -- [Recovery components](https://docs.microsoft.com/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations) +- [Push-button reset frequently-asked questions (FAQ)](/windows-hardware/manufacture/desktop/pbr-faq) +- [Push-button reset frequently-asked questions (FAQ)](/windows-hardware/manufacture/desktop/pbr-validation) +- [Recovery components](/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations) ### Troubleshoot Power Management -- [Modern Standby FAQs](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-faqs) +- [Modern Standby FAQs](/windows-hardware/design/device-experiences/modern-standby-faqs) ## Troubleshoot Secure Boot -- [Secure Boot isn't configured correctly: troubleshooting](https://docs.microsoft.com/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting) +- [Secure Boot isn't configured correctly: troubleshooting](/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting) ## Troubleshoot Setup and Install -- [Deployment Troubleshooting and Log Files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files) +- [Deployment Troubleshooting and Log Files](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files) ## Troubleshoot Start Menu -- [Troubleshoot Start menu errors](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot) +- [Troubleshoot Start menu errors](/windows/configuration/start-layout-troubleshoot) ## Troubleshoot Subscription Activation -- [Deploy Windows 10 Enterprise licenses](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses) +- [Deploy Windows 10 Enterprise licenses](/windows/deployment/deploy-enterprise-licenses) ## Troubleshoot System Hang -- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze) +- [Advanced troubleshooting for Windows-based computer freeze issues](./troubleshoot-windows-freeze.md) ## Troubleshoot TCP/IP Communication -- [Collect data using Network Monitor](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-netmon) -- [Troubleshoot TCP/IP connectivity](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-connectivity) -- [Troubleshoot port exhaustion issues](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-port-exhaust) -- [Troubleshoot Remote Procedure Call (RPC) errors](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-rpc-errors) +- [Collect data using Network Monitor](./troubleshoot-tcpip-netmon.md) +- [Troubleshoot TCP/IP connectivity](./troubleshoot-tcpip-connectivity.md) +- [Troubleshoot port exhaustion issues](./troubleshoot-tcpip-port-exhaust.md) +- [Troubleshoot Remote Procedure Call (RPC) errors](./troubleshoot-tcpip-rpc-errors.md) ## Troubleshoot User State Migration Toolkit (USMT) -- [Common Issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues) -- [Frequently Asked Questions](https://docs.microsoft.com/windows/deployment/usmt/usmt-faq) -- [Log Files](https://docs.microsoft.com/windows/deployment/usmt/usmt-log-files) -- [Return Codes](https://docs.microsoft.com/windows/deployment/usmt/usmt-return-codes) +- [Common Issues](/windows/deployment/usmt/usmt-common-issues) +- [Frequently Asked Questions](/windows/deployment/usmt/usmt-faq) +- [Log Files](/windows/deployment/usmt/usmt-log-files) +- [Return Codes](/windows/deployment/usmt/usmt-return-codes) ## Troubleshoot Windows Hello for Business (WHFB) -- [Windows Hello for Business Frequently Asked Questions](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello errors during PIN creation (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation) -- [Event ID 300 - Windows Hello successfully created (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-event-300) +- [Windows Hello for Business Frequently Asked Questions](/windows/security/identity-protection/hello-for-business/hello-faq) +- [Windows Hello errors during PIN creation (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation) +- [Event ID 300 - Windows Hello successfully created (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-event-300) ## Troubleshoot Windows Analytics -- [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-faq-troubleshooting) +- [Frequently asked questions and troubleshooting Windows Analytics](/windows/deployment/update/windows-analytics-faq-troubleshooting) ## Troubleshoot Windows Update -- [How Windows Update works](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works) -- [Windows Update log files](https://docs.microsoft.com/windows/deployment/update/windows-update-logs) -- [Windows Update troubleshooting](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting) -- [Windows Update common errors and mitigation](https://docs.microsoft.com/windows/deployment/update/windows-update-errors) -- [Windows Update - Additional resources](https://docs.microsoft.com/windows/deployment/update/windows-update-resources) -- [Get started with Windows Update](https://docs.microsoft.com/windows/deployment/update/windows-update-overview) -- [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates) +- [How Windows Update works](/windows/deployment/update/how-windows-update-works) +- [Windows Update log files](/windows/deployment/update/windows-update-logs) +- [Windows Update troubleshooting](/windows/deployment/update/windows-update-troubleshooting) +- [Windows Update common errors and mitigation](/windows/deployment/update/windows-update-errors) +- [Windows Update - Additional resources](/windows/deployment/update/windows-update-resources) +- [Get started with Windows Update](/windows/deployment/update/windows-update-overview) +- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates) ## Troubleshoot Windows Upgrade -- [Quick fixes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes) -- [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) -- [Troubleshoot Windows 10 upgrade errors - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors) -- [Windows error reporting - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/windows-error-reporting) -- [Upgrade error codes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes) -- [Log files - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/log-files) -- [Resolution procedures - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures) +- [Quick fixes - Windows IT Pro](/windows/deployment/upgrade/quick-fixes) +- [SetupDiag](/windows/deployment/upgrade/setupdiag) +- [Troubleshoot Windows 10 upgrade errors - Windows IT Pro](/windows/deployment/upgrade/troubleshoot-upgrade-errors) +- [Windows error reporting - Windows IT Pro](/windows/deployment/upgrade/windows-error-reporting) +- [Upgrade error codes - Windows IT Pro](/windows/deployment/upgrade/upgrade-error-codes) +- [Log files - Windows IT Pro](/windows/deployment/upgrade/log-files) +- [Resolution procedures - Windows IT Pro](/windows/deployment/upgrade/resolution-procedures) ## Troubleshoot Windows Recovery (WinRE) -- [Windows RE troubleshooting features](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-re-troubleshooting-features) +- [Windows RE troubleshooting features](/windows-hardware/manufacture/desktop/windows-re-troubleshooting-features) ## Troubleshoot Wireless Connection -- [Advanced Troubleshooting Wireless Network Connectivity](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity) +- [Advanced Troubleshooting Wireless Network Connectivity](./advanced-troubleshooting-wireless-network-connectivity.md) ## Other Resources -- [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting) +- [Troubleshooting Windows Server components](/windows-server/troubleshoot/windows-server-troubleshooting) \ No newline at end of file diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md index b5977c0973..a287d48be1 100644 --- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/windows-libraries.md @@ -35,7 +35,7 @@ Administrators can configure and control Windows libraries in the following ways - Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. - Specify locations to include in a library. - Remove a default location from a library. -- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](https://technet.microsoft.com/library/dd744693.aspx#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. +- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](/previous-versions/windows/it-pro/windows-7/dd744693(v=ws.10)#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. ## More about Libraries @@ -57,7 +57,7 @@ Libraries are built upon the legacy known folders (such as My Documents, My Pict ### Hiding Default Libraries -Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_HideDefaultLibraries) for instructions. +Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. ### Default Save Locations for Libraries @@ -75,13 +75,13 @@ Certain library features depend on the contents of the libraries being indexed. To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally. -For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_EnableIndexLocations). +For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations). -If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx). +If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)). ### Folder Redirection -While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](https://technet.microsoft.com/library/hh848267.aspx). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. +While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. ### Supported storage locations @@ -111,20 +111,20 @@ The following library attributes can be modified within Windows Explorer, the Li The library icon can be modified by the administrator or user by directly editing the Library Description schema file. -See the [Library Description Schema](https://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files. +See the [Library Description Schema](/windows/win32/shell/library-schema-entry) topic on MSDN for information on creating Library Description files. ## See also ### Concepts -- [Windows Search Features](https://technet.microsoft.com/library/dd744686.aspx) -- [Windows Indexing Features](https://technet.microsoft.com/library/dd744700.aspx) -- [Federated Search Features](https://technet.microsoft.com/library/dd744682.aspx) -- [Administrative How-to Guides](https://technet.microsoft.com/library/ee461108.aspx) -- [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx) -- [Additional Resources for Windows Search, Browse, and Organization](https://technet.microsoft.com/library/dd744695.aspx) +- [Windows Search Features](/previous-versions/windows/it-pro/windows-7/dd744686(v=ws.10)) +- [Windows Indexing Features](/previous-versions/windows/it-pro/windows-7/dd744700(v=ws.10)) +- [Federated Search Features](/previous-versions/windows/it-pro/windows-7/dd744682(v=ws.10)) +- [Administrative How-to Guides](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)) +- [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)) +- [Additional Resources for Windows Search, Browse, and Organization](/previous-versions/windows/it-pro/windows-7/dd744695(v=ws.10)) ### Other resources -- [Folder Redirection, Offline Files, and Roaming User Profiles](https://technet.microsoft.com/library/hh848267.aspx) -- [Library Description Schema](https://msdn.microsoft.com/library/dd798389.aspx) +- [Folder Redirection, Offline Files, and Roaming User Profiles](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)) +- [Library Description Schema](/windows/win32/shell/library-schema-entry) \ No newline at end of file diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index 63dd4a3abe..29a781be98 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md @@ -15,7 +15,7 @@ ms.topic: troubleshooting # What version of Windows am I running? -To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. +To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. ## System Properties Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu @@ -48,4 +48,4 @@ At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that the LTSC model is primarily for specialized devices. -In the Semi-Annual Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. +In the Semi-Annual Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. \ No newline at end of file