deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-smandalika-5494946-B2

Browse Source
This commit is contained in:
Siddarth Mandalika 2021-10-27 15:55:50 +05:30
commit 7dac6df8f4
55 changed files with 1748 additions and 1117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,6 +10,7 @@ Tools/NuGet/
*.ini
_themes*/
common/
.vscode/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config

9
windows/application-management/apps-in-windows-10.md
View File

@ -71,6 +71,15 @@ There are different types of apps that can run on your Windows client devices. T
Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices.
## Android™ apps
Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
For more information, see:
- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
- [Windows Subsystem for Android developer information](/windows/android/wsa)
## Add or deploy apps to devices
When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.

4
windows/application-management/toc.yml
View File

@ -23,7 +23,7 @@ items:
href: manage-windows-mixed-reality.md
- name: Application Virtualization (App-V)
items:
- name: App-V for Windows 10 overview
- name: App-V for Windows overview
href: app-v/appv-for-windows.md
- name: Getting Started
items:
@ -266,5 +266,5 @@ items:
href: per-user-services-in-windows.md
- name: Disabling System Services in Windows Server
href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server
- name: How to keep apps removed from Windows 10 from returning during an update
- name: How to keep apps removed from Windows from returning during an update
href: remove-provisioned-apps-during-update.md

14
windows/client-management/mdm/accountmanagement-csp.md
View File

@ -19,10 +19,18 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
> [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
The following shows the AccountManagement configuration service provider in tree format.
The following diagram shows the AccountManagement configuration service provider in tree format.
![accountmanagement csp.](images/provisioning-csp-accountmanagement.png)
```console
./Vendor/MSFT
AccountManagement
----UserProfileManagement
--------EnableProfileManager
--------DeletionPolicy
--------StorageCapacityStartDeletion
--------StorageCapacityStopDeletion
--------ProfileInactivityThreshold
```
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.

31
windows/client-management/mdm/appv-deploy-and-config.md
View File

@ -23,7 +23,36 @@ manager: dansimp
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png)
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
```console
./Vendor/MSFT
EnterpriseAppVManagement
----AppVPackageManagement
--------EnterpriseID
------------PackageFamilyName
---------------PackageFullName
------------------Name
------------------Version
------------------Publisher
------------------InstallLocation
------------------InstallDate
------------------Users
------------------AppVPackageID
------------------AppVVersionId
------------------AppVPackageUri
----AppVPublishing
--------LastSync
------------LastError
------------LastErrorDescription
------------SyncStatusDescription
------------SyncProgress
--------Sync
------------PublishXML
----AppVDynamicPolicy
--------ConfigurationId
------------Policy
```
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>

8
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -226,7 +226,7 @@ However, key management is different for on-premises MDM. You must obtain the cl
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
The pages rendered by the MDM as part of the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
@ -236,7 +236,11 @@ There are 3 distinct scenarios:
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
- For Windows 10, use **oobe-desktop.css**
- For Windows 11, use **oobe-light.css**
### Using themes

20
windows/client-management/mdm/bootstrap-csp.md
View File

@ -16,18 +16,18 @@ ms.date: 06/26/2017
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
>[!Note]
>BOOTSTRAP CSP is only supported in Windows 10 Mobile.
>
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
The following shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png)
```console
BOOTSTRAP
----CONTEXT-ALLOW
----PROVURL
```
<a href="" id="context-allow"></a>**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.

16
windows/client-management/mdm/browserfavorite-csp.md
View File

@ -28,9 +28,13 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png)
```console
BrowserFavorite
favorite name
----URL
```
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
@ -78,19 +82,19 @@ The following table shows the Microsoft custom elements that this configuration
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top-level query: Yes</p></td>

8
windows/client-management/mdm/cellularsettings-csp.md
View File

@ -19,9 +19,13 @@ The CellularSettings configuration service provider is used to configure cellula
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png)
```console
./Vendor/MSFT
CellularSettings
----DataRoam
```
<a href="" id="dataroam"></a>**DataRoam**
<p> Optional. Integer. Specifies the default roaming value. Valid values are:</p>

48
windows/client-management/mdm/cm-cellularentries-csp.md
View File

@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png)
```console
CM_CellularEntries
----entryname
--------AlwaysOn
--------AuthType
--------ConnectionType
--------Desc.langid
--------Enabled
--------IpHeaderCompression
--------Password
--------SwCompression
--------UserName
--------UseRequiresMappingPolicy
--------Version
--------DevSpecificCellular
-----------GPRSInfoAccessPointName
--------Roaming
--------OEMConnectionID
--------ApnId
--------IPType
--------ExemptFromDisablePolicy
--------ExemptFromRoaming
--------TetheringNAI
--------IdleDisconnectTimeout
--------SimIccId
--------PurposeGroups
```
<a href="" id="entryname"></a>***entryname***
<p>Defines the name of the connection.</p>
@ -51,27 +77,27 @@ The following diagram shows the CM\_CellularEntries configuration service provid
</colgroup>
<tbody>
<tr class="odd">
<td><p>gprs</p></td>
<td><p>Gprs</p></td>
<td><p>Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).</p></td>
</tr>
<tr class="even">
<td><p>cdma</p></td>
<td><p>Cdma</p></td>
<td><p>Used for CDMA type connections (1XRTT + EVDO).</p></td>
</tr>
<tr class="odd">
<td><p>lte</p></td>
<td><p>Lte</p></td>
<td><p>Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.</p></td>
</tr>
<tr class="even">
<td><p>legacy</p></td>
<td><p>Legacy</p></td>
<td><p>Used for GPRS + GSM + EDGE + UMTS connections.</p></td>
</tr>
<tr class="odd">
<td><p>lte_iwlan</p></td>
<td><p>Lte_iwlan</p></td>
<td><p>Used for GPRS type connections that may be offloaded over WiFi</p></td>
</tr>
<tr class="even">
<td><p>iwlan</p></td>
<td><p>Iwlan</p></td>
<td><p>Used for connections that are implemented over WiFi offload only</p></td>
</tr>
</tbody>
@ -285,15 +311,15 @@ The following table shows the Microsoft custom elements that this configuration
</thead>
<tbody>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>

133
windows/client-management/mdm/config-lock.md Normal file
View File

@ -0,0 +1,133 @@
---
title: Secured-Core Configuration Lock
description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration.
manager: dansimp
keywords: mdm,management,administrator,config lock
ms.author: v-lsaldanha
ms.topic: article
ms.prod: w11
ms.technology: windows
author: lovina-saldanha
ms.date: 10/07/2021
---
# Secured-Core PC Configuration Lock
**Applies to**
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
To summarize, Config Lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM
- Detects drift remediates within seconds
- DOES NOT prevent malicious attacks
## Configuration Flow
After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
## System Requirements
Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
## Enabling Config Lock using Microsoft Intune
Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::
1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1 </br>
To turn off Config Lock. Change value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::
## Disabling
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::
## FAQ
**Can an IT admins disable Config Lock ?** </br>
Yes. IT admins can use MDM to turn off Config Lock.</br>
### List of locked policies
|**CSPs** |
|-----|
|[BitLocker ](bitlocker-csp.md) |
|[PassportForWork](passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** |
|-----|
|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) |
|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) |
|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) |
|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) |
|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) |
|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) |
|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)|
|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) |
|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)|
|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) |
|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) |

1196
windows/client-management/mdm/configuration-service-provider-reference.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/devdetail-csp.md
View File

@ -179,7 +179,7 @@ Value type is string. Supported operations are Get and Replace.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).

74
windows/client-management/mdm/device-update-management.md
View File

@ -138,9 +138,46 @@ Updates are configured using a combination of the [Update CSP](update-csp.md), a
The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following diagram shows the Update policies in a tree format.
The following shows the Update policies in a tree format.
![update policies.](images/update-policies.png)
```console
./Vendor/MSFT
Policy
----Config
--------Update
-----------ActiveHoursEnd
-----------ActiveHoursMaxRange
-----------ActiveHoursStart
-----------AllowAutoUpdate
-----------AllowMUUpdateService
-----------AllowNonMicrosoftSignedUpdate
-----------AllowUpdateService
-----------AutoRestartNotificationSchedule
-----------AutoRestartRequiredNotificationDismissal
-----------BranchReadinessLevel
-----------DeferFeatureUpdatesPeriodInDays
-----------DeferQualityUpdatesPeriodInDays
-----------DeferUpdatePeriod
-----------DeferUpgradePeriod
-----------EngagedRestartDeadline
-----------EngagedRestartSnoozeSchedule
-----------EngagedRestartTransitionSchedule
-----------ExcludeWUDriversInQualityUpdate
-----------IgnoreMOAppDownloadLimit
-----------IgnoreMOUpdateDownloadLimit
-----------PauseDeferrals
-----------PauseFeatureUpdates
-----------PauseQualityUpdates
-----------RequireDeferUpgrade
-----------RequireUpdateApproval
-----------ScheduleImminentRestartWarning
-----------ScheduledInstallDay
-----------ScheduledInstallTime
-----------ScheduleRestartWarning
-----------SetAutoRestartNotificationDisable
-----------UpdateServiceUrl
-----------UpdateServiceUrlAlternate
```
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
@ -674,9 +711,38 @@ Example
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following shows the Update CSP in tree format.
![provisioning csp update.](images/provisioning-csp-update.png)
```console
./Vendor/MSFT
Update
----ApprovedUpdates
--------Approved Update Guid
------------ApprovedTime
----FailedUpdates
--------Failed Update Guid
------------HResult
------------Status
------------RevisionNumber
----InstalledUpdates
--------Installed Update Guid
------------RevisionNumber
----InstallableUpdates
--------Installable Update Guid
------------Type
------------RevisionNumber
----PendingRebootUpdates
--------Pending Reboot Update Guid
------------InstalledTime
------------RevisionNumber
----LastSuccessfulScanTime
----DeferUpgrade
----Rollback
--------QualityUpdate
--------FeatureUpdate
--------QualityUpdateStatus
--------FeatureUpdateStatus
```
<a href="" id="update"></a>**Update**
The root node.

34
windows/client-management/mdm/deviceinstanceservice-csp.md
View File

@ -24,9 +24,27 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile.
The following diagram shows the DeviceInstanceService configuration service provider in tree format.
The following shows the DeviceInstanceService configuration service provider in tree format.
![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png)
```console
./Vendor/MSFT
DeviceInstanceService
------------Roaming
------------PhoneNumber
------------IMEI
------------IMSI
------------Identity
---------------Identity1
------------------Roaming
------------------PhoneNumber
------------------IMEI
------------------IMSI
---------------Identity2
------------------PhoneNumber
------------------IMEI
------------------IMSI
------------------Roaming
```
<a href="" id="roaming"></a>**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
@ -36,34 +54,34 @@ Supported operation is **Get**.
Returns **True** if the device is roaming; otherwise **False**.
<a href="" id="phonenumber"></a>**PhoneNumber**
A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
A string that represents the phone number of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imei"></a>**IMEI**
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imsi"></a>**IMSI**
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="identity"></a>**Identity**
The parent node to group per SIM specific information in case of dual SIM mode.
The parent node to group per SIM-specific information in dual SIM mode.
<a href="" id="identity1"></a>**Identity1**
The parent node to group SIM1 specific information in case of dual SIM mode.
The parent node to group SIM1 specific information in dual SIM mode.
<a href="" id="identity2"></a>**Identity2**
The parent node to group SIM2 specific information in case of dual SIM mode.
The parent node to group SIM2 specific information in dual SIM mode.
## Examples

28
windows/client-management/mdm/devicelock-csp.md
View File

@ -30,9 +30,33 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
The following image shows the DeviceLock configuration service provider in tree format.
The following shows the DeviceLock configuration service provider in tree format.
![devicelock csp.](images/provisioning-csp-devicelock.png)
```console
./Vendor/MSFT
DeviceLock
--------Provider
----------ProviderID
-------------DevicePasswordEnabled
-------------AllowSimpleDevicePassword
-------------MinDevicePasswordLength
-------------AlphanumericDevicePasswordRequired
-------------MaxDevicePasswordFailedAttempts
-------------DevicePasswordExpiration
-------------DevicePasswordHistory
-------------MaxInactivityTimeDeviceLock
-------------MinDevicePasswordComplexCharacters
----------DeviceValue
-------------DevicePasswordEnabled
-------------AllowSimpleDevicePassword
-------------MinDevicePasswordLength
-------------AlphanumericDevicePasswordRequired
-------------MaxDevicePasswordFailedAttempts
-------------DevicePasswordExpiration
-------------DevicePasswordHistory
-------------MaxInactivityTimeDeviceLock
-------------MinDevicePasswordComplexCharacters
```
<a href="" id="provider"></a>**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.

33
windows/client-management/mdm/dmclient-csp.md
View File

@ -22,7 +22,7 @@ The following shows the DMClient CSP in tree format.
./Vendor/MSFT
DMClient
----Provider
--------
--------ProviderID
------------EntDeviceName
------------ExchangeID
------------EntDMID
@ -45,6 +45,10 @@ DMClient
------------HWDevID
------------ManagementServerAddressList
------------CommercialID
------------ConfigLock
----------------Lock
----------------UnlockDuration
----------------SecureCore
------------Push
----------------PFN
----------------ChannelURI
@ -598,6 +602,33 @@ Optional. Boolean value that allows the IT admin to require the device to start
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-configlock"></a>**Provider/*ProviderID*/ConfigLock**
Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
Default = Locked
> [!Note]
>If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
<a href="" id="provider-providerid-configlock-lock"></a>**Provider/*ProviderID*/ConfigLock/Lock**
The supported values for this node are 0-unlock, 1-lock.
Supported operations are Add, Delete, Get.
<a href="" id="provider-providerid-configlock-unlockduration"></a>**Provider/*ProviderID*/ConfigLock/UnlockDuration**
The supported values for this node are 1 to 480 (in min).
Supported operations are Add, Delete, Get.
<a href="" id="provider-providerid-configlock-securecore"></a>**Provider/*ProviderID*/ConfigLock/SecureCore**
The supported values for this node are false or true.
Supported operation is Get only.
<a href="" id="provider-providerid-push"></a>**Provider/*ProviderID*/Push**
Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.

104
windows/client-management/mdm/enterprise-app-management.md
View File

@ -39,9 +39,109 @@ Windows 10 lets you inventory all apps deployed to a user and all apps for all
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
The following shows the EnterpriseModernAppManagement CSP in a tree format.
![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png)
```console
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
EnterpriseAppManagement
----AppManagement
--------UpdateScan
--------LastScanError
--------AppInventoryResults
--------AppInventoryQuery
--------RemovePackage
--------AppStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemovable
----------ReleaseManagement
------------ReleaseManagementKey
--------------ChannelId
--------------ReleaseId
--------------EffectiveRelease
-----------------ChannelId
-----------------ReleaseId
--------nonStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
--------System
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
----AppInstallation
--------PackageFamilyName
----------StoreInstall
----------HostedInstall
----------LastError
----------LastErrorDesc
----------Status
----------ProgressStatus
----AppLicenses
--------StoreLicenses
----------LicenseID
------------LicenseCategory
------------LicenseUsage
------------RequesterID
------------AddLicense
------------GetLicenseFromStore
```
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).

30
windows/client-management/mdm/enterpriseappmanagement-csp.md
View File

@ -21,9 +21,35 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
The following shows the EnterpriseAppManagement configuration service provider in tree format.
![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png)
```console
./Vendor/MSFT
EnterpriseAppManagement
----EnterpriseID
--------EnrollmentToken
--------StoreProductID
--------StoreUri
--------CertificateSearchCriteria
--------Status
--------CRLCheck
--------EnterpriseApps
------------Inventory
----------------ProductID
--------------------Version
--------------------Title
--------------------Publisher
--------------------InstallDate
------------Download
----------------ProductID
--------------------Version
--------------------Name
--------------------URL
--------------------Status
--------------------LastError
--------------------LastErrorDesc
--------------------DownloadInstall
```
<a href="" id="enterpriseid"></a>***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.

11
windows/client-management/mdm/filesystem-csp.md
View File

@ -22,9 +22,16 @@ The FileSystem configuration service provider is used to query, add, modify, and
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png)
```console
./Vendor/MSFT
FileSystem
----file name
----file directory
--------file name
--------file directory
```
<a href="" id="filesystem"></a>**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.

21
windows/client-management/mdm/hotspot-csp.md
View File

@ -25,9 +25,26 @@ The HotSpot configuration service provider is used to configure and enable Inter
The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png)
```console
./Vendor/MSFT
HotSpot
-------Enabled
-------DedicatedConnections
-------TetheringNAIConnection
-------MaxUsers
-------MaxBluetoothUsers
-------MOHelpNumber
-------MOInfoLink
-------MOAppLink
-------MOHelpMessage
-------EntitlementRequired
-------EntitlementDll
-------EntitlementInterval
-------PeerlessTimeout
-------PublicConnectionTimeout
```
<a href="" id="enabled"></a>**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.

BIN
windows/client-management/mdm/images/configlock-mem-createprofile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/client-management/mdm/images/configlock-mem-dev.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/client-management/mdm/images/configlock-mem-devstatus.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/client-management/mdm/images/configlock-mem-editrow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/client-management/mdm/images/configlock-mem-firmwareprotect.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/client-management/mdm/images/faq-max-devices.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.0 KiB

After

Width:  |  Height:  |  Size: 5.4 KiB

BIN
windows/client-management/mdm/images/flow-configlock.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

13
windows/client-management/mdm/messaging-csp.md
View File

@ -15,9 +15,18 @@ manager: dansimp
The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
The following diagram shows the Messaging configuration service provider in tree format.
The following shows the Messaging configuration service provider in tree format.
![messaging csp.](images/provisioning-csp-messaging.png)
```console
./User/Vendor/MSFT
Messaging
----AuditingLevel
----Auditing
--------Messages
----------Count
----------RevisionId
----------Data
```
<a href="" id="--user-msft-applocker"></a>**./User/Vendor/MSFT/Messaging**

53
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -66,13 +66,13 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
## Disable MDM enrollments
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
Here is the corresponding registry key:
Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Value: DisableRegistration
@ -80,19 +80,8 @@ Value: DisableRegistration
The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users cannot enroll in MDM. Only admin users can enroll.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration
**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours.
Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work.
To manually trigger enrollment migration, you can run MDMMaintenenceTask.
**Mobile devices:** After the MDM client upgrade from Windows Phone 8.1 to Windows 10 Mobile, enrollment migration is performed during the first boot after the upgrade.
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users cannot enroll in MDM. Only admin users can enroll.
## Enrollment error messages
@ -143,49 +132,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
<td><p>s:</p></td>
<td><p>MessageFormat</p></td>
<td><p>MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</p></td>
<td><p>Message format is bad</p></td>
<td><p>Invalid message from the Mobile Device Management (MDM) server.</p></td>
<td><p>80180001</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>Authentication</p></td>
<td><p>MENROLL_E_DEVICE_AUTHENTICATION_ERROR</p></td>
<td><p>User not recognized</p></td>
<td><p>The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.</p></td>
<td><p>80180002</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>Authorization</p></td>
<td><p>MENROLL_E_DEVICE_AUTHORIZATION_ERROR</p></td>
<td><p>User not allowed to enroll</p></td>
<td><p>The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.</p></td>
<td><p>80180003</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>CertificateRequest</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</p></td>
<td><p>Failed to get certificate</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR</p></td>
<td><p>The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.</p></td>
<td><p>80180004</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>EnrollmentServer</p></td>
<td><p>MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</p></td>
<td></td>
<td>The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.</td>
<td><p>80180005</p></td>
</tr>
<tr class="even">
<td><p>a:</p></td>
<td><p>InternalServiceFault</p></td>
<td><p>MENROLL_E_DEVICE_INTERNALSERVICE_ERROR</p></td>
<td><p>The server hit an unexpected issue</p></td>
<td><p> There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.</p></td>
<td><p>80180006</p></td>
</tr>
<tr class="odd">
<td><p>a:</p></td>
<td><p>InvalidSecurity</p></td>
<td><p>MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</p></td>
<td><p>Cannot parse the security header</p></td>
<td><p>The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.</p></td>
<td><p>80180007</p></td>
</tr>
</tbody>
@ -242,43 +231,43 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
<tr class="odd">
<td><p>DeviceCapReached</p></td>
<td><p>MENROLL_E_DEVICECAPREACHED</p></td>
<td><p>User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.</p></td>
<td><p>The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.</p></td>
<td><p>80180013</p></td>
</tr>
<tr class="even">
<td><p>DeviceNotSupported</p></td>
<td><p>MENROLL_E_DEVICENOTSUPPORTED</p></td>
<td><p>Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.</p></td>
<td><p>The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.</p></td>
<td><p>80180014</p></td>
</tr>
<tr class="odd">
<td><p>NotSupported</p></td>
<td><p>MENROLL_E_NOTSUPPORTED</p></td>
<td><p>Mobile device management generally not supported (would save an admin call)</p></td>
<td><p>MENROLL_E_NOT_SUPPORTED</p></td>
<td><p>Mobile Device Management (MDM) is generally not supported for this device.</p></td>
<td><p>80180015</p></td>
</tr>
<tr class="even">
<td><p>NotEligibleToRenew</p></td>
<td><p>MENROLL_E_NOTELIGIBLETORENEW</p></td>
<td><p>Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.</p></td>
<td><p>The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.</p></td>
<td><p>80180016</p></td>
</tr>
<tr class="odd">
<td><p>InMaintenance</p></td>
<td><p>MENROLL_E_INMAINTENANCE</p></td>
<td><p>Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.</p></td>
<td><p>The Mobile Device Management (MDM) server states your account is in maintenance, try again later.</p></td>
<td><p>80180017</p></td>
</tr>
<tr class="even">
<td><p>UserLicense</p></td>
<td><p>MENROLL_E_USERLICENSE</p></td>
<td><p>License of user is in bad state and blocking the enrollment. The user needs to call the admin.</p></td>
<td><p>MENROLL_E_USER_LICENSE</p></td>
<td><p>There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.</p></td>
<td><p>80180018</p></td>
</tr>
<tr class="odd">
<td><p>InvalidEnrollmentData</p></td>
<td><p>MENROLL_E_ENROLLMENTDATAINVALID</p></td>
<td><p>The server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>80180019</p></td>
</tr>
</tbody>

46
windows/client-management/mdm/napdef-csp.md
View File

@ -25,13 +25,41 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png)
```console
NAPDEF
----NAPAUTHINFO
------AUTHNAME
------AUTHSECRET
------AUTHTYPE
----BEARER
----INTERNET
----LOCAL-ADDR
----LOCAL-ADDRTYPE
----NAME
----NAP-ADDRESS
----NAP-ADDRTYPE
----NAPID
```
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png)
```console
NAPDEF
--NAPID
----NAPAUTHINFO
------AUTHNAME
------AUTHSECRET
------AUTHTYPE
----BEARER
----INTERNET
----LOCAL-ADDR
----LOCAL-ADDRTYPE
----NAME
----NAP-ADDRESS
----NAP-ADDRTYPE
```
<a href="" id="napauthinfo"></a>**NAPAUTHINFO**
Defines a group of authentication settings.
@ -106,26 +134,26 @@ The following table shows the Microsoft custom elements that this configuration
</colgroup>
<thead>
<tr class="header">
<th>ELements</th>
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p>
<p>Note that some GPRS parameters will not necessarily contain the exact same value as was set.</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>

366
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

File diff suppressed because one or more lines are too long

61
windows/client-management/mdm/passportforwork-csp.md
View File

@ -21,15 +21,68 @@ The PassportForWork configuration service provider is used to provision Windows
 
### User configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
The following shows the PassportForWork configuration service provider in tree format.
![passportforwork csp.](images/provisioning-csp-passportforwork.png)
```console
./User/Vendor/MSFT
PassportForWork
-------TenantId
----------Policies
-------------UsePassportForWork
-------------RequireSecurityDevice
-------------EnablePinRecovery
-------------PINComplexity
----------------MinimumPINLength
----------------MaximumPINLength
----------------UppercaseLetters
----------------LowercaseLetters
----------------SpecialCharecters
----------------Digits
----------------History
----------------Expiration
```
### Device configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
The following shows the PassportForWork configuration service provider in tree format.
![passportforwork diagram.](images/provisioning-csp-passportforwork2.png)
```console
./Device/Vendor/MSFT
PassportForWork
-------TenantId
----------Policies
-------------UsePassportForWork
-------------RequireSecurityDevice
-------------ExcludeSecurityDevices
----------------TPM12
-------------EnablePinRecovery
-------------UserCertificateForOnPremAuth
-------------PINComplexity
----------------MinimumPINLength
----------------MaximumPINLength
----------------UppercaseLetters
----------------LowercaseLetters
----------------SpecialCharacters
----------------Digits
----------------History
----------------Expiration
-------------Remote
----------------UseRemotePassport
-------------UseHelloCertificatesAsSmartCardCertificates
-------UseBiometrics
-------Biometrics
----------UseBiometrics
----------FacialFeatureUse
-------DeviceUnlock
----------GroupA
----------GroupB
----------Plugins
-------DynamicLock
----------DynamicLock
----------Plugins
-------SecurityKey
----------UseSecurityKeyForSignin
```
<a href="" id="passportforwork"></a>**PassportForWork**
Root node for PassportForWork configuration service provider.

20
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -42,9 +42,25 @@ The Policy configuration service provider has the following sub-categories:
> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![policy csp diagram.](images/provisioning-csp-policy.png)
```console
./Vendor/MSFT
Policy
-------Config
----------AreaName
-------------PolicyName
-------Result
----------AreaName
-------------PolicyName
-------ConfigOperations
----------ADMXInstall
-------------AppName
----------------Policy
------------------UniqueID
----------------Preference
------------------UniqueID
```
<a href="" id="--vendor-msft-policy"></a>**./Vendor/MSFT/Policy**

3
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

@ -1551,7 +1551,8 @@ ADMX Info:
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>

4
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -517,7 +517,7 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is in preview mode only and therefore not meant or recommended for production purposes.
> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
@ -596,7 +596,7 @@ Value type is integer. Supported values:
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is in preview mode only and therefore not meant or recommended for production purposes.
> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.

8
windows/client-management/mdm/policy-csp-settings.md
View File

@ -927,18 +927,18 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons.
Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For additional information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
showonly:about;bluetooth
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (that is, treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
The format of the PageVisibilityList value is as follows:
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
- There are two variants: one that shows only the given pages and one which hides the given pages.
- There are two variants: one that shows only the given pages and one that hides the given pages.
- The first variant starts with the string "showonly:" and the second with the string "hide:".
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
@ -964,7 +964,7 @@ ADMX Info:
<!--/ADMXMapped-->
<!--Validation-->
To validate on Desktop, do the following:
To validate on Desktop, use the following steps:
1. Open System Settings and verify that the About page is visible and accessible.
2. Configure the policy with the following string: "hide:about".

53
windows/client-management/mdm/pxlogical-csp.md
View File

@ -19,15 +19,56 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png)
```console
PXLOGICAL
----DOMAIN
----NAME
----PORT
-------PORTNBR
-------SERVICE
----PUSHENABLED
----PROXY-ID
----TRUST
----PXPHYSICAL
-------DOMAIN
-------PHYSICAL-PROXY-ID
-------PORT
---------PORTNBR
---------SERVICE
-------PUSHENABLED
-------PXADDR
-------PXADDRTYPE
-------TO-NAPID
```
The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png)
The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
```console
PXLOGICAL
--PROXY-ID
----DOMAIN
----NAME
----PORT
-------PORTNBR
-------SERVICE
----PUSHENABLED
----TRUST
----PXPHYSICAL
-------PHYSICAL-PROXY-ID
----------DOMAIN
----------PORT
-------------PORTNBR
-------------SERVICE
----------PUSHENABLED
----------PXADDR
----------PXADDRTYPE
----------TO-NAPID
```
<a href="" id="pxphysical"></a>**PXPHYSICAL**
Defines a group of logical proxy settings.
@ -37,7 +78,7 @@ The element's mwid attribute is a Microsoft provisioning XML attribute, and is o
<a href="" id="domain"></a>**DOMAIN**
Specifies the domain associated with the proxy (for example, "\*.com").
A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon delimited string of all domains associated with the proxy.
A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy.
<a href="" id="name"></a>**NAME**
Specifies the name of the logical proxy.

14
windows/client-management/mdm/securitypolicy-csp.md
View File

@ -23,9 +23,13 @@ The SecurityPolicy configuration service provider is used to configure security
For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
The following shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png)
```console
./Vendor/MSFT
SecurityPolicy
----PolicyID
```
<a href="" id="policyid"></a>***PolicyID***
Defines the security policy identifier as a decimal value.
@ -48,7 +52,7 @@ The following security policies are supported.
<tbody>
<tr class="odd">
<td><p>4104</p>
<p>Hex:1008</p></td>
<p>Hex: 1008</p></td>
<td><p>TPS Policy</p></td>
<td><p>This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.</p>
<p>Default value: 1</p>
@ -58,7 +62,7 @@ The following security policies are supported.
</tr>
<tr class="even">
<td><p>4105</p>
<p>Hex:1009</p></td>
<p>Hex: 1009</p></td>
<td><p>Message Authentication Retry Policy</p></td>
<td><p>This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.</p>
<p>Default value: 3</p>
@ -66,7 +70,7 @@ The following security policies are supported.
</tr>
<tr class="odd">
<td><p>4108</p>
<p>Hex:100c</p></td>
<p>Hex: 100c</p></td>
<td><p>Service Loading Policy</p></td>
<td><p>This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.</p>
<p>Default value: 256 (SECROLE_KNOWN_PPG)</p>

2
windows/client-management/mdm/toc.yml
View File

@ -48,6 +48,8 @@ items:
href: device-update-management.md
- name: Bulk enrollment
href: bulk-enrollment-using-windows-provisioning-tool.md
- name: Secured-Core PC Configuration Lock
href: config-lock.md
- name: Management tool for the Microsoft Store for Business
href: management-tool-for-windows-store-for-business.md
items:

82
windows/client-management/mdm/vpn-csp.md
View File

@ -23,7 +23,7 @@ The VPN configuration service provider allows the MDM server to configure the VP
Important considerations:
- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN.
- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is critical for forced tunnel VPN.
- VPN configuration commands must be wrapped with an Atomic command as shown in the example below.
@ -31,9 +31,61 @@ Important considerations:
- For the VPN CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the VPN configuration service provider in tree format.
The following shows the VPN configuration service provider in tree format.
![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png)
```console
./Vendor/MSFT
VPN
-----ProfileName
---------Server
---------TunnelType
---------ThirdParty
-------------Name
-------------AppID
-------------CustomStoreURL
-------------CustomConfiguration
---------RoleGroup
---------Authentication
-------------Method
-------------Certificate
---------------Issuer
---------------EKU
---------------CacheLifeTimeProtectedCert
-------------MultiAuth
---------------StartURL
---------------EndURL
-------------EAP
---------Proxy
-------------Automatic
-------------Manual
---------------Server
---------------Port
-------------BypassProxyforLocal
---------SecuredResources
-------------AppPublisherNameList
---------------AppPublisherName
-------------AppAllowedList
---------------AppAllowedList
-------------NetworkAllowedList
---------------NetworkAllowedList
-------------NameSapceAllowedList
---------------NameSapceAllowedList
-------------ExcudedAppList
---------------ExcudedAppList
-------------ExcludedNetworkList
---------------ExcludedNetworkList
-------------ExcludedNameSpaceList
---------------ExcludedNameSpaceList
-------------DNSSuffixSearchList
---------------DNSSuffixSearchList
---------Policies
-------------RememberCredentials
-------------SplitTunnel
-------------BypassforLocal
-------------TrustedNetworkDetection
-------------ConnectionType
---------DNSSuffix
```
<a href="" id="profilename"></a>***ProfileName***
Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/).
@ -48,12 +100,12 @@ Supported operations are Get, Add, and Replace.
Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com.
<a href="" id="tunneltype"></a>**TunnelType**
Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
Optional, but required when deploying a third-party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
Value type is chr. Supported operations are Get and Add.
<a href="" id="thirdparty"></a>**ThirdParty**
Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
Optional, but required if deploying third-party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
Supported operations are Get and Add.
@ -73,17 +125,17 @@ Valid values:
- Checkpoint Mobile VPN
<a href="" id="thirdparty-appid"></a>**ThirdParty/AppID**
Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="thirdparty-customstoreurl"></a>**ThirdParty/CustomStoreURL**
Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app.
Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="thirdparty-customconfiguration"></a>**ThirdParty/CustomConfiguration**
Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
Optional. This is an HTML encoded XML blob for SSL-VPN plugin-specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
Value type is char. Supported operations are Get, Add, Replace, and Delete.
@ -98,7 +150,7 @@ Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a col
Supported operations are Get and Add.
<a href="" id="authentication-method"></a>**Authentication/Method**
Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
Required for IKEv2 profiles and optional for third-party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
Supported operations are Get and Add.
@ -114,7 +166,7 @@ Optional node. A collection of nodes that enables simpler authentication experie
Supported operations are Get and Add.
<a href="" id="authentication-certificate-issuer"></a>**Authentication/Certificate/Issuer**
Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering.
Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used with EKU for more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@ -123,7 +175,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.
 
<a href="" id="authentication-certificate-eku"></a>**Authentication/Certificate/EKU**
Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering.
Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this with ISSUER for a more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@ -175,16 +227,16 @@ Default is False.
Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported..
<a href="" id="securedresources-appallowedlist-appallowedlist"></a>**SecuredResources/AppAllowedList/AppAllowedList**
Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps.
Optional. Specifies one or more ProductIDs for the enterprise line-of-business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is autotriggered, VPN is triggered automatically by these apps.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Value type is chr.
Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u.
<a href="" id="securedresources-networkallowedlist-networkallowedlist"></a>**SecuredResources/NetworkAllowedList/NetworkAllowedList**
Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, theyll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks.
Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, theyll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is autotriggered, the VPN is triggered automatically by these protected networks.
Supported operations are Get, Add, Replace, and Delete.
@ -202,7 +254,7 @@ Value type is chr.
An example is \*.corp.contoso.com.
<a href="" id="securedresources-excluddedapplist-excludedapplist"></a>**SecuredResources/ExcluddedAppList/ExcludedAppList**
Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
Optional. Specifies one or more ProductIDs for enterprise line-of-business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
Supported operations are Get, Add, Replace, and Delete.

14
windows/client-management/mdm/w4-application-csp.md
View File

@ -21,11 +21,17 @@ The default security roles are defined in the root characteristic, and map to ea
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application.
 
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning.
![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png)
```console
APPLICATION
----APPID
----NAME
----TO-PROXY
----TO-NAPID
----ADDR
----MS
```
<a href="" id="appid"></a>**APPID**
Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".

32
windows/client-management/mdm/w7-application-csp.md
View File

@ -19,11 +19,37 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
The following image shows the configuration service provider in tree format as used by OMA Client Provisioning.
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png)
```console
APPLICATION
---APPADDR
------ADDR
------ADDRTYPE
------PORT
---------PORTNBR
---APPAUTH
------AAUTHDATA
------AAUTHLEVEL
------AAUTHNAME
------AAUTHSECRET
------AAUTHTYPE
---AppID
---BACKCOMPATRETRYDISABLED
---CONNRETRYFREQ
---DEFAULTENCODING
---INIT
---INITIALBACKOFTIME
---MAXBACKOFTIME
---NAME
---PROTOVER
---PROVIDER-ID
---ROLE
---TO-NAPID
---USEHWDEVID
---SSLCLIENTCERTSEARCHCRITERIA
```
> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML.

17
windows/client-management/mdm/wifi-csp.md
View File

@ -29,9 +29,22 @@ Programming considerations:
- For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure.
The following image shows the WiFi configuration service provider in tree format.
The following shows the WiFi configuration service provider in tree format.
```console
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
WiFi
---Profile
------SSID
---------WlanXML
---------Proxy
---------ProxyPacUrl
---------ProxyWPAD
---------WiFiCost
```
![wi-fi csp diagram.](images/provisioning-csp-wifi.png)
The following list shows the characteristics and parameters.

20
windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
View File

@ -17,9 +17,25 @@ ms.date: 11/01/2017
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png)
```console
./Device/Vendor/MSFT
WindowsAdvancedThreatProtection
----Onboarding
----HealthState
--------LastConnected
--------SenseIsRunning
--------OnboardingState
--------OrgId
----Configuration
--------SampleSharing
--------TelemetryReportingFrequency
----Offboarding
----DeviceTagging
--------Group
--------Criticality
```
The following list describes the characteristics and parameters.

94
windows/client-management/mdm/wmi-providers-supported-in-windows.md
View File

@ -86,19 +86,19 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones" data-raw-source="[&lt;strong&gt;MDM_BrowserSecurityZones&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones)"><strong>MDM_BrowserSecurityZones</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings" data-raw-source="[&lt;strong&gt;MDM_BrowserSettings&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings)"><strong>MDM_BrowserSettings</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate" data-raw-source="[&lt;strong&gt;MDM_Certificate&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate)"><strong>MDM_Certificate</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment" data-raw-source="[&lt;strong&gt;MDM_CertificateEnrollment&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment)"><strong>MDM_CertificateEnrollment</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-client" data-raw-source="[&lt;strong&gt;MDM_Client&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client)"><strong>MDM_Client</strong></a></td>
@ -106,7 +106,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting" data-raw-source="[&lt;strong&gt;MDM_ConfigSetting&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting)"><strong>MDM_ConfigSetting</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo" data-raw-source="[&lt;strong&gt;MDM_DeviceRegistrationInfo&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo)"><strong>MDM_DeviceRegistrationInfo</strong></a></td>
@ -114,11 +114,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy" data-raw-source="[&lt;strong&gt;MDM_EASPolicy&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy)"><strong>MDM_EASPolicy</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority" data-raw-source="[&lt;strong&gt;MDM_MgMtAuthority&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority)"><strong>MDM_MgMtAuthority</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><strong>MDM_MsiApplication</strong></td>
@ -138,7 +138,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions" data-raw-source="[&lt;strong&gt;MDM_Restrictions&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions)"><strong>MDM_Restrictions</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser" data-raw-source="[&lt;strong&gt;MDM_RestrictionsUser&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser)"><strong>MDM_RestrictionsUser</strong></a></td>
@ -146,7 +146,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus" data-raw-source="[&lt;strong&gt;MDM_SecurityStatus&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus)"><strong>MDM_SecurityStatus</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader" data-raw-source="[&lt;strong&gt;MDM_SideLoader&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader)"><strong>MDM_SideLoader</strong></a></td>
@ -158,11 +158,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates" data-raw-source="[&lt;strong&gt;MDM_Updates&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates)"><strong>MDM_Updates</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger" data-raw-source="[&lt;strong&gt;MDM_VpnApplicationTrigger&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger)"><strong>MDM_VpnApplicationTrigger</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><strong>MDM_VpnConnection</strong></td>
@ -174,27 +174,27 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile" data-raw-source="[&lt;strong&gt;MDM_WirelessProfile&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile)"><strong>MDM_WirelessProfile</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml" data-raw-source="[&lt;strong&gt;MDM_WirelesssProfileXML&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml)"><strong>MDM_WirelesssProfileXML</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel" data-raw-source="[&lt;strong&gt;MDM_WNSChannel&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel)"><strong>MDM_WNSChannel</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration" data-raw-source="[&lt;strong&gt;MDM_WNSConfiguration&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration)"><strong>MDM_WNSConfiguration</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile" data-raw-source="[&lt;strong&gt;MSFT_NetFirewallProfile&lt;/strong&gt;](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile)"><strong>MSFT_NetFirewallProfile</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection" data-raw-source="[&lt;strong&gt;MSFT_VpnConnection&lt;/strong&gt;](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection)"><strong>MSFT_VpnConnection</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct" data-raw-source="[&lt;strong&gt;SoftwareLicensingProduct&lt;/strong&gt;](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct)"><strong>SoftwareLicensingProduct</strong></a></td>
@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
|--------------------------------------------------------------------------|------------------------------------------|
[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark.](images/checkmark.png)
[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark.](images/checkmark.png)
[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes
[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes
[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png)
[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png)
[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark.](images/checkmark.png)
[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes
[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes
[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes
[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark.](images/checkmark.png)
[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark.](images/checkmark.png)
[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes
[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes
[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png)
[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes
[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark.](images/checkmark.png)
[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes
[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark.](images/checkmark.png)
[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes
[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png)
[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes
[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png)
[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes
[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark.](images/checkmark.png)
[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes
[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark.](images/checkmark.png)
[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png)
[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes
[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes
[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark.](images/checkmark.png)
[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark.](images/checkmark.png)
[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes
[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes
[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark.](images/checkmark.png)
[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes
[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark.](images/checkmark.png)
[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes
[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark.](images/checkmark.png)
[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes
[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark.](images/checkmark.png)
[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes
[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** |

8
windows/configuration/cortana-at-work/cortana-at-work-overview.md
View File

@ -17,7 +17,7 @@ ms.author: greglin
Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
## Where is Cortana available for use in my organization?
@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
| Software | Minimum version |
|---------|---------|
|Client operating system | Desktop: <br> - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Client operating system | - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
@ -51,7 +51,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
### Cortana in Windows 10, version 2004 and later, or Windows 11
Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, or Windows 11, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
@ -77,7 +77,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user&#39;s PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user&#39;s PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.

102
windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
View File

@ -7,46 +7,78 @@ ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.date: 10/05/2017
ms.reviewer:
manager: dansimp
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
>[!NOTE]
>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics.
For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
- **Allow Cortana**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana`
- **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)
- **Description**: Specifies if users can use Cortana.
|**Group policy** |**MDM policy** |**Description** |
|---------|---------|---------|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana. <br>
> [!IMPORTANT]
> Cortana wont work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. |
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked. <br>
> [!NOTE]
> Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently support Above Lock. |
|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”). <br>
> [!NOTE]
> This setting only applies to Windows 10 versions 2004 and later, or Windows 11. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortanas access to the microphone. To do so, specify Cortanas Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe <br>
Users will still be able to type queries to Cortana. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization. <br>
**In Windows 10, version 1511** <br> Cortana wont work if this setting is turned off (disabled). <br> **In Windows 10, version 1607 and later** <br> Non-speech aspects of Cortana will still work if this setting is turned off (disabled). <br> **In Windows 10, version 2004 and later** <br> Cortana will work, but voice input will be disabled. |
|None |System/AllowLocation |Specifies whether to allow app access to the Location service. <br>
**In Windows 10, version 1511** <br> Cortana wont work if this setting is turned off (disabled). <br>
**In Windows 10, version 1607 and later** <br>
Cortana still works if this setting is turned off (disabled). <br>
**In Windows 10, version 2004 and later** <br>
Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently use the Location service. |
|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. <br>
Disable this setting if you only want to allow users to sign in with their Azure AD account. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. <br>
**In Windows 10, version 2004 and later** <br> Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, do not currently use the Location service. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search. <br>
**In Windows 10 Pro edition** <br> This setting cant be managed.<br>
**In Windows 10 Enterprise edition** <br> Cortana won't work if this setting is turned off (disabled).<br>
**In Windows 10, version 2004 and later** <br> This setting no longer affects Cortana. <br> |
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required. <br>
> [!NOTE]
> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
Cortana wont work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off.
- **AllowCortanaAboveLock**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock`
- **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock)
- **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked.
This setting:
- Doesn't apply to Windows 10, versions 2004 and later
- Doesn't apply to Windows 11
- **LetAppsActivateWithVoice**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice`
- **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice)
- **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”.
This setting applies to:
- Windows 10 versions 2004 and later
- Windows 11
To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization).
- **LetAppsAccessMicrophone**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone`
- **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps)
- **Description**: Disables Cortanas access to the microphone. To use this setting, enter Cortanas Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana.
- **Allow users to enable online speech recognition services**
- **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services`
- **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization)
- **Description**: Specifies whether users can use voice commands with Cortana in your organization.
- **Windows 10, version 1511**: Cortana wont work if this setting is turned off (disabled).
- **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled.
- **AllowLocation**
- **Group policy**: None
- **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation)
- **Description**: Specifies whether to allow app access to the Location service.
- **Windows 10, version 1511**: Cortana wont work if this setting is turned off (disabled).
- **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service.
- **AllowMicrosoftAccountConnection**
- **Group policy**: None
- **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
- **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting.
- **Allow search and Cortana to use location**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
- **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation)
- **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service.
- **Don't search the web or display web results**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`
- **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults)
- **Description**: Specifies if search can do queries on the web, and if the web results are shown in search.
- **Windows 10 Pro edition**: This setting cant be managed.
- **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: This setting no longer impacts Cortana.

BIN
windows/configuration/cortana-at-work/images/screenshot1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.8 MiB

BIN
windows/configuration/cortana-at-work/images/screenshot2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

5
windows/configuration/lockdown-features-windows-10.md
View File

@ -13,14 +13,13 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
---
# Lockdown features from Windows Embedded 8.1 Industry
**Applies to**
- Windows 10
- Windows 10
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
@ -90,7 +89,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
<td align="left">MDM and Group Policy</td>
<td align="left"><p>The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.</p>
<p>Group Policy: <strong>Computer Configuration</strong> &gt; <strong>Administrative Templates</strong> &gt; <strong>System</strong> &gt; <strong>Device Installation</strong> &gt; <strong>Device Installation Restrictions</strong></p>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow removable storage</strong> or <strong>Allow USB connection (Windows 10 Mobile only)</strong>.</p></td>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Removable storage</strong>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="/previous-versions/windows/embedded/dn449303(v=winembedded.82)" data-raw-source="[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82))">Assigned Access</a>: launch a UWP app on sign-in and lock access to system</p></td>

2
windows/security/security-foundations.md
View File

@ -24,7 +24,7 @@ Use the links in the following table to learn more about the security foundation
| Concept | Description |
|:---|:---|
| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. <br/><br/>Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). |
| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. <br/><br/>Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). |
| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products. <br/><br/>Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). |
| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.<br/><br/>Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).|
| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.<br/><br/>Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). |

4
windows/security/threat-protection/auditing/event-4768.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 09/07/2021
ms.date: 10/20/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -29,7 +29,7 @@ This event generates only on domain controllers.
If TGT issue fails then you will see Failure event with **Result Code** field not equal to “**0x0**”.
This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
This event doesn't generate for **Result Codes**: 0x10 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.

4
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 09/09/2021
ms.date: 10/20/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -47,4 +47,4 @@ Your environment must have the following hardware to run Microsoft Defender Appl
|--------|-----------|
| Operating system | Windows 10 Enterprise edition, version 1809 or higher <br/> Windows 10 Professional edition, version 1809 or higher <br/> Windows 10 Professional for Workstations edition, version 1809 or higher <br/> Windows 10 Professional Education edition, version 1809 or higher <br/> Windows 10 Education edition, version 1809 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. <br/> Windows 11 |
| Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |

13
windows/whats-new/windows-11-whats-new.md
View File

@ -1,6 +1,6 @@
---
title: Windows 11, what's new and overview for administrators
description: Learn more about what's new in Windows 11. Read about see the features IT professionals and administrators should know about Windows 11, including security, using apps, the new desktop, and deploying and servicing PCs.
description: Learn more about what's new in Windows 11. Read about see the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
manager: dougeby
ms.audience: itpro
@ -136,7 +136,16 @@ For more information on the security features you can configure, manage, and enf
Users can manage some desktop features using **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Multiple desktops in Windows](https://support.microsoft.com/windows/multiple-desktops-in-windows-11-36f52e38-5b4a-557b-2ff9-e1a60c976434).
## Use your same apps, improved
## Use your same apps, and new apps, improved
- Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can download and install **Android™ apps** from the Microsoft Store. This feature is called the **Windows Subsystem for Android**, and allows users to use Android apps on their Windows devices, similar to other apps installed from the Microsoft Store.
Users open the Microsoft Store, install the **Amazon Appstore** app, and sign in with their Amazon account. When they sign in, they can search, download, and install Android apps.
For more information, see:
- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
- [Windows Subsystem for Android developer information](/windows/android/wsa)
- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.