Desc.0409
with a value of "GPRS Connection"
will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry.
+A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
**Enabled**
Specifies if the connection is enabled.
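Review bot: `Desc.langid` in the first sentence of the `+` line should get the same backtick formatting as `Desc.0409` and `"GPRS Connection"` later in the same sentence, since it is the template that the example instantiates; as written the example is code-formatted but the pattern is not. The bold on **Desc** in the last sentence also conflicts with the backticks used for the same parameter name two sentences earlier; pick one convention for parameter names across the file.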
@@ -110,7 +120,7 @@ Optional. Specifies if the connection requires a corresponding mappings policy.
A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
-For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
+For example, if the multimedia messaging service (MMS) APN does not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
**Version**
Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
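Review bot: changing "should not have any other traffic except MMS" to "does not have any other traffic except MMS" changes the meaning, not just the grammar. The original states the requirement (the APN is meant to carry only MMS, which is why the mappings policy and UseRequiresMappingsPolicy="1" are needed); the new wording asserts it as an existing fact, which makes the rest of the paragraph read as redundant. Suggest keeping "should not" (or "must not"), and while here, wrapping UseRequiresMappingsPolicy and "1" in backticks as the Desc hunk above does.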
@@ -131,7 +141,7 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which
- 5 - Roaming only.
**OEMConnectionID**
-Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
+Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
**ApnId**
Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices.
@@ -145,7 +155,7 @@ Optional. Type: String. Specifies the network protocol of the connection. Availa
**ExemptFromDisablePolicy**
Added back in Windows 10, version 1511.Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt).
-To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF.
+To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection, and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF.
>[!Note]
> Sending MMS while roaming is still not allowed.
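Review bot: the only change in this hunk is a comma before "and that it shouldn't be disabled", but that comma splits the compound object of "indicates that ... and that ..."; it's not needed. Since this paragraph is being touched anyway, the context line two lines above has a missing space in "version 1511.Optional.", and the values "0"/"1" and the two parameter names would read better in backticks, consistent with the Desc hunk.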
@@ -174,7 +184,7 @@ Optional. Type: Int. Specifies how long an on-demand connection can be unused be
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
**SimIccId**
-For single SIM phones, this parm isOptional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
+For single SIM phones, this parm is Optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
**PurposeGroups**
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
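Review bot: "this parm is Optional" should be lowercase ("is optional"); "Optional" is capitalised elsewhere on these pages only as the first word of a field description ("Optional. Type: GUID. ..."). "parm" should also be spelled out as "parameter" in both sentences. Consider restructuring to match the other entries: "Optional for single SIM phones; required for dual SIM phones. Type: String. Specifies the SIM ICCID that services the connection."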
@@ -271,17 +281,7 @@ The following table shows the Microsoft custom elements that this configuration
|Characteristic-query|Yes|
|Parm-query|Yes|
-
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md
index d37ac364ec..3cf035b06c 100644
--- a/windows/client-management/mdm/cmpolicy-csp.md
+++ b/windows/client-management/mdm/cmpolicy-csp.md
@@ -14,13 +14,21 @@ ms.date: 06/26/2017
# CMPolicy CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
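Review bot: two rendering problems here. First, the added applicability table is immediately followed by the context line "The CMPolicy configuration service provider defines rules..." with no blank line; in GFM a non-blank line directly after a table body is parsed as another table row, so that sentence will render inside the table (the TenantLockdown and WiredNetwork hunks later in this series add a `+` blank line after the table, and this one should too). Second, the removed blank line between the `> [!NOTE]` callout and "Each policy entry identifies..." lets that paragraph be absorbed into the callout by lazy continuation unless another blank line remains; check the rendered output. Also, the context sentence "CMPolicy configuration service provider can have multiple policies" is missing "The" and a terminating period.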
@@ -134,7 +142,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
-
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@@ -180,7 +187,9 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo
```
-Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
+Adding a host-based mapping policy:
+
+In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
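Review bot: splitting "Adding a host-based mapping policy." into a colon-terminated lead line plus a separate paragraph makes it inconsistent with the application-based example just above in the same file, which keeps "Adding an application-based mapping policy. In this example, ..." as one paragraph. Apply the same structure to both (or neither), and consider making the lead lines bold labels or headings rather than bare sentences ending in a colon.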
The root node for the Windows Defender Advanced Threat Protection configuration service provider. +The root node for the Windows Defender Advanced Threat Protection configuration service provider. -
Supported operation is Get. +Supported operation is Get. **Onboarding** -
Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. +Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. -
The data type is a string. +The data type is a string. -
Supported operations are Get and Replace. +Supported operations are Get and Replace. **HealthState** -
Node that represents the Windows Defender Advanced Threat Protection health state. +Node that represents the Windows Defender Advanced Threat Protection health state. **HealthState/LastConnected** -
Contains the timestamp of the last successful connection. +Contains the timestamp of the last successful connection. -
Supported operation is Get. +Supported operation is Get. **HealthState/SenseIsRunning** -
Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. +Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. -
The default value is false. +The default value is false. -
Supported operation is Get. +Supported operation is Get. **HealthState/OnboardingState** -
Represents the onboarding state. +Represents the onboarding state. -
Supported operation is Get. +Supported operation is Get. -
The following list shows the supported values: +The following list shows the supported values: -- 0 (default) – Not onboarded. -- 1 – Onboarded +- 0 (default) – Not onboarded. +- 1 – Onboarded **HealthState/OrgId** -
String that represents the OrgID. +String that represents the OrgID. -
Supported operation is Get. +Supported operation is Get. **Configuration** -
Represents Windows Defender Advanced Threat Protection configuration. +Represents Windows Defender Advanced Threat Protection configuration. **Configuration/SampleSharing** -
Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. +Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. -
The following list shows the supported values: +The following list shows the supported values: - 0 – None - 1 (default)– All -
Supported operations are Get and Replace. +Supported operations are Get and Replace. **Configuration/TelemetryReportingFrequency** -
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. +Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. -
The following list shows the supported values: +The following list shows the supported values: -- 1 (default) – Normal -- 2 - Expedite +- 1 (default) – Normal +- 2 - Expedite -
Supported operations are Get and Replace. +Supported operations are Get and Replace. **Offboarding** -
Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. +Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. -
The data type is a string. +The data type is a string. -
Supported operations are Get and Replace. +Supported operations are Get and Replace. **DeviceTagging** -
Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. +Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. -
Supported operations is Get. +Supported operations is Get. **DeviceTagging/Group** -
Added in Windows 10, version 1709. Device group identifiers. +Added in Windows 10, version 1709. Device group identifiers. -
The data type is a string. +The data type is a string. -
Supported operations are Get and Replace. +Supported operations are Get and Replace. **DeviceTagging/Criticality** -
Added in Windows 10, version 1709. Asset criticality value. Supported values: +Added in Windows 10, version 1709. Asset criticality value. Supported values: - 0 - Normal - 1 - Critical -
The data type is an integer. +The data type is an integer. -
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
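Review bot: this file's changes are whitespace-only, but several wording errors in the touched lines survive in the `+` versions: "Supported operations is Get." under DeviceTagging should be "Supported operation is Get." (singular, as under HealthState/LastConnected); "1 (default)– All" under Configuration/SampleSharing is missing a space before the dash; and the supported-value lists mix "–" and "-" as separators ("1 (default) – Normal" vs "2 - Expedite"). Since this series is described as grammar and list cleanup, these should be fixed in the same pass.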
## Examples
-
```xml
The root node for the Reboot configuration service provider. The supported operation is Get. This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. The supported operations are Execute and Get. The supported operation is Get. This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
-Example to configure: 2018-10-25T18:00:00 The supported operations are Get, Add, Replace, and Delete. The supported data type is "String". This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
-Example to configure: 2018-10-25T18:00:00 The supported operations are Get, Add, Replace, and Delete. The supported data type is "String".
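Review bot: the two removed lines ("Example to configure: 2018-10-25T18:00:00 ...") are the only concrete example values for the single-run and daily-recurring schedule nodes, and no `+` replacement is visible in the hunk; if they are not re-added elsewhere in the file, the examples are lost and the "Example to configure" text should be restored (ideally with the value in backticks). Also "ISO 8601" and "ISO8601" are both used in the touched lines; pick one spelling.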
HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
-Here is an example AppLocker publisher rule:
+Here's an example AppLocker publisher rule:
```xml
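Review bot: the contraction change is fine, but the context line above has a stray space in "version- independent rule" (should be "version-independent"); since this hunk already touches the paragraph, it's a cheap fix to include.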
This value will only be present if there is a XAP package associated with the app in the Store.
If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
+|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.
This value will only be present if there's a XAP package associated with the app in the Store.
If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
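Review bot: the added table row spans three physical lines ("|windowsPhoneLegacyId|Same value maps..." continues with "This value will only be present..." and "If this value is populated..." before the closing "|"). Markdown table cells cannot contain line breaks, so everything after the first line will render outside the table; put the whole cell on one line, using `<br>` where a visual break is wanted.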
## Settings apps that rely on splash apps
-These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
+These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
The product name is first part of the PackageFullName followed by the version number.
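Review bot: "they're" is consistent with the contraction changes elsewhere in this series. The context line "The product name is first part of the PackageFullName followed by the version number." is missing "the" before "first part"; since this hunk touches the same section, fix it here.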
@@ -1285,7 +1285,7 @@ The following example for Windows 10 Holographic for Business denies all apps an
## Recommended deny list for Windows Information Protection
-The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications.
+The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator doesn't accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
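Review bot: the contraction is fine, but the sentence it sits in is still hard to parse: "make these apps that are Windows Information Protection allowed" should read something like "accidentally allow these apps under Windows Information Protection", and "will avoid known compatibility issues" should parallel "ensures" (for example, "and avoids known compatibility issues ...").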
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index ba6c37f41f..4870706fd5 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -30,7 +30,7 @@ The CertificateStore configuration service provider is used to add secure socket
> The CertificateStore configuration service provider does not support installing client certificates.
> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive.
-For the CertificateStore CSP, you cannot use the Replace command, unless the node already exists.
+For the CertificateStore CSP, you can't use the Replace command, unless the node already exists.
The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
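Review bot: drop the comma before "unless" in the `+` line; "unless the node already exists" is a restrictive clause. The adjacent context note "The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive" also sits oddly next to the "CA/System is case sensitive" and "My/User is case sensitive" notes later in the same file; worth confirming the two statements refer to different things before this file is considered done.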
@@ -131,7 +131,7 @@ Supported operation is Get.
> CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates.
**My/User**
-Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
+Defines the certificate store that contains public keys for client certificates. It is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
Supported operation is Get.
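Review bot: "It is only used" is inconsistent with the contraction style applied elsewhere in this series ("can't", "doesn't", "Here's"); use "It's only used" here and in the parallel My/System hunk below. Replacing the ambiguous "This" is the right call, but "This store is only used ..." would be clearer than either pronoun.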
@@ -139,7 +139,7 @@ Supported operation is Get.
> My/User is case sensitive.
**My/System**
-Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
+Defines the certificate store that contains public key for client certificate. It is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
Supported operation is Get.
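Review bot: same pronoun swap as My/User; the `+` line also keeps "contains public key for client certificate" and "by enterprise server", which are missing articles ("contains the public key for a client certificate", "by an enterprise server"). Since the My/User entry above already has the fuller wording, consider aligning the two descriptions.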
@@ -371,7 +371,7 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't
Supported operations are Add, Get, Delete, and Replace.
**My/WSTEP/Renew/RenewalPeriod**
-Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
+Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
The default value is 42 and the valid values are 1 – 1000. Value type is an integer.
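Review bot: the `+` line keeps the lowercase "Optional. specifies the time" (should be "Specifies"), and "can't set and update the renewal period" should be "can't set or update". "the renew process" and "the renew period" should be "renewal" in both places, matching the node name RenewalPeriod.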
From 99715d53ceee0d276e92641b02fefa6fc3b36870 Mon Sep 17 00:00:00 2001
From: Shesh <56231259+sheshachary@users.noreply.github.com>
Date: Wed, 30 Mar 2022 19:43:00 +0530
Subject: [PATCH 08/94] sheshachary-5859198
Updated articles with grammar, headings, bullets, and lists.
---
windows/client-management/mdm/tenantlockdown-csp.md | 9 +++++----
windows/client-management/mdm/wirednetwork-csp.md | 6 ++++--
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 52db501db8..cd86953d0f 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -31,13 +31,14 @@ TenantLockdown
The root node.
**RequireNetworkInOOBE**
-Specifies whether to require a network connection during the out-of-box experience (OOBE) at first logon.
+Specifies whether a network connection is required during the out-of-box experience (OOBE) at first logon.
When RequireNetworkInOOBE is true, when the device goes through OOBE at first logon or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option.
-Value type is bool. Supported operations are Get and Replace.
+- Value type is bool.
+- Supported operations are Get and Replace.
-- true - Require network in OOBE
-- false - No network connection requirement in OOBE
+ - True - Require network in OOBE.
+ - False - No network connection requirement in OOBE.
Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
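Review bot: the new sub-bullets "True"/"False" are indented under "Supported operations are Get and Replace.", but they are the allowed values of the bool, so they belong under "Value type is bool." Capitalising them is also at odds with the context line "When RequireNetworkInOOBE is true"; keep them lowercase, in backticks, as `true`/`false`.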
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index fc6a7c7176..25ed7d7e56 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -44,12 +44,14 @@ Root node.
**LanXML**
Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx.
-Supported operations are Add, Get, Replace, and Delete. Value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
+- Value type is string.
**EnableBlockPeriod**
Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
+- Value type is integer.
The following example shows how to add a wired network profile:
```xml
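Review bot: the bullet conversion matches the TenantLockdown hunk, fine. The context line for LanXML reads "XML describing the wired network configuration and follows the LAN_profile schemas https://..." which is ungrammatical ("and follows" has no subject) and pastes a bare URL; suggest "XML that describes the wired network configuration and follows the [LAN_profile schemas](https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx)."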
From 9ad5a17efaa9e7940e4e65a5877e7ba35ec97b01 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Thu, 31 Mar 2022 10:03:35 +0530
Subject: [PATCH 09/94] CSP improvement : part 2
The updates were made as per Task: 5864419. Thanks!
---
.../mdm/accountmanagement-ddf.md | 7 ++-
.../mdm/accounts-ddf-file.md | 11 ++--
.../mdm/activesync-ddf-file.md | 14 +----
.../mdm/alljoynmanagement-ddf.md | 14 +----
.../mdm/applicationcontrol-csp-ddf.md | 29 +++++-----
.../mdm/applocker-ddf-file.md | 14 +----
.../mdm/assignedaccess-ddf.md | 18 ++-----
.../mdm/bitlocker-ddf-file.md | 4 ++
.../mdm/certificatestore-ddf-file.md | 26 ++++-----
windows/client-management/mdm/cleanpc-ddf.md | 16 ++----
.../mdm/clientcertificateinstall-csp.md | 24 ++++-----
.../mdm/clientcertificateinstall-ddf-file.md | 53 ++++++++-----------
.../client-management/mdm/wifi-ddf-file.md | 4 +-
.../mdm/win32appinventory-ddf-file.md | 14 +----
.../mdm/win32compatibilityappraiser-ddf.md | 34 ++++++------
.../windowsadvancedthreatprotection-ddf.md | 34 ++++--------
.../mdm/windowsautopilot-ddf-file.md | 8 ++-
...indowsdefenderapplicationguard-ddf-file.md | 10 ++--
.../mdm/windowslicensing-ddf-file.md | 12 +++--
19 files changed, 139 insertions(+), 207 deletions(-)
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index c4c26237bc..51380b7ed8 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
@@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803.
Messages assigned this role indicate that the device knows the address to the Push Proxy Gateway.|
|SECROLE_ANY_PUSH_SOURCE|4096|Push Router.
Messages received by the push router will be assigned to this role.|
-
-
## OMA Client Provisioning examples
-
Setting a security policy:
```xml
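Review bot: the table rows in the context lines span multiple physical lines ("|SECROLE_ANY_PUSH_SOURCE|4096|Push Router." with "Messages received by the push router will be assigned to this role.|" on the next line); markdown tables need each row on one line, so the description column will render broken. This hunk only removes blank lines, but since the file is being cleaned up, collapse each row onto a single line (use `<br>` if the break is wanted).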
@@ -147,7 +153,6 @@ Querying a security policy:
## OMA DM examples
-
Setting a security policy:
```xml
@@ -192,7 +197,6 @@ Querying a security policy:
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this Configuration Service Provider supports for OMA Client Provisioning.
|Elements|Available|
@@ -200,9 +204,6 @@ The following table shows the Microsoft custom elements that this Configuration
|parm-query|Yes|
|noparm|Yes. If this is used, then the policy is set to 0 by default (corresponding to the most restrictive of policy values).|
-
-
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index 0caf884acf..b4362ef4e2 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -14,6 +14,15 @@ ms.date: 01/16/2019
# SharedPC CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The SharedPC configuration service provider is used to configure settings for Shared PC usage.
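Review bot: there is no blank line between the last table row "|Education|Yes|Yes|" and "The SharedPC configuration service provider is used..."; in GFM a non-blank line right after a table body is parsed as another row, so the sentence will render inside the table. Add a `+` blank line, as the TenantLockdown and WiredNetwork hunks in this same commit do.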
@@ -220,7 +229,6 @@ The default in the SharedPC provisioning package is 1024.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index a0a6f61faf..81facaf312 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# SharedPC DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **SharedPC** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -436,7 +435,6 @@ The XML below is the DDF for Windows 10, version 1703.
## Related topics
-
[SharedPC configuration service provider](sharedpc-csp.md)
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index e1acdad375..ffb4e8ecb7 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -13,6 +13,16 @@ manager: dansimp
# TenantLockdown CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809.
@@ -42,3 +52,7 @@ When RequireNetworkInOOBE is true, when the device goes through OOBE at first lo
- False - No network connection requirement in OOBE.
Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
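Review bot: the added Related topics section leaves the file without a trailing newline ("\ No newline at end of file"); add one so the next diff to this file doesn't show a spurious change to the link line.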
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index af4f245a6e..39e3ddcd74 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -75,3 +75,7 @@ The XML below is for Windows 10, version 1809.
```
+
+## Related topics
+
+[Tenantlockdown csp](tenantlockdown-csp.md)
\ No newline at end of file
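Review bot: same missing trailing newline as tenantlockdown-csp.md. The link text "[Tenantlockdown csp]" also doesn't match the casing used for the same pattern in wirednetwork-ddf-file.md ("[WiredNetwork CSP]") or the page title "TenantLockdown CSP"; use "[TenantLockdown CSP]".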
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index b5bf0b4ed1..2f53b40641 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -13,6 +13,16 @@ manager: dansimp
# WiredNetwork CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -72,3 +82,7 @@ The following example shows how to add a wired network profile:
```
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
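Review bot: missing trailing newline again ("\ No newline at end of file"); the sibling wirednetwork-ddf-file.md hunk below ends cleanly, so this one should too.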
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index bc61e8f7d0..f527c65745 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -167,3 +167,7 @@ The XML below is the current version for this CSP.
```
+
+## Related topics
+
+[WiredNetwork CSP](wirednetwork-csp.md)
From 002b09d9c7e84765c10275f146299c227478d6aa Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Tue, 5 Apr 2022 10:10:34 +0530
Subject: [PATCH 18/94] CSP Windows 11 updates -part 4
Updated as per task: 5864419. Thanks!
---
.../mdm/enrollmentstatustracking-csp.md | 64 ++-
.../mdm/enterpriseapn-csp.md | 130 +++---
.../mdm/enterpriseappmanagement-csp.md | 42 +-
.../mdm/enterprisedataprotection-csp.md | 96 ++--
.../mdm/enterprisedesktopappmanagement-csp.md | 66 ++-
.../mdm/enterprisemodernappmanagement-csp.md | 233 +++++-----
windows/client-management/mdm/euiccs-csp.md | 73 ++-
windows/client-management/mdm/firewall-csp.md | 414 ++++++++++--------
.../mdm/healthattestation-csp.md | 260 +++++------
.../client-management/mdm/messaging-csp.md | 43 +-
10 files changed, 768 insertions(+), 653 deletions(-)
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md
index 3b4e865ccb..63b1aafdd5 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@@ -11,13 +11,22 @@ ms.date: 05/21/2019
# EnrollmentStatusTracking CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status).
-ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. See [DMClient CSP](dmclient-csp.md) for more information.
+ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. For more information, see [DMClient CSP](dmclient-csp.md).
The EnrollmentStatusTracking CSP was added in Windows 10, version 1903.
-
The following shows the EnrollmentStatusTracking CSP in tree format.
```
./User/Vendor/MSFT
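Review bot: the blank line removed between "The EnrollmentStatusTracking CSP was added in Windows 10, version 1903." and "The following shows the EnrollmentStatusTracking CSP in tree format." is the only separator visible in the hunk; if no other blank line remains there, the two sentences will render as one paragraph, so verify a blank line still separates them.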
@@ -59,6 +68,7 @@ EnrollmentStatusTracking
------------------------RebootRequired
--------HasProvisioningCompleted
```
+
**./Vendor/MSFT**
For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path.
@@ -93,10 +103,11 @@ Communicates the policy provider installation state back to ESP.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
-- 1 — NotInstalled
-- 2 — NotRequired
-- 3 — Completed
-- 4 — Error
+
+- 1—NotInstalled
+- 2—NotRequired
+- 3—Completed
+- 4—Error
**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/LastError**
Required. This node is supported only in device context.
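Review bot: dropping the spaces around the em dash (`- 1—NotInstalled` instead of `- 1 — NotInstalled`) makes the value lists denser and harder to scan, and this hunk applies the same change to every value list in the file; unless the style guide requires unspaced em dashes, prefer `- 1: NotInstalled` or keep the spaced form. The blank line inserted before the list is correct, since Markdown needs it after the preceding "Expected values are as follows:" paragraph.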
@@ -127,8 +138,9 @@ This node specifies if the policy provider is registered for app provisioning.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. Expected values are as follows:
-- false — Indicates that the policy provider is not registered for app provisioning. This is the default.
-- true — Indicates that the policy provider is registered for app provisioning.
+
+- false—Indicates that the policy provider isn't registered for app provisioning. This is the default.
+- true—Indicates that the policy provider is registered for app provisioning.
**EnrollmentStatusTracking/Setup**
Required. This node is supported in both user context and device context.
@@ -150,7 +162,7 @@ Scope is permanent. Supported operation is Get.
**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName***
Optional. This node is supported in both user context and device context.
-Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true.
+Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it shouldn't show the tracking status message until the TrackingPoliciesCreated node has been set to true.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@@ -161,8 +173,9 @@ Indicates if the provider has created the required policies for the ESP to use f
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. The expected values are as follows:
-- true — Indicates that the provider has created the required policies.
-- false — Indicates that the provider has not created the required policies. This is the default.
+
+- true—Indicates that the provider has created the required policies.
+- false—Indicates that the provider hasn't created the required policies. This is the default.
**EnrollmentStatusTracking/Setup/Apps/Tracking**
Required. This node is supported in both user context and device context.
@@ -178,7 +191,7 @@ Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_**
Optional. This node is supported in both user context and device context.
-Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP does not use the app name directly.
+Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP doesn't use the app name directly.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@@ -189,21 +202,23 @@ Represents the installation state for the app. The policy providers (not the MDM
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
-- 1 — NotInstalled
-- 2 — InProgress
-- 3 — Completed
-- 4 — Error
+
+- 1—NotInstalled
+- 2—InProgress
+- 3—Completed
+- 4—Error
**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired**
Optional. This node is supported in both user context and device context.
-Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers do not set this node, the ESP will not reboot the device for the app installation.
+Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers don't set this node, the ESP won't reboot the device for the app installation.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
-- 1 — NotRequired
-- 2 — SoftReboot
-- 3 — HardReboot
+
+- 1—NotRequired
+- 2—SoftReboot
+- 3—HardReboot
**EnrollmentStatusTracking/Setup/HasProvisioningCompleted**
Required. This node is supported in both user context and device context.
@@ -212,5 +227,10 @@ ESP sets this node when it completes. Providers can query this node to determine
Scope is permanent. Supported operation is Get.
Value type is boolean. Expected values are as follows:
-- true — Indicates that ESP has completed. This is the default.
-- false — Indicates that ESP is displayed, and provisioning is still going.
\ No newline at end of file
+
+- true—Indicates that ESP has completed. This is the default.
+- false—Indicates that ESP is displayed, and provisioning is still going.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
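Review bot: the file still ends without a trailing newline; the `\ No newline at end of file` marker that was attached to the old `- false — Indicates that ESP is displayed...` line now attaches to the new `[Configuration service provider reference](configuration-service-provider-reference.md)` link. Add the newline so the next edit to this file does not produce the same noise.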
diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md
index 2b50af966e..b279b0bc1e 100644
--- a/windows/client-management/mdm/enterpriseapn-csp.md
+++ b/windows/client-management/mdm/enterpriseapn-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAPN CSP
-description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
+description: Learn how the EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2
ms.reviewer:
manager: dansimp
@@ -14,10 +14,20 @@ ms.date: 09/22/2017
# EnterpriseAPN CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet.
> [!Note]
-> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
+> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10/Windows 11 Home, Pro, Enterprise, and Education editions.
The following shows the EnterpriseAPN configuration service provider in tree format.
```
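Review bot: the new applicability table marks Business as "Yes", but the note a few lines below, now reading "supported in Windows 10/Windows 11 Home, Pro, Enterprise, and Education editions", still omits Business, so the two statements disagree; either drop the Business row or reword the note. The note is largely redundant once the table exists, so consider reducing it to the "Starting in Windows 10, version 1703" qualifier.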
@@ -39,111 +49,112 @@ EnterpriseAPN
--------HideView
```
**EnterpriseAPN**
-
The root node for the EnterpriseAPN configuration service provider.
+The root node for the EnterpriseAPN configuration service provider. **EnterpriseAPN/***ConnectionName* -Name of the connection as seen by Windows Connection Manager.
+Name of the connection as seen by Windows Connection Manager. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/APNName** -Enterprise APN name.
+Enterprise APN name. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IPType** -This value can be one of the following:
+This value can be one of the following: -- IPv4 - only IPV4 connection type -- IPv6 - only IPv6 connection type -- IPv4v6 (default)- IPv4 and IPv6 concurrently. -- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat +- IPv4 - only IPV4 connection type. +- IPv6 - only IPv6 connection type. +- IPv4v6 (default)- IPv4 and IPv6 concurrently. +- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IsAttachAPN** -Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
+Boolean value that indicates whether this APN should be requested as part of an LTE Attach. -Supported operations are Add, Get, Delete, and Replace.
+Default value is false. + +Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/ClassId** -GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.
+GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/AuthType** -Authentication type. This value can be one of the following:
+Authentication type. This value can be one of the following: -- None (default) -- Auto -- PAP -- CHAP -- MSCHAPv2 +- None (default) +- Auto +- PAP +- CHAP +- MSCHAPv2 -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/UserName** -User name for use with PAP, CHAP, or MSCHAPv2 authentication.
+User name for use with PAP, CHAP, or MSCHAPv2 authentication. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Password** -Password corresponding to the username.
+Password corresponding to the username. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IccId** -Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
+Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/AlwaysOn** -Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
+Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available. -The default value is true.
+The default value is true. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Enabled** -Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
+Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled. -The default value is true.
+The default value is true. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Roaming** -Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
+Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values are: -Default is 1 (all roaming allowed).
+Default is 1 (all roaming allowed). -Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. +Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/Settings** -Added in Windows 10, version 1607. Node that contains global settings.
+Added in Windows 10, version 1607. Node that contains global settings. **EnterpriseAPN/Settings/AllowUserControl** -Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
+Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN. -The default value is false.
+The default value is false. -Supported operations are Get and Replace.
+Supported operations are Get and Replace. **EnterpriseAPN/Settings/HideView** -Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
+Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true. -The default value is false.
+The default value is false. -Supported operations are Get and Replace.
+Supported operations are Get and Replace. ## Examples @@ -290,15 +301,4 @@ atomicZ ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 4192b8bdcc..6893031aed 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseAppManagement CSP -description: Handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP). +description: Learn how to handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP). ms.assetid: 698b8bf4-652e-474b-97e4-381031357623 ms.reviewer: manager: dansimp @@ -14,12 +14,10 @@ ms.date: 06/26/2017 # EnterpriseAppManagement CSP - The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment. > [!NOTE] > The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core. - The following shows the EnterpriseAppManagement configuration service provider in tree format. @@ -52,7 +50,7 @@ EnterpriseAppManagement ``` ***EnterpriseID*** -Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. +Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications. Supported operations are Add, Delete, and Get. 
@@ -84,8 +82,6 @@ Supported operations are Get and Add. > [!NOTE] > Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00 - - ***EnterpriseID*/Status** Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic. @@ -168,7 +164,7 @@ Required. The integer value that indicates the status of the current download pr |4: INSTALLING|Handed off for installation.| |5: INSTALLED|Successfully installed| |6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)| -|7:DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.| +|7: DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.| Scope is dynamic. Supported operations are Get, Add, and Replace. 
@@ -187,14 +183,13 @@ Supported operation is Exec. ## Remarks - ### Install and Update Line of Business (LOB) applications -A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support a variety of file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. +A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications supports various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. ### Uninstall Line of Business (LOB) applications -A workplace can also remotely uninstall Line of Business applications on the device. It is not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that are not installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section +A workplace can also remotely uninstall Line of Business applications on the device. It isn't possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section ### Query installed Store application 
@@ -240,25 +235,18 @@ Response from the device (it contains list of subnodes if this app is installed All node values under the ProviderID interior node represent the policy values that the management server wants to set. -- An Add or Replace command on those nodes returns success in both of the following cases: - - - The value is actually applied to the device. - - - The value isn’t applied to the device because the device has a more secure value set already. - +- An Add or Replace command on those nodes returns success in both of the following cases: + - The value is applied to the device. + - The value isn’t applied to the device because the device has a more secure value set already. From a security perspective, the device complies with the policy request that is at least as secure as the one requested. - -- A Get command on those nodes returns the value that the server pushes down to the device. - -- If a Replace command fails, the node value is set to be the previous value before Replace command was applied. - -- If an Add command fails, the node is not created. +- A Get command on those nodes returns the value that the server pushes down to the device. +- If a Replace command fails, the node value is set to be the previous value before Replace command was applied. +- If an Add command fails, the node is not created. The value actually applied to the device can be queried via the nodes under the DeviceValue interior node. ## OMA DM examples - Enroll enterprise ID “4000000001” for the first time: ```xml 
@@ -427,18 +415,15 @@ Response from the device (that contains two installed applications): ## Install and update an enterprise application - Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”. -To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog. +To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application doesn't exist, the application will be silently installed without any user interaction. If the application can't be installed, the user will be notified with an Alert dialog. > [!NOTE] +> > - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). -> > - The application product ID curly braces need to be escaped where { is %7B and } is %7D. - - ```xmlRoot node for the Firewall configuration service provider.
+Root node for the Firewall configuration service provider. **MdmStore** -Interior node.
-Supported operation is Get.
+Interior node. +Supported operation is Get. **MdmStore/Global** -Interior node.
-Supported operations are Get.
+Interior node. +Supported operations are Get. **MdmStore/Global/PolicyVersionSupported** -Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
-Value type in integer. Supported operation is Get.
+Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build. +Value type in integer. Supported operation is Get. **MdmStore/Global/CurrentProfiles** -Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
-Value type in integer. Supported operation is Get.
+Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it isn't merged and has no merge law. +Value type in integer. Supported operation is Get. **MdmStore/Global/DisableStatefulFtp** -Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
-Default value is false.
-Data type is bool. Supported operations are Add, Get, Replace, and Delete.
+Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win. +Default value is false. + +Data type is bool. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/SaIdleTime** -This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 300.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 300. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/PresharedKeyEncoding** -Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 1.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES enumeration](/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909). The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 1. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/IPsecExempt** -This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 0. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/CRLcheck** -This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued: + +- 0 disables CRL checking. +- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail. +- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. + +Default value is 0. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/PolicyVersion** -This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
-Value type is string. Supported operation is Get.
+This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law. +Value type is string. Supported operation is Get. **MdmStore/Global/BinaryVersionSupported** -This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
-Value type is string. Supported operation is Get.
+This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. +Value type is string. Supported operation is Get. **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Boolean value. Supported operations are Add, Get, Replace, and Delete.
+This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. +Boolean value. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/EnablePacketQueue** -This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
+This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values: -Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/DomainProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get. **MdmStore/PrivateProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get. **MdmStore/PublicProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get. **/EnableFirewall** -Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/DisableStealthMode** -Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. + +Value type is bool. Supported operations are Add, Get and Replace. **/Shielded** -Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
-Default value is false.
-Value type is bool. Supported operations are Get and Replace.
+Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win. +Default value is false. + +Value type is bool. Supported operations are Get and Replace. **/DisableUnicastResponsesToMulticastBroadcast** -Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. + +Value type is bool. Supported operations are Add, Get and Replace. **/DisableInboundNotifications** -Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. + +Value type is bool. Supported operations are Add, Get and Replace. **/AuthAppsAllowUserPrefMerge** -Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/GlobalPortsAllowUserPrefMerge** -Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/AllowLocalPolicyMerge** -Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/AllowLocalIpsecPolicyMerge** -Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.
-Default value is 0 (allow).
-Value type is integer. Supported operations are Add, Get and Replace.
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block. + +- 0x00000000 - allow +- 0x00000001 - block + +Default value is 0 (allow). + +Value type is integer. Supported operations are Add, Get and Replace. Sample syncxml to provision the firewall settings to evaluate @@ -261,163 +283,169 @@ Sample syncxml to provision the firewall settings to evaluateThis value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
-Default value is 1 (block).
-Value type is integer. Supported operations are Add, Get and Replace.
+This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used. + +- 0x00000000 - allow +- 0x00000001 - block + +Default value is 1 (block). +Value type is integer. Supported operations are Add, Get and Replace. **/DisableStealthModeIpsecSecuredPacketExemption** -Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **FirewallRules** -A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. **FirewallRules/_FirewallRuleName_** -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
-Supported operations are Add, Get, Replace, and Delete.
+Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). +Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App** -Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
-If not specified, the default is All.
-Supported operation is Get.
+Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes: + +- PackageFamilyName +- FilePath +- FQBN +- ServiceName + +If not specified, the default is All. +Supported operation is Get. **FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/FilePath** -This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/Fqbn** -Fully Qualified Binary Name
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Fully Qualified Binary Name +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/ServiceName** -This is a service name used in cases when a service, not an application, is sending or receiving traffic.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This is a service name used in cases when a service, not an application, is sending or receiving traffic. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Protocol** -0-255 number representing the ip protocol (TCP = 6, UDP = 17)
-If not specified, the default is All.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+0-255 number representing the ip protocol (TCP = 6, UDP = 17) +If not specified, the default is All. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/LocalPortRanges** -Comma separated list of ranges. For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges. For example, 100-120,200,300-320. +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/RemotePortRanges** -Comma separated list of ranges, For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges, For example, 100-120,200,300-320. +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/*FirewallRuleName*/LocalAddressRanges** -Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: + +- "*" indicates any local address. If present, this must be the only token included. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address - end address" with no spaces included. +- An IPv6 address range in the format of "start address - end address" with no spaces included. + +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
-The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
+List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: + +- "*" indicates any remote address. If present, this must be the only token included. +- "Defaultgateway" +- "DHCP" +- "DNS" +- "WINS" +- "Intranet" +- "RmtIntranet" +- "Internet" +- "Ply2Renders" +- "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address - end address" with no spaces included. +- An IPv6 address range in the format of "start address - end address" with no spaces included. + +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. +The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later. **FirewallRules/_FirewallRuleName_/Description** -Specifies the description of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the description of the rule. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Enabled** -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -
If not specified - a new rule is enabled by default.
-Boolean value. Supported operations are Get and Replace.
+Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is enabled by default. +Boolean value. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Profiles** -Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
-If not specified, the default is All.
-Value type is integer. Supported operations are Get and Replace.
+Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. +If not specified, the default is All. +Value type is integer. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Action** -Specifies the action for the rule.
-Supported operation is Get.
+Specifies the action for the rule. +Supported operation is Get. **FirewallRules/_FirewallRuleName_/Action/Type** -Specifies the action the rule enforces. Supported values:
-If not specified, the default is allow.
-Value type is integer. Supported operations are Get and Replace.
+Specifies the action the rule enforces. Supported values: + +- 0 - Block +- 1 - Allow + +If not specified, the default is allow. +Value type is integer. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Direction** -The rule is enabled based on the traffic direction as following. Supported values:
-Value type is string. Supported operations are Get and Replace.
+The rule is enabled based on the traffic direction as following. Supported values: + +- IN - the rule applies to inbound traffic. +- OUT - the rule applies to outbound traffic. +- If not specified, the default is Out. + +Value type is string. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/InterfaceTypes** -Comma separated list of interface types. Valid values:
-If not specified, the default is All.
-Value type is string. Supported operations are Get and Replace.
+Comma separated list of interface types. Valid values: + +- RemoteAccess +- Wireless +- Lan + +If not specified, the default is All. +Value type is string. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/EdgeTraversal** -Indicates whether edge traversal is enabled or disabled for this rule.
-The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
-New rules have the EdgeTraversal property disabled by default.
-Value type is bool. Supported operations are Add, Get, Replace, and Delete.
+Indicates whether edge traversal is enabled or disabled for this rule. +The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. +New rules have the EdgeTraversal property disabled by default. +Value type is bool. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Status** -Provides information about the specific version of the rule in deployment for monitoring purposes.
-Value type is string. Supported operation is Get.
+Provides information about the specific version of the rule in deployment for monitoring purposes. +Value type is string. Supported operation is Get. **FirewallRules/_FirewallRuleName_/Name** -Name of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Name of the rule. +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 2513599a28..12e4ef5132 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
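Review bot: In the `@@ -261,163 +283,169 @@` hunk, the DefaultInboundAction paragraph still reads "let the value of the GroupPolicyRSoPStore.win if it's configured" on the `+` side; drop the stray period ("GroupPolicyRSoPStore win if it's configured") so it matches the DefaultOutboundAction paragraph just above it. Several other typos are carried unchanged from the `-` lines into the rewritten `+` lines and should be fixed while these paragraphs are being touched: "Valid valued:" under MdmStore/Global/CRLcheck (should be "Valid values:"), "If neither a subnet mask not a network prefix is specified" in the RemoteAddressRanges token list (should be "nor", as the LocalAddressRanges list already says), and the double period in "Domain, Private, Public. . See [FW_PROFILE_TYPE]" under Profiles. Under MdmStore/Global/EnablePacketQueue the `+` text ends with "Valid values:" and goes straight on to "Default value is 0."; the CRLcheck, DefaultOutboundAction and DefaultInboundAction paragraphs gained explicit value lists in this change, so either add the flag list here too or drop the dangling "Valid values:" line. Under DefaultOutboundAction, "DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block" reads as though blocking were the default, yet the same paragraph states "Default value is 0 (allow)"; suggest "When set to 1 (block), all outbound traffic is blocked unless a rule explicitly allows it." Finally, under Direction the sentence "If not specified, the default is Out." was added as a third bullet of the IN/OUT list; every other node keeps its "If not specified" sentence as its own paragraph, so move it out of the list.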
@@ -14,18 +14,28 @@ ms.date: # Device HealthAttestation CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following is a list of functions performed by the Device HealthAttestation CSP: -- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device -- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) -- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) +- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device +- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) +- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device +- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) ## Windows 11 Device health attestation -Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. 
Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. +Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces extra child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. 
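Review bot: The four "Collects device boot logs ... / Forwards DHA-BootData ... / Receives an encrypted blob ... / Receives attestation requests ..." items in the `@@ -14,18 +14,28 @@` hunk are identical on the `-` and `+` sides as far as visible text goes, so the change there is whitespace only (presumably trailing spaces); that is fine to keep, but say so in the commit description so reviewers don't hunt for a wording change. In the merged Windows 11 paragraph, "This helps add support for deeper insights to Windows boot security" is carried over unchanged; since the paragraph is being reflowed anyway, "This update adds support for deeper insights into Windows boot security" reads better.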
@@ -48,7 +58,7 @@ The attestation report provides a health assessment of the boot-time properties - **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. -- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. +- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it's digitally signed. JWTs can be signed using a secret or a public/private key pair. ### Attestation Flow with Microsoft Azure Attestation Service @@ -63,6 +73,7 @@ Attestation flow can be broadly in three main steps: For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol). ### Configuration Service Provider Nodes + Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service. ```console 
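Review bot: In the `@@ -48,7 +58,7 @@` hunk the JWT bullet gets the "it's" contraction, but the MAA endpoint bullet directly above it, carried as context, still says "every instance of the service gets administrator configured URL"; while this list is being touched, make that "gets an administrator-configured URL". The JWT line itself is accurate: the signature is what lets the receiver verify the token, and "signed using a secret or a public/private key pair" correctly covers both HMAC and asymmetric signing.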
@@ -125,10 +136,10 @@ Templated SyncML Call: Data fields: - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. -- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. -- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. +- serviceEndpoint: This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. +- nonce: This field contains an arbitrary number that can be used once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. - aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. -- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes. +- cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, that can be used for diagnostics purposes. Sample Data: @@ -182,7 +193,7 @@ Example: 0x80072efd, WININET_E_CANNOT_CONNECT Node type: GET -This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. +This node will retrieve the attestation report per the call made by the TriggerAttestation, if there's any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. Templated SyncML Call: 
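Review bot: In the `@@ -125,10 +136,10 @@` hunk the cv bullet fixes the missing "be" but keeps two other problems from the `-` line: "identifier(Correlation Vector)" needs a space before the parenthesis, and "that will be passed in to the service call, that can be used for diagnostics purposes" stacks two "that" clauses; suggest "cv: This field contains an identifier (Correlation Vector) that is passed in to the service call and can be used for diagnostics purposes." The nonce bullet's change from "used just once" to "used once" is harmless, but "an arbitrary number that can be used only once" keeps the replay-protection meaning of the sentence clearer.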
@@ -217,7 +228,7 @@ OR Sync ML 404 error if not cached report available. Node type: GET -This node will retrieve the service-generated correlation IDs for the given MDM provider. If there is more than one correlation ID, they are separated by “;” in the string. +This node will retrieve the service-generated correlation IDs for the given MDM provider. If there's more than one correlation ID, they're separated by “;” in the string. Templated SyncML Call: @@ -249,8 +260,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo ``` > [!NOTE] -> > MAA CSP nodes are available on arm64 but is not currently supported. - +> MAA CSP nodes are available on arm64 but is not currently supported. ### MAA CSP Integration Steps @@ -490,7 +500,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. - - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-SignedBlob: it's a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts: - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service 
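Review bot: The `@@ -249,8 +260,7 @@` hunk collapses the empty `>` line of the note but keeps the subject-verb mismatch "MAA CSP nodes are available on arm64 but is not currently supported"; since the line is being rewritten anyway, change it to "... but are not currently supported". In `@@ -217,7 +228,7 @@` the contraction changes are fine; the context line "Sync ML 404 error if not cached report available" is untouched but would read better as "SyncML 404 error if no cached report is available" if this hunk is revised.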
@@ -510,7 +520,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action -- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed. +- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties can't be spoofed. The following list of operations is performed by DHA-CSP: @@ -536,7 +546,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes |--- |--- |--- | |Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:Root node for the Messaging configuration service provider.
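Review bot: "kernel level malware" in the `+` line of the @@ -510,7 +520,7 hunk should be hyphenated as "kernel-level malware"; while touching that sentence, "these properties can't be spoofed" holds because the measurements are taken by firmware and the TPM before Windows boots, which is what the sentence means but does not say, so "measured before the operating system starts" would make it precise. The @@ -536,7 +546,7 hunk is cut off after the first cell of the DHA-Cloud table row, so that change cannot be reviewed as shown here; please re-check the table in the rendered diff.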
+Root node for the Messaging configuration service provider. **AuditingLevel** -Turns on the "Text" auditing feature.
-The following list shows the supported values:
-Supported operations are Get and Replace.
+Turns on the "Text" auditing feature. +The following list shows the supported values: + +- 0 (Default) - Off +- 1 - On + +Supported operations are Get and Replace. **Auditing** -Node for auditing.
-Supported operation is Get.
+Node for auditing. +Supported operation is Get. **Messages** -Node for messages.
-Supported operation is Get.
+Node for messages. +Supported operation is Get. **Count** -The number of messages to return in the Data setting. The default is 100.
-Supported operations are Get and Replace.
+The number of messages to return in the Data setting. The default is 100. +Supported operations are Get and Replace. **RevisionId** -Retrieves messages whose revision ID is greater than RevisionId.
-Supported operations are Get and Replace.
+Retrieves messages whose revision ID is greater than RevisionId. +Supported operations are Get and Replace. **Data** -The JSON string of text messages on the device.
-Supported operations are Get and Replace.
- +The JSON string of text messages on the device. +Supported operations are Get and Replace. **SyncML example** @@ -111,3 +110,7 @@ MessagingRoot node for the EnterpriseAppVManagement configuration service provider.
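Review bot: the Messaging CSP hunks here (`AuditingLevel` through `Data` and @@ -111,3 +110,7) rework messaging-csp.md, but PATCH 24/94 later in this same series deletes messaging-csp.md and messaging-ddf.md and removes the Messaging CSP entry from the reference page, so this work is discarded two commits later; either drop these hunks or squash the two commits so reviewers are not asked to check text that is about to vanish. If the page does survive, the `Data` node is documented as "The JSON string of text messages on the device" with "Supported operations are Get and Replace": a node that hands the device's text messages to the MDM server deserves a sentence on what Replace does and which enrollment scope can read it.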
+Root node for the EnterpriseAppVManagement configuration service provider. **AppVPackageManagement** -Used to query App-V package information (post-publish).
+Used to query App-V package information (post-publish). **AppVPackageManagement/EnterpriseID** -Used to query package information. Value is always "HostedInstall".
+Used to query package information. Value is always "HostedInstall". **AppVPackageManagement/EnterpriseID/PackageFamilyName** -Package ID of the published App-V package.
+Package ID of the published App-V package. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*** -Version ID of the published App-V package.
+Version ID of the published App-V package. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name** -Name specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Name specified in the published AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version** -Version specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Version specified in the published AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher** -Publisher as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Publisher as specified in the published asset information of the AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation** -Local package path specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Local package path specified in the published asset information of the AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate** -Date the app was installed, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Date the app was installed, as specified in the published asset information of the AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users** -Registered users for app, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Registered users for app, as specified in the published asset information of the AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId** -Package ID of the published App-V package.
-Value type is string. Supported operation is Get.
+ Package ID of the published App-V package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId** -Version ID of the published App-V package.
-Value type is string. Supported operation is Get.
+Version ID of the published App-V package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri** -Package URI of the published App-V package.
-Value type is string. Supported operation is Get.
+Package URI of the published App-V package. + +Value type is string. + +Supported operation is Get. **AppVPublishing** -Used to monitor publishing operations on App-V.
+Used to monitor publishing operations on App-V. **AppVPublishing/LastSync** -Used to monitor publishing status of last sync operation.
+Used to monitor publishing status of last sync operation. **AppVPublishing/LastSync/LastError** -Error code and error description of last sync operation.
-Value type is string. Supported operation is Get.
+Error code and error description of last sync operation. + +Value type is string. + +Supported operation is Get. **AppVPublishing/LastSync/LastErrorDescription** -Last sync error status. One of the following values may be returned:
+Last sync error status. One of the following values may be returned: - SYNC\_ERR_NONE (0) - No errors during publish. - SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish. @@ -116,10 +156,12 @@ EnterpriseAppVManagement - SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish. - SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish. -Value type is string. Supported operation is Get.
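Review bot: the `+` line for `AppVPackageId` in this first hunk has a stray leading space (`+ Package ID of the published App-V package.`), which Markdown renders as an indented line; drop the space. In the same hunk the `PackageFamilyName` heading is written `**AppVPackageManagement/EnterpriseID/PackageFamilyName**` while every sibling italicizes the placeholders (`*EnterpriseID*`, `*PackageFamilyName*`); make it consistent. The descriptions also duplicate: `PackageFamilyName` is described as "Package ID of the published App-V package", the same text used for `AppVPackageId`, and `PackageFullName` as "Version ID of the published App-V package", the same as `AppVVersionId`; if these nodes hold the family name and full name, as the node names say, the descriptions should say so. Finally, the value list in the @@ -116,10 +156,12 hunk escapes underscores inconsistently (`SYNC\_ERR_NONE` vs `SYNC\_ERR\_UNPUBLISH_GROUPS`); escape all or none.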
+Value type is string. + +Supported operation is Get. **AppVPublishing/LastSync/SyncStatusDescription** -Latest sync in-progress stage. One of the following values may be returned:
+Latest sync in-progress stage. One of the following values may be returned: - SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle. - SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress. @@ -127,9 +169,12 @@ EnterpriseAppVManagement - SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress. - SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress. -Value type is string. Supported operation is Get.
+Value type is string. -AppVPublishing/LastSync/SyncProgressLatest sync state. One of the following values may be returned:
+Supported operation is Get. + +**AppVPublishing/LastSync/SyncProgress** +Latest sync state. One of the following values may be returned: - SYNC\_STATUS_IDLE (0) - App-V Sync is idle. - SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing. @@ -137,22 +182,30 @@ EnterpriseAppVManagement - SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete. - SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot. -Value type is string. Supported operation is Get.
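Review bot: the context line `SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4)` beside the @@ -127,9 +169,12 hunk has the backslash in the wrong place and should be `SYNC\_PROGRESS\_UNPUBLISH_PACKAGES (4)`; since the hunk already touches this list, fix it here. In the same list, `SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1)` is described as "App-V connection groups publish in progress" although the constant name says unpublish; one of the two is wrong and the description should match the constant.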
+Value type is string. + +Supported operation is Get. **AppVPublishing/Sync** -Used to perform App-V synchronization.
+Used to perform App-V synchronization. **AppVPublishing/Sync/PublishXML** -Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.
-Supported operations are Get, Delete, and Execute.
- +Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol,, see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8). +Supported operations are Get, Delete, and Execute. **AppVDynamicPolicy** -Used to set App-V Policy Configuration documents for publishing packages.
+Used to set App-V Policy Configuration documents for publishing packages. **AppVDynamicPolicy/*ConfigurationId*** -ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
+ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document). **AppVDynamicPolicy/*ConfigurationId*/Policy** -XML for App-V Policy Configuration documents for publishing packages.
-Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file +XML for App-V Policy Configuration documents for publishing packages. + +Value type is xml. + +Supported operations are Add, Get, Delete, and Replace. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file From a0dd5a10150255386f54bef6426384a5cdbaf700 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 5 Apr 2022 11:28:27 +0530 Subject: [PATCH 21/94] Updated --- windows/client-management/mdm/cleanpc-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index c6c0b2d293..da1893f548 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|No| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| From d8990de6225d57cf02da73a02eb860e66bd93236 Mon Sep 17 00:00:00 2001 From: Shesh <56231259+sheshachary@users.noreply.github.com> Date: Tue, 5 Apr 2022 12:48:21 +0530 Subject: [PATCH 22/94] Updated Go's review comments --- windows/client-management/mdm/reboot-csp.md | 2 +- windows/client-management/mdm/remotefind-csp.md | 2 +- windows/client-management/mdm/remotering-csp.md | 2 +- windows/client-management/mdm/secureassessment-csp.md | 2 +- windows/client-management/mdm/sharedpc-csp.md | 2 +- windows/client-management/mdm/tenantlockdown-csp.md | 2 +- windows/client-management/mdm/wirednetwork-csp.md | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 21fc8c735e..7403425b15 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md 
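Review bot: the `+` line for `AppVPublishing/Sync/PublishXML` in the @@ -137,22 +182,30 hunk introduces a double comma: "For more information about the protocol,, see [[MS-VAPR]..."; drop one. The same node is listed with "Supported operations are Get, Delete, and Execute" and takes a publishing document, and `AppVDynamicPolicy/*ConfigurationId*/Policy` below it accepts policy XML with Add and Replace; a one-line statement of whether this XML can arrive only over the MDM channel would help readers judge who can push App-V policy to a device. The new `## Related topics` section is fine.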
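Review bot: the cleanpc-csp.md hunk in PATCH 21/94 flips `|Pro|Yes|Yes|` to `|Pro|No|No|` while leaving `|Business|Yes|Yes|` and the Enterprise and Education rows at Yes, and the commit message ("Updated") gives no source. A CSP that works on Business but not on Pro would be unusual, since the Business rows in every other table in this series track the Pro rows; please cite where this applicability comes from (the CSP's DDF or the product team's support matrix) in the commit message, or revert.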
@@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|Yes|Yes| +|Home|No|No| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index 48c57e933e..d1715b8822 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|Yes|Yes| +|Home|No|No| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 7c55f11195..8441794a46 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|Yes|Yes| +|Home|No|No| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 42a02b59b5..8ddc3b29b3 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|Yes|Yes| +|Home|No|No| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index b4362ef4e2..c17aa05789 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md 
@@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|Yes|Yes| +|Home|No|No| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index ffb4e8ecb7..a7d9e82f5e 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -17,7 +17,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|Yes|Yes| +|Home|No|No| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index 2f53b40641..16d1dc796c 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -17,7 +17,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|Yes|Yes| +|Home|No|No| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| From 8404bea5b5a3aa331533065cde0f1af2cb0b7dc3 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Wed, 27 Apr 2022 08:55:03 +0530 Subject: [PATCH 23/94] Updated as per feedback --- .../mdm/enterpriseapn-csp.md | 3 -- .../mdm/enterprisedataprotection-csp.md | 1 - .../mdm/enterprisemodernappmanagement-csp.md | 32 +++++++++---------- 3 files changed, 16 insertions(+), 20 deletions(-) diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index b279b0bc1e..dc55d93252 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md 
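Review bot: all seven hunks in PATCH 22/94 (reboot, remotefind, remotering, secureassessment, sharedpc, tenantlockdown, wirednetwork) change `|Home|Yes|Yes|` to `|Home|No|No|` with only "Updated Go's review comments" as rationale; an edition-support statement that customers act on needs a citation. Add the source to the PR description once for the whole set, and check each of these pages for a "supported in ... Home" sentence in the body that would now contradict the table; the EnterpriseAPN page in the next patch shows that such notes exist.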
@@ -26,9 +26,6 @@ The table below shows the applicability of Windows: The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet. -> [!Note] -> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10/Windows 11 Home, Pro, Enterprise, and Education editions. - The following shows the EnterpriseAPN configuration service provider in tree format. ``` ./Vendor/MSFT diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 9511b9cea7..bf814151be 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -28,7 +28,6 @@ The EnterpriseDataProtection configuration service provider (CSP) is used to con > [!Note] > To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). -> This CSP was added in Windows 10, version 1607. While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 99a765d265..5a66e60461 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md 
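Review bot: deleting the Note in the enterpriseapn-csp.md @@ -26,9 +26,6 hunk and the "This CSP was added in Windows 10, version 1607" line in the enterprisedataprotection-csp.md @@ -28,7 +28,6 hunk loses the minimum OS version for both CSPs; the applicability table referenced in the context ("The table below shows the applicability of Windows") lists editions, not versions, so nothing on either page carries this information afterwards. Keep the version in a sentence such as "This CSP is available from Windows 10, version 1703." even if the edition list moves into the table. The EnterpriseAPN note also asserted Home support, the very fact the previous patch changes on other pages; check that this page's table agrees with whatever the source says.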
@@ -119,20 +119,20 @@ Added in Windows 10, version 1511. Required. Specifies the query for app invento Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: - - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. - - PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. - - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. + - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. + - PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. + - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. - Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: - - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. 
- - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. - - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. + - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. + - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. + - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. - PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: - - Main - returns the main installed package. - - Bundle - returns installed bundle packages. - - Framework - returns installed framework packages. - - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. - - XAP - returns XAP package types. This filter is only supported on Windows Mobile. - - All - returns all package types. + - Main - returns the main installed package. + - Bundle - returns installed bundle packages. + - Framework - returns installed framework packages. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. + - XAP - returns XAP package types. This filter is only supported on Windows Mobile. + - All - returns all package types. If no value is specified, the combination of Main, Bundle, and Framework are returned. - PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. If you don't specify this value, then all packages are returned. 
- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. If you don't specify this value, then all publishers are returned. @@ -159,10 +159,10 @@ Added in Windows 10, version 1703. Used to remove packages. Not supported for ./ Parameters: - Package - - Name: Specifies the PackageFullName of the particular package to remove. - - RemoveForAllUsers: - - 0 (default) – Package will be unprovisioned so that new users don't receive the package. The package will remain installed for current users. This isn't currently supported. - - 1 – Package will be removed for all users only if it's a provisioned package. + - Name: Specifies the PackageFullName of the particular package to remove. + - RemoveForAllUsers: + - 0 (default) – Package will be unprovisioned so that new users don't receive the package. The package will remain installed for current users. This isn't currently supported. + - 1 – Package will be removed for all users only if it's a provisioned package. - User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed. Supported operation is Execute. From cc19e6f6f8e9ae9e02425adaf27ea48f6159b072 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Wed, 27 Apr 2022 10:43:40 +0530 Subject: [PATCH 24/94] Updated as per feedback --- ...onfiguration-service-provider-reference.md | 12 - .../mdm/enterpriseappmanagement-csp.md | 518 ------------------ .../client-management/mdm/messaging-csp.md | 116 ---- .../client-management/mdm/messaging-ddf.md | 182 ------ windows/client-management/mdm/toc.yml | 7 - 5 files changed, 835 deletions(-) delete mode 100644 windows/client-management/mdm/enterpriseappmanagement-csp.md delete mode 100644 windows/client-management/mdm/messaging-csp.md delete mode 100644 windows/client-management/mdm/messaging-ddf.md 
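Review bot: the two enterprisemodernappmanagement-csp.md hunks (@@ -119,20 +119,20 and @@ -159,10 +159,10) change only the indentation of nested bullets from three spaces to two; both forms render as nested lists under a `-` parent, so this is whitespace churn that should be named as such in the commit message or dropped. If the lines are being touched anyway, fix the context line "Multiple value must be separate by |" to "Multiple values must be separated by |" and resolve the `RemoveForAllUsers` entry, which documents `0 (default)` and then says "This isn't currently supported": a default that is unsupported needs either a different default or an explanation of what happens when the parameter is omitted.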
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 56bcf98029..3280ad50df 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -544,18 +544,6 @@ Additional lists: - -[Messaging CSP](messaging-csp.md) - - - -|Home|Pro|Business|Enterprise|Education| -|--- |--- |--- |--- |--- | -|No|No|No|No|No| - - - - [MultiSIM CSP](multisim-csp.md) diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md deleted file mode 100644 index 6893031aed..0000000000 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ /dev/null 
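Review bot: the @@ -544,18 +544,6 hunk removes only the Messaging CSP block from configuration-service-provider-reference.md (the 12 removed lines in the stat are exactly that block), yet the same patch deletes enterpriseappmanagement-csp.md too; if the reference page has an EnterpriseAppManagement CSP entry, that link now dangles. Check for it, and check that the 7 lines removed from toc.yml cover both the Messaging and the EnterpriseAppManagement entries.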
@@ -1,518 +0,0 @@ ---- -title: EnterpriseAppManagement CSP -description: Learn how to handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP). -ms.assetid: 698b8bf4-652e-474b-97e4-381031357623 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: dansimp -ms.date: 06/26/2017 ---- - -# EnterpriseAppManagement CSP - -The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment. - -> [!NOTE] -> The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core. - -The following shows the EnterpriseAppManagement configuration service provider in tree format. - -```console -./Vendor/MSFT -EnterpriseAppManagement -----EnterpriseID ---------EnrollmentToken ---------StoreProductID ---------StoreUri ---------CertificateSearchCriteria ---------Status ---------CRLCheck ---------EnterpriseApps -------------Inventory -----------------ProductID ---------------------Version ---------------------Title ---------------------Publisher ---------------------InstallDate -------------Download -----------------ProductID ---------------------Version ---------------------Name ---------------------URL ---------------------Status ---------------------LastError ---------------------LastErrorDesc ---------------------DownloadInstall -``` - -***EnterpriseID*** -Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications. - -Supported operations are Add, Delete, and Get. - -***EnterpriseID*/EnrollmentToken** -Required. 
Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -***EnterpriseID*/StoreProductID** -Required. The node to host the ProductId node. Scope is dynamic. - -Supported operation is Get. - -**/StoreProductID/ProductId** -The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic. - -Supported operations are Get and Add. - -***EnterpriseID*/StoreUri** -Optional. The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic. - -Supported operations are Get and Add. - -***EnterpriseID*/CertificateSearchCriteria** -Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea) function. This search parameter is case sensitive. Scope is dynamic. - -Supported operations are Get and Add. - -> [!NOTE] -> Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. 
The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00 - -***EnterpriseID*/Status** -Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic. - -Supported operation is Get. - -***EnterpriseID*/CRLCheck** -Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -***EnterpriseID*/EnterpriseApps** -Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider). - -Supported operation is Get. - -**/EnterpriseApps/Inventory** -Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider). - -Supported operation is Get. - -**/Inventory/***ProductID* -Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic. - -Supported operation is Get. - -**/Inventory/*ProductID*/Version** -Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic. - -Supported operation is Get. - -**/Inventory/*ProductID*/Title** -Required. The character string that contains the name of the installed enterprise application. Scope is dynamic. - -Supported operation is Get. - -**/Inventory/*ProductID*/Publisher** -Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic. 
- -Supported operation is Get. - -**/Inventory/*ProductID*/InstallDate** -Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic. - -Supported operation is Get. - -**/EnterpriseApps/Download** -Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic. - -Supported operation is Get. - -**/Download/***ProductID* -Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -**/Download/*ProductID*/Version** -Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -**/Download/*ProductID*/Name** -Required. The character string that contains the name of the installed application. Scope is dynamic. - -Supported operation is Get. - -**/Download/*ProductID*/URL** -Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -**/Download/*ProductID*/Status** -Required. The integer value that indicates the status of the current download process. The following table shows the possible values. 
- -|Value|Description| -|--- |--- | -|0: CONFIRM|Waiting for confirmation from user.| -|1: QUEUED|Waiting for download to start.| -|2: DOWNLOADING|In the process of downloading.| -|3: DOWNLOADED|Waiting for installation to start.| -|4: INSTALLING|Handed off for installation.| -|5: INSTALLED|Successfully installed| -|6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)| -|7: DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.| - -Scope is dynamic. Supported operations are Get, Add, and Replace. - -**/Download/*ProductID*/LastError** -Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic. - -Supported operation is Get. - -**/Download/*ProductID*/LastErrorDesc** -Required. The character string that contains the human readable description of the last error code. - -**/Download/*ProductID*/DownloadInstall** -Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic. - -Supported operation is Exec. - -## Remarks - -### Install and Update Line of Business (LOB) applications - -A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications supports various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. - -### Uninstall Line of Business (LOB) applications - -A workplace can also remotely uninstall Line of Business applications on the device. 
It isn't possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section - -### Query installed Store application - -You can determine if a Store application is installed on a system. First, you need the Store application GUID. You can get the Store application GUID by going to the URL for the Store application. - -The Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e. - -Use the following SyncML format to query to see if the application is installed on a managed device: - -```xml -The root node for the Surface Hub configuration service provider. +The root node for the Surface Hub configuration service provider. **DeviceAccount** -
Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. +Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. -
To use a device account from Azure Active Directory +To use a device account from Azure Active Directory 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. @@ -89,7 +91,7 @@ SurfaceHub > If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. -
Here's a SyncML example.
+Here's a SyncML example.
```xml
To use a device account from Active Directory +To use a device account from Active Directory: 1. Set the DomainName. 2. Set the UserName. @@ -147,64 +149,85 @@ SurfaceHub 4. Execute the ValidateAndCommit node. **DeviceAccount/DomainName** -
Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. -
The data type is string. Supported operation is Get and Replace. +Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/UserName** -
Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. -
The data type is string. Supported operation is Get and Replace. +Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/UserPrincipalName** -
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. -
The data type is string. Supported operation is Get and Replace. +User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/SipAddress** -
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. -
The data type is string. Supported operation is Get and Replace. +Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/Password** -
Password for the device account. -
The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. +Password for the device account. + +- The data type is string. +- Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. **DeviceAccount/ValidateAndCommit** -
This method validates the data provided and then commits the changes. -
The data type is string. Supported operation is Execute. +This method validates the data provided and then commits the changes. + +- The data type is string. +- Supported operation is Execute. **DeviceAccount/Email** -
Email address of the device account. -
The data type is string. +Email address of the device account. The data type is string. -**DeviceAccount/PasswordRotationEnabled** -
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). +**DeviceAccount/ +PasswordRotationEnabled** -
Valid values: +Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). + +Valid values: - 0 - password rotation enabled - 1 - disabled -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **DeviceAccount/ExchangeServer** -
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. -
The data type is string. Supported operation is Get and Replace. +Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/ExchangeModernAuthEnabled** -
Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. -
The data type is boolean. Supported operation is Get and Replace. +Added in KB4598291 for Windows 10, version 20H2. Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. + +- The data type is boolean. +- Supported operation is Get and Replace. **DeviceAccount/CalendarSyncEnabled** -
Specifies whether calendar sync and other Exchange server services is enabled. -
The data type is boolean. Supported operation is Get and Replace.
+Specifies, whether calendar sync and other Exchange server services is enabled.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**DeviceAccount/ErrorContext**
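Review bot: in the `@@ -147,64 +149,85 @@` hunk the node heading for password rotation is split across two added lines (`+**DeviceAccount/` followed by `+PasswordRotationEnabled**`), so the rendered heading will contain a line break or space inside the node path; put `**DeviceAccount/PasswordRotationEnabled**` back on one line, as every other node heading in this file is. The same hunk introduces a stray comma in `Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication` and in `Specifies, whether calendar sync and other Exchange server services is enabled.`; drop the comma in both. The added `It performs the following:` line before the data type and supported operation bullets under PasswordRotationEnabled describes no action and should be removed; the two bullets stand on their own, exactly as they do for DomainName, UserName and the other nodes restructured in this hunk.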
@@ -213,95 +236,124 @@ If there's an error calling ValidateAndCommit, there's another context for that
| ErrorContext value | Stage where error occurred | Description and suggestions |
| --- | --- | --- |
| 1 | Unknown | |
-| 2 | Populating account | Unable to retrieve account details using the username and password you provided.
-For Azure AD accounts, ensure that UserPrincipalName and Password are valid.
-For AD accounts, ensure that DomainName, UserName, and Password are valid.
-Ensure that the specified account has an Exchange server mailbox. |
+| 2 | Populating account | Unable to retrieve account details using the username and password you provided.
For Azure AD accounts, ensure that UserPrincipalName and Password are valid.
For AD accounts, ensure that DomainName, UserName, and Password are valid.
Ensure that the specified account has an Exchange server mailbox. |
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
-| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure that the ExchangeServer field is valid. |
+| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. |
| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. |
-The data type is integer. Supported operation is Get.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get.
**MaintenanceHoursSimple/Hours**
-
-
Node for maintenance schedule. +Node for maintenance schedule. **MaintenanceHoursSimple/Hours/StartTime** -
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. -
The data type is integer. Supported operation is Get and Replace. +Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. + +- The data type is integer. +- Supported operation is Get and Replace. **MaintenanceHoursSimple/Hours/Duration** -
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. -
The data type is integer. Supported operation is Get and Replace. +Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. + +- The data type is integer. +- Supported operation is Get and Replace. **InBoxApps** -
Node for the in-box app settings. + +Node for the in-box app settings. **InBoxApps/SkypeForBusiness** -
Added in Windows 10, version 1703. Node for the Skype for Business settings. + +Added in Windows 10, version 1703. Node for the Skype for Business settings. **InBoxApps/SkypeForBusiness/DomainName** -
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online. -
The data type is string. Supported operation is Get and Replace. +Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online. + +- The data type is string. +- Supported operation is Get and Replace. **InBoxApps/Welcome** -
Node for the welcome screen. +Node for the welcome screen. **InBoxApps/Welcome/AutoWakeScreen** -
Automatically turn on the screen using motion sensors. -
The data type is boolean. Supported operation is Get and Replace. +Automatically turn on the screen using motion sensors. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -
Download location for image to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub, otherwise it may not be able to load the image. -
The data type is string. Supported operation is Get and Replace. +Download location for image, to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub. Otherwise, it may not be able to load the image. + +- The data type is string. +- Supported operation is Get and Replace. **InBoxApps/Welcome/MeetingInfoOption** -
Meeting information displayed on the welcome screen. -
Valid values: +Meeting information displayed on the welcome screen. + +Valid values: - 0 - Organizer and time only - 1 - Organizer, time, and subject. Subject is hidden in private meetings. -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **InBoxApps/Whiteboard** -
Node for the Whiteboard app settings. + +Node for the Whiteboard app settings. **InBoxApps/Whiteboard/SharingDisabled** -
Invitations to collaborate from the Whiteboard app aren't allowed. -
The data type is boolean. Supported operation is Get and Replace. +Invitations to collaborate from the Whiteboard app aren't allowed. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/Whiteboard/SigninDisabled** -
Sign-ins from the Whiteboard app aren't allowed. -
The data type is boolean. Supported operation is Get and Replace. +Sign-in from the Whiteboard app aren't allowed. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/Whiteboard/TelemeteryDisabled** -
Telemetry collection from the Whiteboard app isn't allowed. -
The data type is boolean. Supported operation is Get and Replace. +Telemetry collection from the Whiteboard app isn't allowed. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/WirelessProjection** -
Node for the wireless projector app settings. + +Node for the wireless projector app settings. **InBoxApps/WirelessProjection/PINRequired** -
Users must enter a PIN to wirelessly project to the device. -
The data type is boolean. Supported operation is Get and Replace. +Users must enter a PIN to wireless project to the device. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/WirelessProjection/Enabled** -
Enables wireless projection to the device. -
The data type is boolean. Supported operation is Get and Replace. +Enables wireless projection to the device. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/WirelessProjection/Channel** -
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. + +Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. |Compatibility|Values| |--- |--- | @@ -309,43 +361,54 @@ The data type is integer. Supported operation is Get. |Works with all 5ghz band Miracast senders in all regions|36, 40, 44, 48| |Works with all 5ghz band Miracast senders in all regions except Japan|149, 153, 157, 161, 165| +The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for). -
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). - -
The data type is integer. Supported operation is Get and Replace. +- The data type is integer. +- Supported operation is Get and Replace. **InBoxApps/Connect** -
Added in Windows 10, version 1703. Node for the Connect app. + +Added in Windows 10, version 1703. Node for the Connect app. **InBoxApps/Connect/AutoLaunch** -
Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated. -
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. +Added in Windows 10, version 1703. Specifies, whether to automatically launch the Connect app whenever a projection is initiated. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties** -
Node for the device properties. + +Node for the device properties. **Properties/FriendlyName** -
Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. -
The data type is string. Supported operation is Get and Replace. +Friendly name of the device. Specifies the name that users see when they want wireless project to the device. + +- The data type is string. +- Supported operation is Get and Replace. **Properties/DefaultVolume** -
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. -
The data type is integer. Supported operation is Get and Replace. +Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. + +- The data type is integer. +- Supported operation is Get and Replace. **Properties/DefaultAutomaticFraming** -
Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True. -
The data type is boolean. Supported operation is Get and Replace. +Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties/ScreenTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. -
The following table shows the permitted values. +Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. + +The following table shows the permitted values. |Value|Description| |--- |--- | @@ -361,12 +424,15 @@ The data type is integer. Supported operation is Get. |120|2 hours| |240|4 hours| -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **Properties/SessionTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. -
The following table shows the permitted values. +Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. + +The following table shows the permitted values. |Value|Description| |--- |--- | @@ -382,12 +448,15 @@ The data type is integer. Supported operation is Get. |120|2 hours| |240|4 hours| -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **Properties/SleepTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. -
The following table shows the permitted values. +Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. + +The following table shows the permitted values. |Value|Description| |--- |--- | @@ -403,61 +472,79 @@ The data type is integer. Supported operation is Get. |120|2 hours| |240|4 hours| -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **Properties/SleepMode** -
Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. -
Valid values: +Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. + +Valid values: - 0 - Connected Standby (default) - 1 - Hibernate -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **Properties/AllowSessionResume** -
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. -
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. +Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties/AllowAutoProxyAuth** -
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication. -
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. +Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties/ProxyServers** -
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://). -
The data type is string. Supported operation is Get and Replace. +Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://). + +- The data type is string. +- Supported operation is Get and Replace. **Properties/DisableSigninSuggestions** -
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. -
If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate. +Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties/DoNotShowMyMeetingsAndFiles** -
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. -
If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown. +Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown. + +- The data type is boolean. +- Supported operation is Get and Replace. **MOMAgent** -
Node for the Microsoft Operations Management Suite. + +Node for the Microsoft Operations Management Suite. **MOMAgent/WorkspaceID** -
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent. -
The data type is string. Supported operation is Get and Replace. +GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent. -**MOMAgent/WorkspaceKey** -
Primary key for authenticating with the workspace. +- The data type is string. +- Supported operation is Get and Replace. -
The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
+**MOMAgent/WorkspaceKey**
+Primary key for authenticating with the workspace.
+- The data type is string.
+- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
\ No newline at end of file
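Review bot: the `@@ -213,95 +236,124 @@` hunk introduces two grammar regressions: `Sign-in from the Whiteboard app aren't allowed.` no longer agrees in number (the removed line read `Sign-ins from the Whiteboard app aren't allowed.`), and `Users must enter a PIN to wireless project to the device.` loses the adverb (the removed line read `to wirelessly project`). `Download location for image, to be used as the background` also gains a stray comma. The `It performs the following:` line added before the ErrorContext and MeetingInfoOption bullets should be dropped: the bullets state a data type and a supported operation, not something the node performs, and the surrounding nodes in this hunk use the bare bullet list.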
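Review bot: in `@@ -309,43 +361,54 @@`, `Specifies, whether to automatically launch the Connect app whenever a projection is initiated.` has a stray comma, and `Specifies the name that users see when they want wireless project to the device.` drops the verb; restore `when they want to wirelessly project to the device`. Moving the Channel paragraph (`The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel`) above the data type bullets is fine, but make sure it stays directly under the channel table so the regulatory caveat remains next to the values it qualifies.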
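Review bot: the `@@ -403,61 +472,79 @@` hunk adds `It performs the following:` before the SleepMode bullets, which should be dropped for consistency with the other boolean and string nodes in the same hunk that list `- The data type is …` and `- Supported operation is …` with no lead-in. The hunk also removes the `**MOMAgent/WorkspaceKey**` heading in one place and re-adds it at the end without a blank line between `Primary key for authenticating with the workspace.` and the `- The data type is string.` bullet, and the file now ends with `\ No newline at end of file`; add the blank line before the list and a trailing newline so the last section renders like the others.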
From 9a18d36e03e4d5a773c464e76e3500aaab0ba455 Mon Sep 17 00:00:00 2001
From: Shesh <56231259+sheshachary@users.noreply.github.com>
Date: Wed, 11 May 2022 12:46:06 +0530
Subject: [PATCH 61/94] updated the article
---
windows/client-management/mdm/surfacehub-csp.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index fb6b59b7f6..ad3163d5f1 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -544,6 +544,7 @@ GUID identifying the Microsoft Operations Management Suite workspace ID to colle
- Supported operation is Get and Replace.
**MOMAgent/WorkspaceKey**
+
Primary key for authenticating with the workspace.
- The data type is string.
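Review bot: the blank line added after `**MOMAgent/WorkspaceKey**` is the right fix, since without it the bold heading and `Primary key for authenticating with the workspace.` run together as one paragraph; the same problem remains between that sentence and the `- The data type is string.` bullet that follows it in the trailing context, so add a blank line there too, which is also what markdownlint's blanks-around-lists rule expects and what the other nodes in this file do.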
From ccc992e867302d4701bf07cc65bd7b36fc5d55e0 Mon Sep 17 00:00:00 2001
From: Shesh <56231259+sheshachary@users.noreply.github.com>
Date: Wed, 11 May 2022 12:50:00 +0530
Subject: [PATCH 62/94] updated the formatting
---
windows/client-management/mdm/surfacehub-csp.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index ad3163d5f1..301db5eab6 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -233,7 +233,7 @@ Specifies, whether calendar sync and other Exchange server services is enabled.
If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values:
-| ErrorContext value | Stage where error occurred | Description and suggestions |
+| **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
| --- | --- | --- |
| 1 | Unknown | |
| 2 | Populating account | Unable to retrieve account details using the username and password you provided. **Important** ~C~No`Bs4JUV%YKf8oGgoLqz|`POQnp78p9W
z&3N;DjHK<-*xh>jsHyXM-O{*x$*J^v1u`9=`pX7H!c?uqe?H%_F20j|
For Azure AD accounts, ensure that UserPrincipalName and Password are valid.
For AD accounts, ensure that DomainName, UserName, and Password are valid.
Ensure that the specified account has an Exchange server mailbox. |
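Review bot: bolding the header cells of the ErrorContext table is harmless, but the row-2 context lines in this hunk show a real defect that the formatting pass should fix first: the cell text `Unable to retrieve account details using the username and password you provided. **Important** ~C~No`Bs4JUV%YKf8oGgoLqz|`POQnp78p9W` is followed by what looks like binary junk, and the cell then continues over three further lines (`For Azure AD accounts, ensure that…`, `For AD accounts, ensure that…`, `Ensure that the specified account has an Exchange server mailbox. |`). A markdown table row must be a single line, so those continuation lines will not render as part of the table; strip the garbage after `**Important**` and join the suggestions into one line (using `<br>` if line breaks are wanted inside the cell).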
@@ -355,7 +355,7 @@ Enables wireless projection to the device.
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
-|Compatibility|Values|
+|**Compatibility**|**Values**|
|--- |--- |
|Works with all Miracast senders in all regions|1, 3, 4, 5, 6, 7, 8, 9, 10, 11|
|Works with all 5ghz band Miracast senders in all regions|36, 40, 44, 48|
@@ -410,7 +410,7 @@ Added in Windows 10, version 1703. Specifies the number of minutes until the Hub
The following table shows the permitted values.
-|Value|Description|
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute|
@@ -434,7 +434,7 @@ Added in Windows 10, version 1703. Specifies the number of minutes until the ses
The following table shows the permitted values.
-|Value|Description|
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute (default)|
@@ -458,7 +458,7 @@ Added in Windows 10, version 1703. Specifies the number of minutes until the Hub
The following table shows the permitted values.
-|Value|Description|
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute|
From 928e3ca32ed44505836af33efa9449b5cda0ae28 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Wed, 11 May 2022 14:13:05 -0700
Subject: [PATCH 63/94] PR 6555 updates
Removed Enforce Store Applications rule-option, removed _0 from all IDs, replaced all instances of "ID_FILEATTRIB_F_2_1" with "ID_DENY_INSTALLUTIL"
---
.../microsoft-recommended-block-rules.md | 2605 ++++++++---------
1 file changed, 1301 insertions(+), 1304 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 8da7c9e40f..95d816d70d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -140,676 +140,673 @@ Select the correct version of each .dll for the Windows release you plan to supp
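Review bot: the body of this 676-line hunk is not shown here, so the ID changes described in the commit message (`_0` removed from all IDs, every `ID_FILEATTRIB_F_2_1` replaced with `ID_DENY_INSTALLUTIL`, the Enforce Store Applications rule option removed) cannot be checked line by line. Before merging, confirm that each rule definition and every reference to it were renamed together, because a reference to an ID that no longer exists leaves the policy XML unusable, and confirm that the rule-options list in the surrounding text no longer mentions Enforce Store Applications.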
From bf0939d2f08294bdcea5555fbce886efab4adac8 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Wed, 11 May 2022 17:04:57 -0700
Subject: [PATCH 65/94] Update delete-an-applocker-rule.md
---
.../applocker/delete-an-applocker-rule.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index 3f61052ad2..0add3ed41f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -80,6 +80,8 @@ C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml
This will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access.
+The following PowerShell commands must also be run to stop the AppLocker services and the effects of the former AppLocker policy.
+
```powershell
appidtel.exe stop [-mionly]
sc.exe config appid start=demand
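Review bot: the added sentence calls these `PowerShell commands`, but `appidtel.exe` and `sc.exe` are native executables that behave the same from cmd.exe, so say `run the following commands from an elevated prompt` instead. More importantly, the context line `sc.exe config appid start=demand` will not work as written: `sc.exe` requires a space after the equals sign in its option syntax (`sc.exe config appid start= demand`), and without it the command prints usage text and changes nothing. The `[-mionly]` in `appidtel.exe stop [-mionly]` should also be explained as an optional switch, since a reader copying the line literally will pass the brackets.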
From e0b87429b84b9ce3a7c0bbc041de3acb56af81a3 Mon Sep 17 00:00:00 2001
From: Benny Shilpa
> [!Important]
-> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types)).
+> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
**DeviceLock/AllowIdleReturnWithoutPassword**
From 0f05dab2d2d4536370d405ecdd44f2642ab84771 Mon Sep 17 00:00:00 2001
From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com>
Date: Thu, 12 May 2022 14:33:16 -0700
Subject: [PATCH 78/94] Update windows-11-se-overview.md
Arranged in Alphabetical order
---
education/windows/windows-11-se-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 5c9a2120d9..7ce8bd2724 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -43,7 +43,6 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|AirSecure |8.0.0 |Win32 |AIR|
|Brave Browser |1.34.80|Win32 |Brave|
|Bulb Digital Portfolio |0.0.7.0|Store|Bulb|
-|Secure Browser |14.0.0 |Win32 |Cambium Development|
|Cisco Umbrella |3.0.110.0 |Win32 |Cisco|
|CKAuthenticator |3.6 |Win32 |Content Keeper|
|Class Policy |114.0.0 |Win32 |Class Policy|
@@ -80,6 +79,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|Remote Help |3.8.0.12 |Win32 |Microsoft|
|Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus|
|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
+|Secure Browser |14.0.0 |Win32 |Cambium Development|
|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
|SensoCloud test |2021.11.15.0 |Win32|Senso.Cloud|
|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
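Review bot: the moved row now sits directly above the second `Secure Browser` row (Questar, Inc), so the table shows two identical app names back to back; ordering the tie by the publisher column matches the "alphabetical order" intent of the commit, but consider distinguishing the two entries in the app-name column (for example by appending the publisher) so readers scanning the first column can tell them apart.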
From 30e136872038205e7c8c8d52b11222ab93a8b75e Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
- The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API.
-- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
-- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data.
+- **URL location**, for example: `https://www.emieposturl.com/api/records` or `https://localhost:13000`. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.
+
+ > [!Important]
+ > The `https://www.emieposturl.com/api/records` example will only work if you've downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) article. If you don't have the sample, you won't have the web API.
+
+- **Local network location**, for example: `https://emieposturl/`. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
+
+- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won't collect any logging data.
For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md).
-
-
-
-
-
-
-
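Review bot: the rewritten `Empty string` item still carries a semicolon where the clause needs a comma (`If you leave the **Value data** box blank; your employees will be able to...`); since the line is being touched anyway, change it to a comma. The indented `> [!Important]` block under the first bullet is valid Markdown, but the sample URL `https://www.emieposturl.com/api/records` now appears both in the bullet and in the note that says it only works with the sample; keeping it in the note alone and leaving `https://localhost:13000` as the bullet's example would avoid the repetition.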
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
index 27e231694f..17fad3f1dd 100644
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@@ -34,8 +34,6 @@ landingContent:
url: /lifecycle/faq/internet-explorer-microsoft-edge
- linkListType: download
links:
- - text: Download IE11 with Windows 10
- url: https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise
- text: Enterprise Mode Site List Manager (schema, v.2)
url: https://www.microsoft.com/download/details.aspx?id=49974
- text: Cumulative security updates for Internet Explorer 11
diff --git a/windows/deployment/images/download_vhd.png b/windows/deployment/images/download_vhd.png
deleted file mode 100644
index 248a512040210ce7bd95cd5f4a6ca69233f76d4a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 10737
zcmch7cQ{;M+wKq(okS1Of?&u*kKQFnbVD$DL~p~W(MzI)s7dtbW*A)ziBWZ(vc@^%(02pwdg%4b^KMA51%%6e@i6OijO
z;w0EC!*l%ehIXO*8h8e3k?@$ew^~D=s+qhRG->-}EsHIOgV8Zw1>x54<5u#Xnu52)
z2W6pH7w0j);a5oI>(scG7pz5>u|JUms`?HZ#=whkJ0KdLRGIKqkIlh;AICZV^UgE<
z_5|OTulc-rn_F)M_{PP~$j^z(b9~6!!Rk9kl@Tbyl{~1YfU{l{l2rbt<|9-vh;>lm
zjYXvQOELChIq-H>RFF9`Y$%nPImGiCM9w$k#6+oJfT0;PP5x}+^Y(V@$9Uc9Mak>k
z0X9pOKN3G9tP)elCQgY~eCtjs3{9w{?+wrt6}ftN1sNaoheM=z`AdHVm~^S(B42ro
zO8Xl+#`Y$f99?n58lZx^L-9dqO?0NOSFR48;y&;I=>0yVEU@eqY*yo;0c!ALw2(Tw
zQ$`)VeaGJ#eV!n4ak)WK2wk}S?=BGhi%P^IpU|Y<6`t0<_UY!+1X#CS?XEDEF`>Js
zUcgkCiEX$LTKm*Z{(t8WusXVJf4l7R==ar$>)eUN!w47V8wuUuz8(`W!}_SH(!NcS
zsp1tgG-$;!e>3ZgT`gseLB>Yd`99`sZ|)+FaUF9phUs2>Z0rq-19ZL+WJ<7%rLKSq
zjE0>J=WApHcs3VmLsMIB-rkM>+p7_{k7?LQF6@2xK6A&->ZhBjZu0oEjmb+YzO&w|
zQ%~8e_?rW1ldfU=Ww}aB3Dho8f|HA3Cp;3Xo>!O2a#y9J(XsMj@XM#dQiar|(6Cd}
zupx2Nl^N$xw#9)fiQRTQ)0)^4QdC-g_Ks>|m6e8Y)I
z_Vxj&Jy3c;!rvD3;$hH|F?J+ZkGPoT;8)7{00~lVAzD`z!m9q^p)NPZ!oUQXDwE{H|LJcGchN
zlVMLi*un?E!|>QgSeuD=dz+Q`P{*Gk
-- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
-The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance.
+The proof of concept (PoC) deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment. Don't use the instructions in this guide in a production setting. They aren't meant to replace the instructions found in production deployment guidance.
-Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software.
+Approximately 3 hours are required to configure the PoC environment. You'll need a Hyper-V capable computer running Windows 8.1 or later with at least 16 GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below.
-Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment.
+Windows PowerShell commands are provided to set up the PoC environment quickly. You don't need to be an expert in Windows PowerShell to complete the steps in the guide, however you'll need to customize some commands to your environment.
> [!TIP]
> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands.
->
-> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell.
+>
+> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with `cmd /c`. You can also escape special characters in the command using the back-tick character (\`). In most cases, the simplest action is to type `cmd` and enter a command prompt, type the necessary commands, then type `exit` to return to Windows PowerShell.
-Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting.
+Hyper-V is installed, configured and used extensively in this guide. If you aren't familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting.
## In this guide
-This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings.
+This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, modify your virtual switch settings to match the settings used in this guide. Alternatively, you can modify the steps in this guide to use your existing Hyper-V settings.
-After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
+After completing the instructions in this guide, you'll have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+The procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-
-|Topic|Description|Time|
+|Procedure|Description|Time|
|--- |--- |--- |
|[Hardware and software requirements](#hardware-and-software-requirements)|Prerequisites to complete this guide.|Informational|
|[Lab setup](#lab-setup)|A description and diagram of the PoC environment.|Informational|
-|[Configure the PoC environment](#configure-the-poc-environment)|Parent topic for procedures.|Informational|
+|[Configure the PoC environment](#configure-the-poc-environment)|Parent section for procedures.|Informational|
|[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)|Verify that installation of Hyper-V is supported, and install the Hyper-V server role.|10 minutes|
|[Download VHD and ISO files](#download-vhd-and-iso-files)|Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.|30 minutes|
|[Convert PC to VM](#convert-pc-to-vm)|Convert a physical computer on your network to a VM hosted in Hyper-V.|30 minutes|
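Review bot: the rewritten opening sentence mixes persons: `for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment` should read `and who want to set up a PoC environment`. Separately, dropping the sentence about needing a Microsoft account for evaluation downloads is consistent with the Evaluation Center notes added later in this change, but the unchanged paragraph `Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools` is no longer accurate once the direct Evaluation Center links are removed from the download section; reword it to match.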
@@ -75,31 +68,23 @@ Topics and procedures in this guide are summarized in the following table. An es
One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
-- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
-- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2.
+- **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
+- **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2.
Hardware requirements are displayed below:
-
-
-||Computer 1 (required)|Computer 2 (recommended)|
+| |Computer 1 (required)|Computer 2 (recommended)|
|--- |--- |--- |
|**Role**|Hyper-V host|Client computer|
-|**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.|
-|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016*|Windows 7 or a later|
+|**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 8.1 client on your network that will be converted to a VM to demonstrate the upgrade process.|
+|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016|Windows 8.1 or a later|
|**Edition**|Enterprise, Professional, or Education|Any|
-|**Architecture**|64-bit|Any
*Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.*|
-|**RAM**|8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any|
-|**Disk**|200 GB available hard disk space, any format.|Any size, MBR formatted.|
+|**Architecture**|64-bit|Any
Retaining applications and settings requires that architecture (32-bit or 64-bit) is the same before and after the upgrade.|
+|**RAM**|8-GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16-GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any|
+|**Disk**|200-GB available hard disk space, any format.|Any size, MBR formatted.|
|**CPU**|SLAT-Capable CPU|Any|
|**Network**|Internet connection|Any|
-\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
-
-The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
-
-
-
## Lab setup
The lab architecture is summarized in the following diagram:
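Review bot: the Computer 2 OS cell now reads `Windows 8.1 or a later`, a leftover from the old `Windows 7 or a later`; it should be `Windows 8.1 or later`. More importantly, raising Computer 2 to Windows 8.1 conflicts with the rest of this file, which still has the reader download an `IE11 on Win7` evaluation VM and keeps the Windows 7 generation 1 VM guidance, so either keep Windows 7 here or update those sections in the same change. Also, `8-GB RAM` and `16-GB RAM` introduce hyphenated units while `16 GB recommended` on the same line and `16 GB` elsewhere in the file do not; use `8 GB RAM` throughout. The Architecture and RAM cells still contain bare line breaks (`Any` followed by `Retaining applications and settings...`), which is not valid table syntax; use `<br>` inside the cell or move the note below the table.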
@@ -107,13 +92,13 @@ The lab architecture is summarized in the following diagram:

- Computer 1 is configured to host four VMs on a private, PoC network.
- - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
- - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
+ - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
+ - Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
> [!NOTE]
> If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide.
-The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts.
+The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if necessary. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that isn't directly connected to the network. This action mitigates the risk of clients on the network receiving DHCP leases from the PoC network. In other words, a "rogue" DHCP server. It also limits NETBIOS service broadcasts.
## Configure the PoC environment
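Review bot: `In other words, a "rogue" DHCP server.` is a sentence fragment introduced by the rewrite; fold it back into the preceding sentence, for example `This mitigates the risk of clients on the network receiving DHCP leases from the PoC network (a "rogue" DHCP server), and limits NETBIOS service broadcasts.` The rationale itself is the security point of this section and should stay prominent: keeping AD DS and DHCP on the server that is not connected to the production network is what prevents PoC leases from reaching real clients.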
@@ -122,16 +107,16 @@ The lab architecture is summarized in the following diagram:
### Procedures in this section
-[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
-[Download VHD and ISO files](#download-vhd-and-iso-files)
-[Convert PC to VM](#convert-pc-to-vm)
-[Resize VHD](#resize-vhd)
-[Configure Hyper-V](#configure-hyper-v)
-[Configure VMs](#configure-vms)
+- [Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
+- [Download VHD and ISO files](#download-vhd-and-iso-files)
+- [Convert PC to VM](#convert-pc-to-vm)
+- [Resize VHD](#resize-vhd)
+- [Configure Hyper-V](#configure-hyper-v)
+- [Configure VMs](#configure-vms)
### Verify support and install Hyper-V
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
@@ -147,7 +132,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
In this example, the computer supports SLAT and Hyper-V.
- If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+ If one or more requirements are evaluated as **No**, then the computer doesn't support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
@@ -169,19 +154,19 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
> [!NOTE]
> A 64-bit operating system is required to run Hyper-V.
-2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
+2. The Hyper-V feature isn't installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
```
- This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
+ This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an extra command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
```powershell
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
```
- When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
+ When you're prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
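Review bot: in `This command will also install Hyper-V if it isn't already installed`, `This command` now reads as a reference back to `Enable-WindowsOptionalFeature`, but it is `Install-WindowsFeature -Name Hyper-V -IncludeManagementTools` (shown after the sentence) that installs the role together with the module and console; change it to `The following command also installs Hyper-V if it isn't already installed, so on Windows Server 2012 or 2016 you can type it instead of Enable-WindowsOptionalFeature:` and drop `if desired you can just`.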
@@ -189,37 +174,41 @@ Starting with Windows 8, the host computer’s microprocessor must support secon

- If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
+ If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
### Download VHD and ISO files
-When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account.
+When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab.
-1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
+1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for **Windows Server** to the **C:\VHD** directory.
+
+ > [!NOTE]
+ > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
+ >
+ > The currently available downloads are Windows Server 2019 or Windows Server 2022. The rest of this article refers to "Windows Server 2012 R2" and similar variations.
> [!IMPORTANT]
> This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
- After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
-
- :::image type="content" alt-text="VHD" source="images/download_vhd.png":::
-
-2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
+2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. Do this action to make the filename simple to recognize and type.
3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
-4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
+4. Download the **Windows 10 Enterprise** ISO file to the **C:\VHD** directory on your Hyper-V host.
- During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired.
+ > [!NOTE]
+ > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
+
+ You can select the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version.
> [!NOTE]
- > The evaluation version of Windows 10 does not support in-place upgrade**.
+ > The evaluation version of Windows 10 doesn't support in-place upgrade**.
-5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
+5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. This step is so that the filename is simple to type and recognize.
- After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
+ After completing these steps, you'll have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
- The following displays the procedures described in this section, both before and after downloading files:
+ The following example displays the procedures described in this section, both before and after downloading files:
```console
C:>mkdir VHD
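Review bot: `doesn't support in-place upgrade**.` keeps an unpaired `**` at the end of the NOTE, which renders as literal asterisks; remove it. The same `> [!NOTE]` about the Evaluation Center being temporarily unavailable is added twice in this hunk (under step 1 and under step 4); one instance, or a short back-reference in step 4, is enough. `Do this action to make the filename simple to recognize and type` and `This step is so that the filename is simple to type and recognize` are awkward; `This makes the filename simple to recognize and type` reads better in both places. Removing the `download_vhd.png` image reference matches the binary deletion earlier in the patch.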
@@ -237,17 +226,17 @@ When you have completed installation of Hyper-V on the host computer, begin conf
### Convert PC to VM
> [!IMPORTANT]
-> Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
+> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
-If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
+If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.
+1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.
2. Under **Virtual machine**, choose **IE11 on Win7**.
-3. Under **Select platform** choose **HyperV (Windows)**.
-4. Click **Download .zip**. The download is 3.31 GB.
+3. Under **Select platform**, choose **HyperV (Windows)**.
+4. Select **Download .zip**. The download is 3.31 GB.
5. Extract the zip file. Three directories are created.
6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
-7. Rename **IE11 - Win7.vhd** to **w7.vhd** (do not rename the file to w7.vhdx).
+7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
If you have a PC available to convert to VM (computer 2):
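Review bot: the link `https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/` carries an `en-us` locale segment that no other link in this file has; since the line is already being touched (trailing whitespace), drop the locale. This section also still depends on the `IE11 on Win7` image, so it needs to square with the requirements table edit above that removes Windows 7 from Computer 2.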
@@ -255,7 +244,7 @@ If you have a PC available to convert to VM (computer 2):
1. Sign in on computer 2 using an account with Administrator privileges.
> [!IMPORTANT]
- > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
+ > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network.
2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
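Review bot: on the changed IMPORTANT line, replacing "disconnected from the corporate network" with "disconnected from the network" loses the point of the warning. The reason the account needs local administrator rights is that once the converted VM can no longer reach the corporate domain, a domain account only works if its credentials were cached and policy permits cached logon; "the network" can be read as the PoC network, to which the VM is connected. Keep "corporate network" or write "disconnected from the corporate domain".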
@@ -278,7 +267,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
```
-If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
+If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
```powershell
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
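Review bot: nit in the unchanged example line right after the changed sentence: the prompt reads `PS C:>` (backslash lost) and should be `PS C:\>`, worth fixing while this hunk is open. The contraction edit is fine, though the parenthetical "MBR ("Installable File System" = MBR)" would be clearer as "(a Type of "Installable File System" means MBR)".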
@@ -345,12 +334,11 @@ The following tables display the Hyper-V VM generation to choose based on the OS
> [!NOTE]
>
->- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
->
->- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm).
->
->- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm).
-
+> - If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
+>
+> - If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the `mountvol` command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm).
+>
+> - If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm).
#### Prepare a generation 1 VM
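Review bot: this hunk drops the blank line that separated the end of the NOTE blockquote from the `#### Prepare a generation 1 VM` heading (the lone removed `-` line). Keep a blank line before the heading so the quote is unambiguously closed in every renderer and the spacing matches the other headings in the file. The `> - ` bullet spacing and the code span on `mountvol` are good changes; consider a comma before "which is accomplished" in the second bullet.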
@@ -361,16 +349,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS
2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example.
+3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example.
> [!IMPORTANT]
- > You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+ > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
-4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
+4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example:

- Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than those being converted, such as a flash drive.
+ Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than the disks being converted, such as a flash drive.
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
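Review bot: in the changed step 3, the volume label is now the code span `\?\Volume{`, where backslashes are literal, so it renders with a single leading backslash; the volume GUID path Disk2VHD shows has the form `\\?\Volume{...}` (the old bold form only showed one backslash because `\\` was a Markdown escape). Write it as `\\?\Volume{` inside the backticks. Also, this step converts `**C:\\**` to a code span while the matching steps in the generation 2 and GPT procedures below keep `**C:\\**` in bold; pick one form for all three. Nit: "different than the disks" should be "different from the disks".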
@@ -398,16 +386,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS
This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected.
+4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected.
> [!IMPORTANT]
> You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
-5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
+5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and select **Create**. See the following example:

- Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+ Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those disks being converted, such as a flash drive.
6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
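Review bot: changed step 4 keeps `**C:\\**` and `**S:\\**` in bold (unlike the generation 1 step above, which now uses code spans) and bolds "checkbox" as part of the control name in **Use Volume Shadow Copy checkbox**; end the bold after "Shadow Copy" and use the same form for drive names in all three procedures. Nit on the changed Disk2vhd paragraph: "on a disk different than those disks being converted" reads better as "on a disk other than the disks being converted".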
@@ -426,16 +414,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS
You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
+3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
> [!NOTE]
- > The system volume is not copied in this scenario, it will be added later.
+ > The system volume isn't copied in this scenario, it will be added later.
-4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
+4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and select **Create**. See the following example:

- Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+ Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those disks being converted, such as a flash drive.
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
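Review bot: the changed NOTE line is a comma splice ("isn't copied in this scenario, it will be added later"); use a semicolon or "it's added later". The first changed step 3 line has no visible difference (whitespace only), and the Disk2vhd paragraph carries the same "those disks being converted" wording as the previous hunk.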
@@ -447,14 +435,12 @@ The following tables display the Hyper-V VM generation to choose based on the OS
w7.VHD
```
- In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
+ In its current state, the w7.VHD file isn't bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
-### Resize VHD
-
-Enhanced session mode
+### Enhanced session mode
> [!IMPORTANT]
-> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
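Review bot: the heading swap is right (the old `### Resize VHD` heading sat above text that belongs to enhanced session mode), but any link to `#resize-vhd` should be checked now that the section moves below; the re-added heading appears in the next hunk. The IMPORTANT line is shown as changed yet reads identically apart from whitespace; while it is being touched, "do not left click" should follow the PR's contraction style ("don't left-click").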
@@ -462,11 +448,11 @@ To ensure that enhanced session mode is enabled on the Hyper-V host, type the fo
Set-VMhost -EnableEnhancedSessionMode $TRUE
```
-If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
+If enhanced session mode wasn't previously enabled, close any existing virtual machine connections and reopen them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
-
+### Resize VHD
-The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
+The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 100 GB to support installing imaging tools and storing OS images.
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
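Review bot: the new `### Resize VHD` heading replaces a removed blank line, so confirm a blank line still separates it from the preceding paragraph and from "The second Windows Server 2012 R2 VHD..." below, matching the spacing used around the other headings in the file. The "40 GB to 100 GB" spacing fix is correct.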
@@ -487,15 +473,15 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
- If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+ If the Hyper-V host already has an external virtual switch bound to a physical NIC, don't attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
**A**: Remove the existing external virtual switch, then add the poc-external switch
**B**: Rename the existing external switch to "poc-external"
- **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
+ **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
- If you choose B) or C), then do not run the second command below.
+ If you choose B) or C), then don't run the second command below.
```powershell
New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
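Review bot: on the changed error-text line the bold span swallows the trailing period (**...Microsoft Virtual Switch protocol.**); move the period outside the bold. The option labels are **A**, **B** and **C**, but the changed follow-up sentence says "B) or C)"; match the labels. The changed option C line has no visible difference (whitespace only).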
@@ -505,7 +491,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
> [!NOTE]
> The second command above will temporarily interrupt network connectivity on the Hyper-V host.
- Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+ Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this action by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet (`$_.Status -eq "Up" -and !$_.Virtual`). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation won't work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the internet is named "Ethernet 2" then type the following command to create an external virtual switch: `New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"`
2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
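Review bot: good fix to put the filter expression and the `New-VMSwitch` example in code spans; for the same reason `NetAdapterName` (twice) and `Get-NetAdapter` on the same line should be code spans too. Nit: "associated to a physical network adapter" should be "associated with".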
@@ -513,9 +499,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
(Get-VMHostNumaNode).MemoryAvailable
```
- This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
+ This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer isn't also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available, try closing applications to free up more memory.
-3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
+3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
```powershell
(Get-VMHostNumaNode).MemoryAvailable/4
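Review bot: dropping "than this" from the last sentence of the changed paragraph leaves the comparison dangling ("If the computer has less RAM available, try closing applications"); say "less RAM available than these amounts". The changed step 3 line shows no visible difference (whitespace only).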
@@ -566,7 +552,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
> [!NOTE]
> The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
- First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
+ First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Don't forget to include a pipe (`|`) at the end of the first five commands:
```powershell
New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
@@ -592,10 +578,10 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
The VM will automatically boot into Windows Setup. In the PC1 window:
- 1. Click **Next**.
- 2. Click **Repair your computer**.
- 3. Click **Troubleshoot**.
- 4. Click **Command Prompt**.
+ 1. Select **Next**.
+ 2. Select **Repair your computer**.
+ 3. Select **Troubleshoot**.
+ 4. Select **Command Prompt**.
5. Type the following command to save an image of the OS drive:
```console
@@ -626,8 +612,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
exit
```
- 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
- 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
+ 8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD.
+ 9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**.
10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
```powershell
@@ -644,9 +630,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
vmconnect localhost DC1
```
-2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**.
-3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
-4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
+2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**.
+3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
+4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
```powershell
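Review bot: removing the hard-coded administrator password from changed step 2 is the right call, but the reader then needs to know where that password is reused: step 3 signs in to DC1 with the Administrator account, so add "(you'll need it to sign in to DC1 in the next step)" to step 2, and if any later command in the guide embeds a password for lab accounts, update it in the same way so the document does not mix "a strong password" here with a fixed value elsewhere.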
@@ -699,9 +685,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
```
- The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
+ The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we haven't configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this configuration by using the command: `Get-DhcpServerv4Lease -ScopeId 192.168.0.0`
-11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
+11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
```powershell
Get-DnsServerForwarder
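Review bot: the changed -Force sentence now ends in a code span with no terminating period, and "issued is to vEthernet interface" is missing "the" (pre-existing, but the line is being edited). Suggest "...by using the command `Get-DhcpServerv4Lease -ScopeId 192.168.0.0`." and "to the vEthernet interface". `-Force` and `192.168.0.2` could be code spans as well, for consistency with the rest of the PR.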
@@ -717,7 +703,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
ReorderedIPAddress : 192.168.0.2
```
- If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
+ If this output isn't displayed, you can use the following command to add SRV1 as a forwarder:
```powershell
Add-DnsServerForwarder -IPAddress 192.168.0.2
@@ -725,9 +711,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
**Configure service and user accounts**
- Windows 10 deployment with MDT and Microsoft Endpoint Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
+ Windows 10 deployment with Configuration Manager and MDT requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
- To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+ To keep this test lab relatively simple, we won't create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
On DC1, open an elevated Windows PowerShell prompt and type the following commands:
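Review bot: the product rename on the first changed line is consistent with current naming, but the second changed line still ends on the link with no period; close the sentence. "In the test lab environment, passwords are set to never expire" is the kind of lab-only setting this PR is otherwise tightening (the hard-coded password removal above), and the production link that follows is the mitigation, so the sentence is fine as long as it keeps the "test lab" qualifier.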
@@ -746,9 +732,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
12. Minimize the DC1 VM window but **do not stop** the VM.
- Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
+ Next, the client VM will be started and joined to the contoso.com domain. This action is done before adding a gateway to the PoC network so that there's no danger of duplicate DNS registrations for the physical client and its cloned VM in the domain.
-13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
+13. If the PC1 VM isn't started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
```powershell
Start-VM PC1
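Review bot: changing "duplicate DNS registrations ... in the corporate domain" to "in the domain" makes the sentence ambiguous, because the same sentence has just named contoso.com; the risk being described is the physical client and its clone both registering in the client's original (corporate) domain before the PoC network gets a gateway. Keep "corporate domain" or say "in the client's original domain".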
@@ -757,19 +743,19 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
14. Sign in to PC1 using an account that has local administrator rights.
- PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
+ PC1 will be disconnected from its current domain, so you can't use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
-15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
+15. After you sign in, Windows detects that it's running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you'll be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.

- If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
+ If the client was configured with a static address, you must change this address to a dynamic one so that it can obtain a DHCP lease.
-16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
+16. When the new network adapter driver has completed installation, you'll receive an alert to set a network location for the contoso.com network. Select **Work network** and then select **Close**. When you receive an alert that a restart is required, select **Restart Later**.
17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
- To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
+ To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection:
```console
ipconfig
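Review bot: step 17 (unchanged context in this hunk) still reads "consoto.com"; fix the typo to "contoso.com" while the surrounding lines are being edited. In the changed explanatory text under step 14, "sign on" could be "sign in" to match the wording used elsewhere in the PR; the step 15 and step 17 rewrites read well.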
@@ -803,9 +789,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
```
> [!NOTE]
- > If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
+ > If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it's possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
-18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
+18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then select **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
```powershell
(Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
@@ -816,13 +802,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Restart-Computer
```
- If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
+ If you don't see the script pane, select **View** and verify **Show Script Pane Top** is enabled. Select **File** and then select **New**.
See the following example:
:::image type="content" alt-text="ISE 1." source="images/ISE.png" lightbox="images/ISE.png":::
-19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
+19. Select **File**, select **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
@@ -832,9 +818,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
```
> [!NOTE]
- > In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
+ > In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
- If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
+ If the copy-vmfile command doesn't work and you can't properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode isn't available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the `.ps1` extension and not as a text (`.txt`) file.
21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
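Review bot: cmdlet casing is inconsistent in this hunk and the one before it: the NOTE here writes `copy-VMFile`, the next paragraph writes `copy-vmfile`, and the earlier NOTE writes `Copy-VMFile`. Since this pass already puts `.ps1` and `.txt` in code spans, use the canonical `Copy-VMFile` in a code span in all three places. The first `+` line of this hunk also appears unchanged from its `-` line apart from whitespace while still reading "If this service is not enabled in this step, then the copy-VMFile command will fail"; either apply the same contraction style as the rest of the change ("isn't") or drop the no-op line from the hunk.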
@@ -842,14 +828,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
```
- The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
+ The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the network so as to ensure the computer object in the domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
> [!IMPORTANT]
> The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
-23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
+23. Minimize the PC1 window but don't turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This action verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
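Review bot: removing "corporate" from "PC1 is removed from its domain in this step while not connected to the network so as to ensure the computer object in the domain is unaffected" changes the meaning. PC1 is connected to the PoC network at this point, and the sentence exists to say that the cloned VM is isolated from the production (corporate) network so that the real computer account there is not touched; with "the network" and "the domain" a reader can take both to mean the contoso.com PoC domain. Keep a qualifier, for example "while not connected to the production network, so that the computer object in the production domain is unaffected".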
@@ -858,7 +844,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
vmconnect localhost SRV1
```
-25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
+25. Accept the default settings, read license terms and accept them, provide a strong administrator password, and select **Finish**. When you're prompted about finding PCs, devices, and content on the network, select **Yes**.
26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
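Review bot: replacing the literal `pass@word1` with "provide a strong administrator password" is the right call, but later steps still depend on that password (step 26 signs in as the local administrator, and a later hunk runs `runas /noprofile /env /user:administrator@contoso.com`), so make sure every other occurrence of the fixed value in this guide and the companion MDT guide is removed in the same change, and tell the reader to record the password they choose. Otherwise the later steps silently assume a value that no longer appears anywhere in the text.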
@@ -892,12 +878,12 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Install-WindowsFeature -Name Routing -IncludeManagementTools
```
-30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
+30. Before configuring the routing service that was installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
```powershell
- Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
+ Get-NetAdapter | ? status -eq 'up' | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
IPAddress InterfaceAlias
--------- --------------
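Review bot: the straight-quote fix for `'up'` is good. While touching this line, consider spelling out the aliases, `Where-Object` for `?` and `Format-Table` for `ft`, since published PowerShell samples generally avoid aliases and the sample output directly below already shows the full column names, so nothing else needs to change.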
@@ -905,11 +891,10 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
192.168.0.2 Ethernet
```
- In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings.
-
- >[!TIP]
- >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
+ In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your network. If so, you can try removing and readding the second network interface from the SRV1 VM through its Hyper-V settings.
+ > [!TIP]
+ > Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
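Review bot: "readding" in the rewritten paragraph should be "re-adding"; it is the only spelling problem this hunk introduces. As with the earlier hunk, "getting a DHCP lease from DC1 instead of your network" loses the distinction the sentence depends on, because the PoC network is also "your network" here; "instead of your external network" keeps it. The relocated TIP also still says "by clicking **View** and then clicking **Show hidden devices**" while every neighbouring hunk converts "click" to "select".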
@@ -921,19 +906,19 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
```
-32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This step can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
```powershell
Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
```
-33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
+33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
```powershell
ping www.microsoft.com
```
- If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
+ If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
> [!NOTE]
> This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
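Review bot: "To do this action, open an elevated Windows PowerShell prompt on SRV1" is awkward; "To do so, open ..." or simply "Open an elevated ..." reads better. In the same hunk, "if your network has a firewall that filters queries from local DNS servers" no longer says which network, when the point is that the upstream (corporate) network may block recursive queries from SRV1; keep "corporate" or say "external".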
@@ -942,7 +927,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
```
-34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
+34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK):
```powershell
PS C:\> ping www.microsoft.com
@@ -959,15 +944,15 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Minimum = 1ms, Maximum = 3ms, Average = 2ms
```
-35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
-36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
+35. Verify that all three VMs can reach each other, and the internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
+36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
Restart-Computer
```
-This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
+This process completes configuration of the starting PoC environment. More services and tools are installed in subsequent guides.
## Appendix A: Verify the configuration
@@ -987,19 +972,19 @@ Use the following procedures to verify that the PoC environment is configured pr
```
**Get-Service** displays a status of "Running" for all three services.
-
+
**DCDiag** displays "passed test" for all tests.
-
- **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
-
+
+ **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Other address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
+
**Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
-
+
**Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
**Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.
-
- **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
-
+
+ **Get-DhcpServerv4Statistics** displays one scope with two addresses in use. These addresses belong to PC1 and the Hyper-V host.
+
**ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
@@ -1014,13 +999,13 @@ Use the following procedures to verify that the PoC environment is configured pr
**Get-Service** displays a status of "Running" for both services.
- **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
+ **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you're required to use so that SRV1 can resolve internet names.
**Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
- **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
+ **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP address of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your network.
- **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
+ **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
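Review bot: "The suffix search list contains `contoso.com` and your domain" is ambiguous once "corporate" is removed, because contoso.com is also "your domain" in this lab; "and the DNS suffix from your external network" (or simply keeping "corporate domain") states what the verifier should actually see. The same applies to "configured by DHCP on your network" in the ipconfig bullet and "IP address assigned by your network" in the netsh bullet: say "external network" so the reader can tell the two adapters apart.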
@@ -1038,11 +1023,10 @@ Use the following procedures to verify that the PoC environment is configured pr
**nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
- **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
+ **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "could not find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
**tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
-
## Appendix B: Terminology used in this guide
|Term|Definition|
@@ -1058,9 +1042,6 @@ Use the following procedures to verify that the PoC environment is configured pr
|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
-## Related Topics
-
+## Next steps
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-
-
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 03e2aee015..f0e2079b1c 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,63 +1,60 @@
---
title: Demonstrate Autopilot deployment
manager: dougeby
-description: In this article, find step-by-step instructions on how to set up a Virtual Machine with a Windows Autopilot deployment.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
+description: Step-by-step instructions on how to set up a virtual machine with a Windows Autopilot deployment.
ms.prod: w10
-ms.mktglfcycl: deploy
+ms.technology: windows
ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
author: aczechowski
ms.author: aaroncz
ms.collection:
- M365-modern-desktop
- highpri
-ms.topic: article
-ms.custom:
- - autopilot
- - seo-marvel-apr2020
+ms.topic: tutorial
+ms.date: 05/12/2022
---
-
# Demonstrate Autopilot deployment
-**Applies to**
+*Applies to*
- Windows 10
-To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
+To get started with Windows Autopilot, you should try it out with a virtual machine (VM). You can also use a physical device that will be wiped and then have a fresh install of Windows 10.
-In this topic, you'll learn how to set up a Windows Autopilot deployment for a VM using Hyper-V.
+In this article, you'll learn how to set up a Windows Autopilot deployment for a VM using Hyper-V.
> [!NOTE]
-> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Intune.
+> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Microsoft Intune.
>
-> Hyper-V and a VM are not required for this lab. You can use a physical device instead. However, the instructions assume that you're using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
+> Hyper-V and a VM aren't required for this lab. You can use a physical device instead. However, the instructions assume that you're using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to _device_ in the guide refer to the client device, either physical or virtual.
The following video provides an overview of the process:
-
-
+> [!VIDEO https://www.youtube.com/embed/KYVptkpsOqs]
+> [!TIP]
> For a list of terms used in this guide, see the [Glossary](#glossary) section.
## Prerequisites
-These are the things you'll need to complete this lab:
+You'll need the following components to complete this lab:
-| | Description |
+| Component | Description |
|:---|:---|
-|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, General Availability Channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.|
-|**Internet access**|If you're behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the internet.|
+|**Windows 10 installation media**|Windows 10 Professional or Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an evaluation version of Windows 10 Enterprise.|
+|**Internet access**|If you're behind a firewall, see the detailed [networking requirements](/mem/autopilot/software-requirements#networking-requirements). Otherwise, just make sure that you have a connection to the internet.|
|**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
-|**An account with Azure Active Directory (AD) Premium license**|This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
+|**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
+
+> [!NOTE]
+> The Microsoft Evaluation Center is temporarily unavailable. To access Windows client evaluation media, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
## Procedures
A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices.
-If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version.
+If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or later.
- [Verify support for Hyper-V](#verify-support-for-hyper-v)
- [Enable Hyper-V](#enable-hyper-v)
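Review bot: the added NOTE stating that "The Microsoft Evaluation Center is temporarily unavailable" hard-codes a transient outage into the article, and the same note with the same TechCommunity link is added a second time under "Set ISO file location" later in this diff. Keep one copy and, since `ms.date: 05/12/2022` is set in the same hunk, either tie the note to that date or plan to remove it when the Evaluation Center returns; otherwise it goes stale. The rewritten prerequisites row "download an evaluation version of Windows 10 Enterprise" also no longer points anywhere, because the Evaluation Center link is removed in the later hunk.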
@@ -107,7 +104,7 @@ To enable Hyper-V, open an elevated Windows PowerShell prompt and run the follow
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
```
-This command works on all operating systems that support Hyper-V. However, on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed. So, if you're using Windows Server, you can just type the following command instead of using the **Enable-WindowsOptionalFeature** command:
+This command works on all operating systems that support Hyper-V. However, on Windows Server operating systems you must type another command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed. So, if you're using Windows Server, you can just type the following command instead of using the **Enable-WindowsOptionalFeature** command:
```powershell
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
@@ -139,17 +136,18 @@ To use Windows PowerShell, you need to know two things:
2. The name of the network interface that connects to the internet.
- In the example, you'll use a Windows PowerShell command to determine this automatically.
+ In the example, you'll use a Windows PowerShell command to determine this information automatically.
After you determine the ISO file location and the name of the appropriate network interface, you can install Windows 10.
### Set ISO file location
-You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise. Choose a 64-bit version.
-When asked to select a platform, choose **64 bit**.
+> [!NOTE]
+> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
-After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+After you download an ISO file, the name will be long. For example, `19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso`
1. So that it's easier to type and remember, rename the file to **win10-eval.iso**.
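Review bot: this hunk drops the only link to the evaluation ISO (`https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise`) and replaces it with "Download an ISO file for an evaluation version ... Choose a 64-bit version." with no target, so a reader who is not affected by the outage has nowhere to go. Keep the Evaluation Center link as the primary source and let the NOTE supply the workaround; a forum thread is a stop-gap, not a replacement for the download page.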
@@ -165,9 +163,9 @@ The **Get-NetAdaper** cmdlet is used to automatically find the network adapter t
(Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
```
-The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
+The output of this command should be the name of the network interface you use to connect to the internet. Verify that this interface name is correct. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
-For example, if the command above displays **Ethernet** but you wish to use **Ethernet2**, then the first command below would be **New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
+For example, if the command above displays **Ethernet** but you wish to use **Ethernet2**, then the first command below would be `New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2`
### Use Windows PowerShell to create the demo VM
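Review bot: the rewritten example command is broken: `New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2` keeps the bold markers inside a code span, so the asterisks render literally and anyone who pastes it passes `**Ethernet2` as the adapter name. Drop the `**` so the span reads `New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName Ethernet2`. The hunk's context line also names the cmdlet as **Get-NetAdaper**, a typo for `Get-NetAdapter` that is worth fixing in the same pass.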
@@ -176,7 +174,7 @@ All VM data will be created under the current path in your PowerShell prompt. Co
> [!IMPORTANT]
> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.
>
->- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
+>- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to `AutopilotExternal`.
>- If you have never created an external VM switch before, then just run the commands below.
>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
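Review bot: the change to `AutopilotExternal` on the first bullet leaves the third bullet (`>- If you're not sure if you already have an External VM switch...`) still using the quoted form "AutopilotExternal" and bold **get-vmswitch** for a cmdlet; for consistency within the same note block, use `AutopilotExternal` and `Get-VMSwitch` there as well.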
@@ -187,9 +185,9 @@ Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
```
-After you enter these commands, connect to the VM that you just created. Double-click the VM in Hyper-V Manager to connect to it. Then wait for a prompt to press a key and boot from the DVD.
+After you enter these commands, connect to this VM. Double-click the VM in Hyper-V Manager to connect to it. Then wait for a prompt to press a key and boot from the DVD.
-See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the **vmconnect.exe** command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
+See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the **vmconnect.exe** command is used, which is only available on Windows Server. If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
PS C:\autopilot> dir c:\iso
@@ -250,7 +248,7 @@ Make sure that the VM booted from the installation ISO, select **Next**, select

-After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This offers the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This option offers the fastest way to the desktop. For example:

@@ -259,7 +257,7 @@ Once the installation is complete, sign in and verify that you're at the Windows
> [!div class="mx-imgBorder"]
> 
-To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM), and then run the following:
+To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM), and then run the following command:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
@@ -327,7 +325,7 @@ Follow these steps to run the PowerShell script:
PS C:\HWID>
```
-
+
1. Verify that there's an **AutopilotHWID.csv** file in the **c:\HWID** directory that's about 8 KB in size. This file contains the complete 4K HH.
> [!NOTE]
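Review bot: the abbreviation "4K HH" in the step `1. Verify that there's an **AutopilotHWID.csv** file in the **c:\HWID** directory ... This file contains the complete 4K HH.` is never expanded; spell it out as "4K hardware hash" on first use, since what the CSV contains is exactly what the reader needs to understand before uploading it.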
@@ -335,19 +333,20 @@ Follow these steps to run the PowerShell script:

- You'll need to upload this data into Intune to register your device for Autopilot. So, the next step is to transfer this file to the computer you'll use to access the Azure portal. If you're using a physical device instead of a VM, you can copy the file to a USB drive. If you’re using a VM, you can right-click the **AutopilotHWID.csv** file and copy it. Then right-click and paste the file to your desktop (outside the VM).
+ You'll need to upload this data into Intune to register your device for Autopilot. So, the next step is to transfer this file to the computer you'll use to access the Azure portal. If you're using a physical device instead of a VM, you can copy the file to a USB drive. If you're using a VM, you can right-click the **AutopilotHWID.csv** file and copy it. Then right-click and paste the file to your desktop (outside the VM).
- If you have trouble copying and pasting the file, just view the contents in Notepad on the VM, and then copy the text into Notepad outside the VM. Don't use another text editor to do this.
+ If you have trouble copying and pasting the file, just view the contents in Notepad on the VM, and then copy the text into Notepad outside the VM. Don't use another text editor.
> [!NOTE]
> When copying and pasting to or from VMs, avoid selecting other things with your mouse cursor in between the copy and paste process. Doing so can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
## Reset the VM back to Out-Of-Box-Experience (OOBE)
-With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
+With the hardware ID captured in a file, prepare your VM for Windows Autopilot deployment by resetting it back to OOBE.
-On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
-Select **Remove everything**, then, on **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**.
+1. On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
+1. Select **Remove everything**. On **How would you like to reinstall Windows**, select **Local reinstall**.
+1. Finally, select **Reset**.

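Review bot: the new numbered steps keep "Virtual Machine" in `+1. On the Virtual Machine, go to **Settings > Update & Security > Recovery**` even though the sentence just above was changed from "Virtual Machine" to "VM" in this same hunk; use "VM" in the step too. The steps also use `1.` for every item, whereas the rest of this file numbers steps explicitly (`3. Select **Import**`, `4. Select **Refresh**`); pick one convention for the whole file.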
@@ -357,13 +356,13 @@ Resetting the VM or device can take a while. Proceed to the next step (verify su
## Verify subscription level
-For this lab, you need an Azure AD Premium subscription. To tell if you have a Premium subscription, go to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
+For this lab, you need an Azure AD Premium subscription. To tell if you have a Premium subscription, go to [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) in the Azure portal. See the following example:
**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**

-If the configuration blade shown above doesn't appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in Azure AD Premium.
+If this configuration doesn't appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in Azure AD Premium.
To convert your Intune trial account to a free Premium trial account, go to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
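Review bot: replacing "the configuration blade shown above" with `+If this configuration doesn't appear` leaves the referent unclear, since "this configuration" could be read as the subscription rather than the portal page; say "If this configuration pane doesn't appear" to match the blade-to-pane wording used throughout the rest of this patch.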
@@ -414,7 +413,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
You should receive confirmation that the file is formatted correctly before you upload it, as shown above.
-3. Select **Import** and wait until the import process completes. This can take up to 15 minutes.
+3. Select **Import** and wait until the import process completes. This action can take up to 15 minutes.
4. Select **Refresh** to verify your VM or device is added. See the following example.
@@ -465,7 +464,7 @@ The Autopilot deployment profile wizard asks for a device group, so you must cre
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
-2. In the **Group** blade:
+2. In the **Group** pane:
1. For **Group type**, choose **Security**.
2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
3. Azure AD roles can be assigned to the group: **No**
@@ -490,7 +489,7 @@ Select **Create profile** and then select **Windows PC**.
> [!div class="mx-imgBorder"]
> 
-On the **Create profile** blade, use the following values:
+On the **Create profile** pane, use the following values:
| Setting | Value |
|---|---|
@@ -580,7 +579,7 @@ To confirm the profile was successfully assigned to the intended device, check t
## See Windows Autopilot in action
-If you shut down your VM after the last reset, it's time to start it back up again so it can progress through the Autopilot OOBE experience. However, don't attempt to start your device again until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned** to **Assigning**, and finally to **Assigned**:
+If you shut down your VM after the last reset, start it again. Then it can progress through the Autopilot OOBE experience. However, don't attempt to start your device again until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned** to **Assigning**, and finally to **Assigned**:
> [!div class="mx-imgBorder"]
> 
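Review bot: the rewritten opening `+If you shut down your VM after the last reset, start it again.` is now a direct instruction that the next sentence immediately contradicts (`don't attempt to start your device again until the **PROFILE STATUS** ... is changed ... to **Assigned**`); reorder so the precondition comes first, for example: "Don't start your VM until the PROFILE STATUS for your device in Intune changes from Not assigned to Assigning and finally to Assigned. Then start it so it can progress through the Autopilot OOBE experience."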
@@ -596,7 +595,7 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com

-Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**. Then, **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
+After the device loads the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go to the Intune portal, and select **Devices > All devices**. Then **Refresh** the data to verify that your device has changed to an enabled state, and the name of the device is updated.
> [!div class="mx-imgBorder"]
> 
@@ -619,9 +618,9 @@ You need to delete (or retire, or factory reset) the device from Intune before d
> [!div class="mx-imgBorder"]
> 
-This action removes the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this doesn't yet deregister the device from Autopilot. So, the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
+This action removes the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this action doesn't yet deregister the device from Autopilot. So, the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
> [!NOTE]
> A device only appears in the **All devices** list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
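Review bot: the sentence "The former (All devices) is the list of devices currently enrolled into Intune." ends the paragraph `+The **Intune > Devices > All Devices** list and ...`, while its pair, "The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered ...", sits inside the `> [!NOTE]` callout below; split like that, the former/latter contrast is lost and the callout reads as an unrelated aside. Move the "The latter ..." sentence out of the callout to follow "The former ..." directly, and leave only "A device only appears in the **All devices** list once it has booted." in the note.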
@@ -684,7 +683,7 @@ EPT * Supports Intel extended page tables (SLAT)
#### Prepare the app for Intune
-Before you can pull an application into Intune to make it part of your AP profile, you need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before you can pull an application into Intune to make it part of your AP profile, you need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
@@ -699,11 +698,11 @@ Run the IntuneWinAppUtil tool, supplying answers to the three questions, for exa
> [!div class="mx-imgBorder"]
> 
-After the tool finishes running, you should have an .intunewin file in the Output folder. You can upload the file into Intune by using the following steps.
+After the tool finishes running, you should have an `.intunewin` file in the Output folder. You can upload the file into Intune by using the following steps.
#### Create app in Intune
-Log in to the Azure portal, and then select **Intune**.
+Sign in to the Azure portal, and then select **Intune**.
Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.
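Review bot: the context line `Go to **Intune > Clients apps > Apps**` has "Clients apps" where the rest of this document spells the path "Client Apps" (see the later `In the **Intune > Client Apps > Apps** pane` line); since the neighbouring `+Sign in to the Azure portal` line is already being edited, fix the path here as well.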
@@ -713,16 +712,16 @@ Under **App Type**, select **Windows app (Win32)**:

-On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then select **OK**:
+On the **App package file** pane, browse to the `npp.7.6.3.installer.x64.intunewin` file in your output folder, open it, then select **OK**:
> [!div class="mx-imgBorder"]
> 
-On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
+On the **App Information Configure** pane, provide a friendly name, description, and publisher, such as:

-On the **Program Configuration** blade, supply the install and uninstall commands:
+On the **Program Configuration** pane, supply the install and uninstall commands:
```console
Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
@@ -734,11 +733,11 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q

-Simply using an install command like "notepad++.exe /S" doesn't actually install Notepad++; it only launches the app. To install the program, you need to use the .msi file instead. Notepad++ doesn't have a .msi version of their program, but there's a .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like `notepad++.exe /S` doesn't actually install Notepad++. It only launches the app. To install the program, you need to use the `.msi` file instead. Notepad++ doesn't have an MSI version of their program, but there's an MSI version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
-Select **OK** to save your input and activate the **Requirements** blade.
+Select **OK** to save your input and activate the **Requirements** pane.
-On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
+On the **Requirements Configuration** pane, specify the **OS architecture** and the **Minimum OS version**:
> [!div class="mx-imgBorder"]
> 
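Review bot: in `+Simply using an install command like ...`, "Notepad++ doesn't have an MSI version of their program" should read "its program" (Notepad++ is singular), and "third party provider" should be hyphenated as "third-party provider"; both are on the line this hunk rewrites, so they can be fixed in the same change.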
@@ -752,7 +751,7 @@ Select **Add** to define the rule properties. For **Rule type**, select **MSI**,

-Select **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+Select **OK** twice to save, as you back out to the main **Add app** pane again for the final configuration.
**Return codes**: For the purposes of this lab, leave the return codes at their default values:
@@ -761,7 +760,7 @@ Select **OK** twice to save, as you back out to the main **Add app** blade again
Select **OK** to exit.
-You can skip configuring the final **Scope (Tags)** blade.
+You can skip configuring the final **Scope (Tags)** pane.
Select the **Add** button to finalize and save your app package.
@@ -780,7 +779,7 @@ Find your app in your app list:
> [!NOTE]
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
-In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then select **Assignments** from the menu:
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties pane. Then select **Assignments** from the menu:
> [!div class="mx-imgBorder"]
> 
@@ -818,7 +817,7 @@ For more information on adding apps to Intune, see [Intune Standalone - Win32 ap
#### Create app in Microsoft Endpoint Manager
-Log in to the Azure portal and select **Intune**.
+Sign in to the Azure portal and select **Intune**.
Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.
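Review bot: `Go to **Intune > Clients apps > Apps**` has "Clients apps" for "Client apps" (the assignment steps in this file spell it `Client Apps`); correct the path while the adjacent `+Sign in to the Azure portal` line is being touched.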
@@ -855,7 +854,7 @@ Select **OK** and, then select **Add**.
> [!NOTE]
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
-In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then select **Assignments** from the menu:
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties pane. Then select **Assignments** from the menu:
> [!div class="mx-imgBorder"]
> 
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index c1316fbac4..b8dc2f684f 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -1,6 +1,6 @@
---
title: Secure the Windows boot process
-description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications
+description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
keywords: trusted boot, windows boot process
ms.prod: m365-security
ms.mktglfcycl: Explore
@@ -14,124 +14,123 @@ ms.collection:
- M365-security-compliance
- highpri
ms.topic: conceptual
-ms.date: 11/24/2021
+ms.date: 05/12/2022
ms.author: dansimp
---
# Secure the Windows boot process
-**Applies to:**
-- Windows 11
-- Windows 10
-- Windows 8.1
+*Applies to:*
+- Windows 11
+- Windows 10
+- Windows 8.1
-The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
-Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
+Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
-Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden.
+Those components are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware, and bootkits specifically, are capable of starting before Windows, completely bypassing OS security, and remaining hidden.
-When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
-
-First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you.
+When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can't remain hidden; Trusted Boot can prove the system's integrity to your infrastructure in a way that malware can't disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
+First, let's examine what rootkits are and how they work. Then, we'll show you how Windows can protect you.
## The threat: rootkits
-*Rootkits* are a sophisticated and dangerous type of malware that run in kernel mode, using the same privileges as the operating system. Because rootkits have the same rights as the operating system and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
+*Rootkits* are a sophisticated and dangerous type of malware. They run in kernel mode, using the same privileges as the OS. Because rootkits have the same rights as the OS and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
Different types of rootkits load during different phases of the startup process:
-- **Firmware rootkits.** These kits overwrite the firmware of the PC’s basic input/output system or other hardware so the rootkit can start before Windows.
-- **Bootkits.** These kits replace the operating system’s bootloader (the small piece of software that starts the operating system) so that the PC loads the bootkit before the operating system.
-- **Kernel rootkits.** These kits replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads.
-- **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
+- **Firmware rootkits.** These kits overwrite the firmware of the PC's basic input/output system or other hardware so the rootkit can start before Windows.
+- **Bootkits.** These kits replace the OS's bootloader (the small piece of software that starts the OS) so that the PC loads the bootkit before the OS.
+- **Kernel rootkits.** These kits replace a portion of the OS kernel so the rootkit can start automatically when the OS loads.
+- **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
## The countermeasures
+
Windows supports four features to help prevent rootkits and bootkits from loading during the startup process:
-- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders.
-- **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it.
-- **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
-- **Measured Boot.** The PC’s firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC’s health.
-Figure 1 shows the Windows startup process.
+- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted OS bootloaders.
+- **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it.
+- **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
+- **Measured Boot.** The PC's firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC's health.
+Figure 1 shows the Windows startup process.
-.png)
+.png)
-**Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
+*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
-Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
+Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.
## Secure Boot
-When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever bootloader is on the PC’s hard drive. There’s no way for the PC to tell whether it’s a trusted operating system or a rootkit.
-When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
+When a PC starts, it first finds the OS bootloader. PCs without Secure Boot run whatever bootloader is on the PC's hard drive. There's no way for the PC to tell whether it's a trusted OS or a rootkit.
-- **The bootloader was signed using a trusted certificate.** In the case of PCs certified for Windows, the Microsoft® certificate is trusted.
-- **The user has manually approved the bootloader’s digital signature.** This allows the user to load non-Microsoft operating systems.
+When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
+
+- **The bootloader was signed using a trusted certificate.** For PCs certified for Windows, the Microsoft certificate is trusted.
+- **The user has manually approved the bootloader's digital signature.** This action allows the user to load non-Microsoft operating systems.
All x86-based Certified For Windows PCs must meet several requirements related to Secure Boot:
-- They must have Secure Boot enabled by default.
-- They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).
-- They must allow the user to configure Secure Boot to trust other bootloaders.
-- They must allow the user to completely disable Secure Boot.
+- They must have Secure Boot enabled by default.
+- They must trust Microsoft's certificate (and thus any bootloader Microsoft has signed).
+- They must allow the user to configure Secure Boot to trust other bootloaders.
+- They must allow the user to completely disable Secure Boot.
-These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
+These requirements help protect you from rootkits while allowing you to run any OS you want. You have three options for running non-Microsoft operating systems:
-- **Use an operating system with a certified bootloader.** Because all Certified For Windows PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to
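Review bot: the blank line between the "When you run Windows 10 or Windows 11 on a PC..." paragraph and "First, let's examine what rootkits are..." is deleted (the `-` blank line is not re-added), so in Markdown `+When you run Windows 10 or Windows 11 ...` and `+First, let's examine what rootkits are ...` will render as one merged paragraph; keep a blank line between them, as this hunk does elsewhere (for example the one it adds after `## The countermeasures`). Two smaller points on lines this hunk rewrites: `+- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted OS bootloaders.` ties Secure Boot to a TPM, yet the Secure Boot section that follows describes the check purely as the firmware verifying the bootloader's digital signature and never mentions the TPM, so either drop the TPM from this bullet (Secure Boot is a UEFI firmware feature that does not depend on it) or explain in that section what role it plays; and `+Even if a malicious app does get through, the Windows 10 OS includes...` still names only Windows 10 although the *Applies to* list now leads with Windows 11.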
@@ -1075,7 +1030,6 @@ You can download the DDF files for various CSPs from the links below:
## CSPs supported in HoloLens devices
-
The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
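Review bot: removing the blank line after `## CSPs supported in HoloLens devices` runs the heading straight into `The following list shows the CSPs supported in HoloLens devices:`; the rest of this patch keeps a blank line after headings (it adds one after `## The countermeasures`), and Markdown linters flag headings without surrounding blank lines, so this deletion should be dropped.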
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index f201706c23..186190cbec 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -146,7 +146,7 @@ The XML below is the current version for this CSP.
## Related topics
-[Reboot csp](reboot-csp.md)
+[Reboot CSP](reboot-csp.md)
diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md
index 033205c768..3886bb405d 100644
--- a/windows/client-management/mdm/remotefind-ddf-file.md
+++ b/windows/client-management/mdm/remotefind-ddf-file.md
@@ -299,7 +299,7 @@ The XML below is the current version for this CSP.
## Related topics
-[Remotefind csp](remotefind-csp.md)
+[RemoteFind CSP](remotefind-csp.md)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index a781251aeb..0771489578 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -80,7 +80,7 @@ Added in Windows 10, version 1809. Status value indicating current state of an A
Supported values:
- 0: Never run (not started). The default state.
-- 1: Complete
+- 1: Complete.
- 10: Reset has been scheduled.
- 20: Reset is scheduled and waiting for a reboot.
- 30: Failed during CSP Execute ("Exec" in SyncML).
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index b2cd34894d..f7982ce49b 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -223,4 +223,4 @@ The XML below is the DDF for Windows 10, version 1809.
## Related topics
-[Remotewipe csp](remotewipe-csp.md)
\ No newline at end of file
+[RemoteWipe CSP](remotewipe-csp.md)
\ No newline at end of file
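Review bot: the `+[RemoteWipe CSP](remotewipe-csp.md)` line is still followed by `\ No newline at end of file`; since this line is being rewritten anyway, terminate the file with a newline so the next edit to this file does not show a spurious change to the same line.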
diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md
index b62ceedb05..74600efb89 100644
--- a/windows/client-management/mdm/reporting-ddf-file.md
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -288,11 +288,5 @@ The XML below is the current version for the desktop CSP.
## Related topics
-[Reporting csp](reporting-csp.md)
-
-
-
-
-
-
-
+[Reporting CSP](reporting-csp.md)
+
\ No newline at end of file
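Review bot: the hunk trims the trailing blank lines but then adds a new empty `+` line, and the file still ends with `\ No newline at end of file`, so the last line is whitespace-only with no terminator. Drop the added empty line and end the file with a single newline after `[Reporting CSP](reporting-csp.md)`.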
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 83b66d40cd..5d51a77945 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -118,13 +118,3 @@ Returns the certificate template name. The only supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index 93ab639ec1..6d3114481c 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1988,4 +1988,4 @@ The XML below is for Windows 10, version 1803.
## Related topics
-[Rootcacertificates csp](rootcacertificates-csp.md)
\ No newline at end of file
+[RootCATrustedCertificates CSP](rootcacertificates-csp.md)
\ No newline at end of file
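Review bot: the link text changes from the filename-based `Rootcacertificates csp` to `RootCATrustedCertificates CSP` while the target stays `rootcacertificates-csp.md`; confirm the new text matches the title of the target page so the related-topic entry and the page heading agree. The line also still ends without a newline; add one while touching it.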
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index b6a6bdd1d6..4aff84bd1d 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -186,4 +186,4 @@ The XML below is the current version for this CSP.
## Related topics
-[Secureassessment csp](secureassessment-csp.md)
+[SecureAssessment CSP](secureassessment-csp.md)
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index 39e3ddcd74..e85778cb28 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -78,4 +78,4 @@ The XML below is for Windows 10, version 1809.
## Related topics
-[Tenantlockdown csp](tenantlockdown-csp.md)
\ No newline at end of file
+[TenantLockdown CSP](tenantlockdown-csp.md)
\ No newline at end of file
From 91b24d3873a2a334a9382fde44d2677f1f314f63 Mon Sep 17 00:00:00 2001
From: lizgt2000 <104389055+lizgt2000@users.noreply.github.com>
Date: Fri, 13 May 2022 13:35:07 -0400
Subject: [PATCH 82/94] fix broken links
---
windows/client-management/mdm/policy-csp-audit.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 6960e68f36..1ac68b444f 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -1714,7 +1714,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720.
+This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to use Data Protection](/dotnet/standard/security/how-to-use-data-protection).
If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
If you don't configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
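Review bot: the replacement target `/dotnet/standard/security/how-to-use-data-protection` is a .NET article, whereas this policy describes auditing of Windows DPAPI requests themselves; a platform-level DPAPI reference would match the audit subcategory better, or the sentence should say the link covers DPAPI usage from .NET. Separately, "Data Protection application interface" on both the `-` and `+` lines expands DPAPI incorrectly; it is the Data Protection Application Programming Interface, and this is the moment to fix it since the line is being rewritten.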
@@ -2862,7 +2862,7 @@ If you don't configure this policy setting, no audit event is generated when an
> [!Note]
> Only the System Access Control List (SACL) for SAM_SERVER can be modified.
-Volume: High on domain controllers. For information about reducing the number of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
+Volume: High on domain controllers. For more information about reducing the number of events generated by auditing the access of global system objects, see [Audit the access of global system objects](/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects).
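Review bot: the `+` line changes the sentence's subject, not only the link: the `-` line pointed to guidance on reducing events "in this subcategory" (the SAM audit context given by the SAM_SERVER note above), while the new text and link are about "Audit the access of global system objects", a different audit policy setting. If the Knowledge Base article is gone, either link to guidance that actually covers SAM auditing volume or reword so the sentence no longer claims the new target reduces events for this subcategory.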
From ca352e2527575bb4a72a839b1569b31fa91dcf77 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Mon, 16 May 2022 08:31:54 +0530
Subject: [PATCH 83/94] PubOps comment fixes
---
windows/client-management/mdm/accounts-csp.md | 2 +-
windows/client-management/mdm/activesync-csp.md | 2 +-
windows/client-management/mdm/alljoynmanagement-csp.md | 2 +-
windows/client-management/mdm/application-csp.md | 4 ++--
windows/client-management/mdm/applicationcontrol-csp.md | 2 +-
windows/client-management/mdm/applocker-csp.md | 2 +-
windows/client-management/mdm/assignedaccess-csp.md | 2 +-
windows/client-management/mdm/certificatestore-csp.md | 2 +-
8 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index e1714be3c1..94eba45c92 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -27,7 +27,7 @@ The Accounts configuration service provider (CSP) is used by the enterprise (1)
The following syntax shows the Accounts configuration service provider in tree format.
-```
+```console
./Device/Vendor/MSFT
Accounts
----Domain
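Review bot: the block now tagged `console` is a static node tree (`./Device/Vendor/MSFT`, `Accounts`, `----Domain`), not a terminal session, so console highlighting is applied to text with no prompts or commands. If the aim is only to satisfy an "untagged fence" lint, `text` describes the content more accurately; the same applies to the other tree fences in this patch (ActiveSync, AllJoynManagement, ApplicationControl, AssignedAccess, CertificateStore).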
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index b65de09282..3cc8bc3399 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -37,7 +37,7 @@ The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in
The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
-```
+```console
./Vendor/MSFT
ActiveSync
----Accounts
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index e4676371cb..589580af1a 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -25,7 +25,7 @@ For the firewall settings, note that PublicProfile and PrivateProfile are mutual
The following example shows the AllJoynManagement configuration service provider in tree format
-```
+```console
./Vendor/MSFT
AllJoynManagement
----Configurations
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index b935548199..f09f6f0d3d 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -30,9 +30,9 @@ OMA considers each transport to be an application and requires a corresponding A
The following list shows the supported transports:
-- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
+- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md).
-- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
+- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md).
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index cc06d82b40..3beb09b98d 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -29,7 +29,7 @@ Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can
The following example shows the ApplicationControl CSP in tree format.
-```
+```console
./Vendor/MSFT
ApplicationControl
----Policies
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 05f97fc04b..c70d901cd1 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -83,7 +83,7 @@ Defines restrictions for applications.
> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
-
+>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
> [!NOTE]
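Review bot: with the blank line turned into a `>` continuation, make sure a plain (non-`>`) blank line still separates the continued callout from the `> [!NOTE]` on the last context line; without one, the second note merges into the first blockquote. The continuation itself is the right fix: it keeps the Delete/unenrollment paragraph inside the first `[!NOTE]` instead of letting it fall out as body text.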
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 2300fbd281..5f61ca771d 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -40,7 +40,7 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider (
The following example shows the AssignedAccess configuration service provider in tree format
-```
+```console
./Vendor/MSFT
AssignedAccess
----KioskModeApp
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index 8afad07519..010ec8b52d 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -34,7 +34,7 @@ For the CertificateStore CSP, you can't use the Replace command unless the node
The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
-```
+```console
./Vendor/MSFT
CertificateStore
----ROOT
From 597c3bdb70bc7e77aebdb93d13d6b96c1c3b2b05 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Mon, 16 May 2022 08:39:47 +0530
Subject: [PATCH 84/94] PubOps comment fixes
---
.../mdm/win32compatibilityappraiser-csp.md | 8 ++++----
.../mdm/windowsadvancedthreatprotection-csp.md | 2 +-
.../mdm/windowsdefenderapplicationguard-csp.md | 3 ++-
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index f2a5fc1a7b..b3a8915e7f 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -98,10 +98,10 @@ An integer value representing whether the installed versions of the Compatibilit
The values are:
-- 0 == Neither the code nor data is of a sufficient version
-- 1 == The code version is insufficient but the data version is sufficient
-- 2 == The code version is sufficient but the data version is insufficient
-- 3 == Both the code and data are of a sufficient version
+- 0 == Neither the code nor data is of a sufficient version.
+- 1 == The code version is insufficient but the data version is sufficient.
+- 2 == The code version is sufficient but the data version is insufficient.
+- 3 == Both the code and data are of a sufficient version.
Value type is integer.
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index e72179a48c..c9940fce4d 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -82,7 +82,7 @@ Supported operation is Get.
The following list shows the supported values:
-- 0 (default) – Not onboarded.
+- 0 (default) – Not onboarded
- 1 – Onboarded
**HealthState/OrgId**
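Review bot: this hunk removes the period from `0 (default) – Not onboarded` while the win32compatibilityappraiser hunk in the same patch adds terminal periods to its list items, so the series applies opposite conventions. Pick one (the other hunks here go with periods) and apply it to both the `0` and `1` values.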
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 0ec8ff5709..10551772c3 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -26,7 +26,8 @@ The table below shows the applicability of Windows:
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
-```
+
+```console
./Device/Vendor/MSFT
WindowsDefenderApplicationGuard
----Settings
From 3c242c305d419458f6f3b1eb755b09429fbf772a Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Mon, 16 May 2022 08:42:40 +0530
Subject: [PATCH 85/94] PubOps fixes
---
windows/client-management/mdm/clientcertificateinstall-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index b6b1353815..028cae12a8 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -35,7 +35,7 @@ You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLoc
The following example shows the ClientCertificateInstall configuration service provider in tree format.
-```
+```console
./Vendor/MSFT
ClientCertificateInstall
----PFXCertInstall
From fd2626397c1ed0daba73c8ca7cd61aa34d7e7225 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT