deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

CSP: Windows 11 Updates-part3

Browse Source
This commit is contained in:
Alekhya Jupudi 2022-03-25 09:12:59 +05:30
parent a9d07277ed
commit 89d4342e9b
10 changed files with 402 additions and 246 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
windows/client-management/mdm/cleanpc-csp.md
View File

@ -13,6 +13,16 @@ manager: dansimp
# CleanPC CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following shows the CleanPC configuration service provider in tree format.

34
windows/client-management/mdm/cm-cellularentries-csp.md
View File

@ -14,6 +14,16 @@ ms.date: 08/02/2017
# CM\_CellularEntries CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point.
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
@ -76,13 +86,13 @@ Optional. Type: String. Specifies the type of connection used for the APN. The f
|Cdma|Used for CDMA type connections (1XRTT + EVDO).|
|Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.|
|Legacy|Used for GPRS + GSM + EDGE + UMTS connections.|
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi|
|Iwlan|Used for connections that are implemented over WiFi offload only|
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi.|
|Iwlan|Used for connections that are implemented over WiFi offload only.|
<a href="" id="desc-langid"></a>**Desc.langid**
Optional. Specifies the UI display string used by the defined language ID.
A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as <code>Desc.0409</code> with a value of <code>"GPRS Connection"</code> will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no <strong>Desc</strong> parameter is provisioned for a given language, the system will default to the name used to create the entry.
A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
<a href="" id="enabled"></a>**Enabled**
Specifies if the connection is enabled.
@ -110,7 +120,7 @@ Optional. Specifies if the connection requires a corresponding mappings policy.
A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
For example, if the multimedia messaging service (MMS) APN does not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
<a href="" id="version"></a>**Version**
Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
@ -131,7 +141,7 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which
- 5 - Roaming only.
<a href="" id="oemconnectionid"></a>**OEMConnectionID**
Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<a href="" id="apnid"></a>**ApnId**
Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices.
@ -145,7 +155,7 @@ Optional. Type: String. Specifies the network protocol of the connection. Availa
<a href="" id="exemptfromdisablepolicy"></a>**ExemptFromDisablePolicy**
Added back in Windows 10, version 1511.Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt).
To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF.
To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection, and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF.
>[!Note]
> Sending MMS while roaming is still not allowed.
@ -174,7 +184,7 @@ Optional. Type: Int. Specifies how long an on-demand connection can be unused be
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
<a href="" id="simiccid"></a>**SimIccId**
For single SIM phones, this parm isOptional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
For single SIM phones, this parm is Optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
<a href="" id="purposegroups"></a>**PurposeGroups**
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
@ -271,17 +281,7 @@ The following table shows the Microsoft custom elements that this configuration
|Characteristic-query|Yes|
|Parm-query|Yes|
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

17
windows/client-management/mdm/cmpolicy-csp.md
View File

@ -14,13 +14,21 @@ ms.date: 06/26/2017
# CMPolicy CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
@ -134,7 +142,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@ -180,7 +187,9 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
Adding a host-based mapping policy:
In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
<wap-provisioningdoc>
@ -364,7 +373,6 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
|Element|Available|
|--- |--- |
|parm-query|Yes|
@ -373,7 +381,6 @@ Adding a host-based mapping policy:
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

35
windows/client-management/mdm/wifi-csp.md
View File

@ -14,6 +14,16 @@ ms.date: 06/18/2019
# WiFi CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@ -21,12 +31,12 @@ The WiFi configuration service provider provides the functionality to add or del
Programming considerations:
- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS.
- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device.
- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported.
- The \<name>*name\_goes\_here*\</name>\<SSIDConfig> must match \<SSID>\<name> *name\_goes\_here*\</name>\</SSID>.
- For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure.
- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS.
- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device.
- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported.
- The \<name>*name\_goes\_here*\</name>\<SSIDConfig> must match \<SSID>\<name> *name\_goes\_here*\</name>\</SSID>.
- For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis in Windows 10 or Windows 11 client editions (Home, Pro, Enterprise, and Education) will result in failure.
The following shows the WiFi configuration service provider in tree format.
@ -41,11 +51,10 @@ WiFi
---------WiFiCost
```
The following list shows the characteristics and parameters.
<a href="" id="wifi"></a>**Device or User profile**
For user profile, use ./User/Vendor/MSFT/Wifi path and for device profile, use ./Device/Vendor/MSFT/Wifi path.
For user profile, use .`/User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path.
<a href="" id="profile"></a>**Profile**
Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks.
@ -94,6 +103,7 @@ Supported operations are Get, Add, Delete, and Replace.
-->
<a href="" id="disableinternetconnectivitychecks"></a>**DisableInternetConnectivityChecks**
> [!Note]
> This node has been deprecated since Windows 10, version 1607.
@ -101,8 +111,8 @@ Added in Windows 10, version 1511. Optional. Disable the internet connectivity c
Value type is chr.
- True - internet connectivity check is disabled.
- False - internet connectivity check is enabled.
- True - internet connectivity check is disabled.
- False - internet connectivity check is enabled.
Supported operations are Get, Add, Delete, and Replace.
@ -139,7 +149,6 @@ Supported operations are Add, Get, Replace and Delete. Value type is integer.
## Examples
These XML examples show how to perform various tasks using OMA DM.
### Add a network
@ -241,8 +250,4 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID MyNetw
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

11
windows/client-management/mdm/win32appinventory-csp.md
View File

@ -14,6 +14,15 @@ ms.date: 06/26/2017
# Win32AppInventory CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device.
@ -69,7 +78,7 @@ The supported operation is Get.
<a href="" id="win32installedprogram-installedprogram-regkey"></a>**Win32InstalledProgram/_InstalledProgram_/RegKey**
A string that specifies product code or registry subkey.
For MSI-based applications this is the product code.
For MSI-based applications, this is the product code.
For applications found in Add/Remove Programs, this is the registry subkey.

154
windows/client-management/mdm/win32compatibilityappraiser-csp.md
View File

@ -11,7 +11,17 @@ ms.reviewer:
manager: dansimp
---
# Win32CompatibilityAppraiser CSP
# Win32CompatibilityAppraiser CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@ -45,52 +55,64 @@ Win32CompatibilityAppraiser
------------MostRestrictiveSetting
--------WerConnectionReport
```
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/Win32CompatibilityAppraiser**
The root node for the Win32CompatibilityAppraiser configuration service provider.
<a href="" id="compatibilityappraiser"></a>**CompatibilityAppraiser**
This represents the state of the Compatibility Appraiser.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis**
This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-commercialid"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId**
The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
Value type is string. Supported operation is Get.
Value type is string.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosiscommercialidsetandvalid"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid**
A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-alltargetosversionsrequested"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested**
A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-osskuisvalidforappraiser"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser**
A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-appraisercodeanddataversionsaboveminimum"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum**
An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data.
The values are:
- 0 == Neither the code nor data is of a sufficient version
- 1 == The code version is insufficient but the data version is sufficient
- 2 == The code version is sufficient but the data version is insufficient
- 3 == Both the code and data are of a sufficient version
The values are:
- 0 == Neither the code nor data is of a sufficient version
- 1 == The code version is insufficient but the data version is sufficient
- 2 == The code version is sufficient but the data version is insufficient
- 3 == Both the code and data are of a sufficient version
Value type is integer. Supported operation is Get.
Value type is integer.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-rebootpending"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserrunresultreport"></a>**CompatibilityAppraiser/AppraiserRunResultReport**
This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations.
@ -106,45 +128,58 @@ This represents various settings that affect whether the Universal Telemetry Cli
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-telemetryoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn**
An integer value representing what level of telemetry will be uploaded.
Value type is integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == Security data will be sent
- 1 == Basic telemetry will be sent
- 2 == Enhanced telemetry will be sent
- 3 == Full telemetry will be sent
Supported operation is Get.
The values are:
- 0 == Security data will be sent.
- 1 == Basic telemetry will be sent.
- 2 == Enhanced telemetry will be sent.
- 3 == Full telemetry will be sent.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-commercialdataoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn**
An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload.
Value type is integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == Setting is disabled
- 1 == Setting is enabled
- 2 == Setting is not applicable to this version of Windows
Supported operation is Get.
The values are:
- 0 == Setting is disabled.
- 1 == Setting is enabled.
- 2 == Setting is not applicable to this version of Windows.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-diagtrackservicerunning"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning**
A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-msaserviceenabled"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
Value type is bool. Supported operation is Get.
Value type is bool.
Supported operation is Get.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-internetexplorertelemetryoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn**
An integer value representing what websites Internet Explorer will collect telemetry data for.
An integer value representing what websites Internet Explorer will collect telemetry data for.
Value type is integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == Telemetry collection is disabled
- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones
- 2 == Telemetry collection is enabled for internet websites and restricted website zones
- 3 == Telemetry collection is enabled for all websites
- 0x7FFFFFFF == Telemetry collection is not configured
Supported operation is Get.
The values are:
- 0 == Telemetry collection is disabled.
- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones.
- 2 == Telemetry collection is enabled for internet websites and restricted website zones.
- 3 == Telemetry collection is enabled for all websites.
- 0x7FFFFFFF == Telemetry collection is not configured.
<a href="" id="universaltelemetryclient-utcconnectionreport"></a>**UniversalTelemetryClient/UtcConnectionReport**
This provides an XML representation of the UTC connections during the most recent summary period.
@ -160,26 +195,31 @@ This represents various settings that affect whether the Windows Error Reporting
<a href="" id="windowserrorreporting-werconfigurationdiagnosis-wertelemetryoptin"></a>**WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn**
An integer value indicating the amount of WER data that will be uploaded.
Value type integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == Data will not send due to UTC opt-in
- 1 == Data will not send due to WER opt-in
- 2 == Basic WER data will send but not the complete set of data
- 3 == The complete set of WER data will send
Supported operation is Get.
The values are:
- 0 == Data will not send due to UTC opt-in.
- 1 == Data will not send due to WER opt-in.
- 2 == Basic WER data will send but not the complete set of data.
- 3 == The complete set of WER data will send.
<a href="" id="windowserrorreporting-werconfigurationdiagnosis-mostrestrictivesetting"></a>**WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting**
An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted.
Value type integer. Supported operation is Get.
Value type is integer.
The values are:
- 0 == System telemetry settings are restricting uploads
- 1 == WER basic policies are restricting uploads
- 2 == WER advanced policies are restricting uploads
- 3 == WER consent policies are restricting uploads
- 4 == There are no restrictive settings
Supported operation is Get.
The values are:
- 0 == System telemetry settings are restricting upload.
- 1 == WER basic policies are restricting uploads.
- 2 == WER advanced policies are restricting uploads.
- 3 == WER consent policies are restricting uploads.
- 4 == There are no restrictive settings.
<a href="" id="windowserrorreporting-werconnectionreport"></a>**WindowsErrorReporting/WerConnectionReport**
This provides an XML representation of the most recent WER connections of various types.
@ -190,7 +230,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### Appraiser run result report
```
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" >
<xs:annotation>
@ -362,7 +402,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### UTC connection report
```
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fusion="urn:schemas-microsoft-com:asm.v1" elementFormDefault="qualified" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<xs:annotation>
@ -440,7 +480,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### Windows Error Reporting connection report
```
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fusion="urn:schemas-microsoft-com:asm.v1" elementFormDefault="qualified" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<xs:annotation>
@ -638,3 +678,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
<xs:element name="ConnectionReport" type="ConnectionReportType"/>
</xs:schema>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

97
windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
View File

@ -14,6 +14,15 @@ ms.date: 11/01/2017
# WindowsAdvancedThreatProtection CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
@ -40,102 +49,101 @@ WindowsAdvancedThreatProtection
The following list describes the characteristics and parameters.
<a href="" id="--device-vendor-msft-windowsadvancedthreatprotection"></a>**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection**
<p>The root node for the Windows Defender Advanced Threat Protection configuration service provider.
The root node for the Windows Defender Advanced Threat Protection configuration service provider.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="onboarding"></a>**Onboarding**
<p>Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="healthstate"></a>**HealthState**
<p>Node that represents the Windows Defender Advanced Threat Protection health state.
Node that represents the Windows Defender Advanced Threat Protection health state.
<a href="" id="healthstate-lastconnected"></a>**HealthState/LastConnected**
<p>Contains the timestamp of the last successful connection.
Contains the timestamp of the last successful connection.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="healthstate-senseisrunning"></a>**HealthState/SenseIsRunning**
<p>Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
<p>The default value is false.
The default value is false.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="healthstate-onboardingstate"></a>**HealthState/OnboardingState**
<p>Represents the onboarding state.
Represents the onboarding state.
<p>Supported operation is Get.
Supported operation is Get.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Not onboarded.
- 1 Onboarded
- 0 (default) Not onboarded.
- 1 Onboarded
<a href="" id="healthstate-orgid"></a>**HealthState/OrgId**
<p>String that represents the OrgID.
String that represents the OrgID.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="configuration"></a>**Configuration**
<p>Represents Windows Defender Advanced Threat Protection configuration.
Represents Windows Defender Advanced Threat Protection configuration.
<a href="" id="configuration-samplesharing"></a>**Configuration/SampleSharing**
<p>Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 None
- 1 (default) All
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="configuration-telemetryreportingfrequency"></a>**Configuration/TelemetryReportingFrequency**
<p>Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
<p>The following list shows the supported values:
The following list shows the supported values:
- 1 (default) Normal
- 2 - Expedite
- 1 (default) Normal
- 2 - Expedite
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="offboarding"></a>**Offboarding**
<p>Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="devicetagging"></a>**DeviceTagging**
<p>Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
<p>Supported operations is Get.
Supported operations is Get.
<a href="" id="group"></a>**DeviceTagging/Group**
<p>Added in Windows 10, version 1709. Device group identifiers.
Added in Windows 10, version 1709. Device group identifiers.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<a href="" id="criticality"></a>**DeviceTagging/Criticality**
<p>Added in Windows 10, version 1709. Asset criticality value. Supported values:
Added in Windows 10, version 1709. Asset criticality value. Supported values:
- 0 - Normal
- 1 - Critical
<p>The data type is an integer.
The data type is an integer.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
## Examples
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -246,15 +254,4 @@ The following list describes the characteristics and parameters.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

17
windows/client-management/mdm/windowsautopilot-csp.md
View File

@ -14,11 +14,20 @@ ms.date: 02/07/2022
# WindowsAutoPilot CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level.
The WindowsAutopilot CSP exposes Windows Autopilot related device information. The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.
**./Vendor/MSFT/WindowsAutopilot**
@ -27,3 +36,7 @@ Root node. Supported operation is Get.
**HardwareMismatchRemediationData**
Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

187
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -13,9 +13,20 @@ manager: dansimp
# WindowsDefenderApplicationGuard CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
```
./Device/Vendor/MSFT
WindowsDefenderApplicationGuard
@ -36,6 +47,7 @@ WindowsDefenderApplicationGuard
----Audit
--------AuditApplicationGuard
```
<a href="" id="windowsdefenderapplicationguard"></a>**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
Root node. Supported operation is Get.
@ -43,30 +55,37 @@ Root node. Supported operation is Get.
Interior node. Supported operation is Get.
<a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard**
Turn on Microsoft Defender Application Guard in Enterprise Mode.
Turn on Microsoft Defender Application Guard in Enterprise Mode.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
- 0 - Disable Microsoft Defender Application Guard
- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY
- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004)
- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004)
- 0 - Disable Microsoft Defender Application Guard.
- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY.
- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004).
- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004).
<a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**
Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 1 - Allow text copying.
- 2 - Allow image copying.
- 3 - Allow text and image copying.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardFileType*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -76,21 +95,25 @@ ADMX Info:
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**
This policy setting allows you to decide how the clipboard behaves while in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
The following list shows the supported values:
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On clipboard operation from an isolated session to the host.
- 2 - Turns On clipboard operation from the host to an isolated session.
- 3 - Turns On clipboard operation in both the directions.
> [!IMPORTANT]
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -98,13 +121,16 @@ ADMX Info:
<!--/ADMXMapped-->
<a href="" id="printingsettings"></a>**Settings/PrintingSettings**
This policy setting allows you to decide how the print functionality behaves while in Application Guard.
This policy setting allows you to decide how the print functionality behaves while in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Disables all print functionality.
- 1 - Enables only XPS printing.
- 2 - Enables only PDF printing.
@ -123,7 +149,8 @@ The following list shows the supported values:
- 15 - Enables all printing.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Configure Microsoft Defender Application Guard print settings*
- GP name: *AppHVSIPrintingSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -133,11 +160,14 @@ ADMX Info:
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
@ -145,7 +175,8 @@ The following list shows the supported values:
> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP name: *BlockNonEnterpriseContent*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -155,16 +186,20 @@ ADMX Info:
<a href="" id="allowpersistence"></a>**Settings/AllowPersistence**
This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard*
- GP name: *AllowPersistence*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -172,15 +207,18 @@ ADMX Info:
<!--/ADMXMapped-->
<a href="" id="allowvirtualgpu"></a>**Settings/AllowVirtualGPU**
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
The following list shows the supported values:
The following list shows the supported values:
- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.
@ -188,7 +226,8 @@ The following list shows the supported values:
> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP name: *AllowVirtualGPU*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -196,18 +235,22 @@ ADMX Info:
<!--/ADMXMapped-->
<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container.
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP name: *SaveFilesToHost*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -217,9 +260,11 @@ ADMX Info:
<a href="" id="certificatethumbprints"></a>**Settings/CertificateThumbprints**
Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.
@ -229,7 +274,8 @@ b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda92
If you disable or dont configure this setting, certificates are not shared with the Microsoft Defender Application Guard container.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP name: *CertificateThumbprints*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -242,15 +288,18 @@ ADMX Info:
<a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the users device.
If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the users device.
The following list shows the supported values:
The following list shows the supported values:
- 0 (default) - Microsoft Defender Application Guard cannot access the devices camera and microphone. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the devices camera and microphone.
@ -258,7 +307,8 @@ The following list shows the supported values:
> If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP name: *AllowCameraMicrophoneRedirection*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@ -268,22 +318,26 @@ ADMX Info:
<a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device.
Value type is integer. Supported operation is Get.
Value type is integer.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
> [!IMPORTANT]
> If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
> [!IMPORTANT]
> If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
<a href="" id="platformstatus"></a>**PlatformStatus**
Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
Value type is integer. Supported operation is Get.
Value type is integer.
Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
@ -297,7 +351,8 @@ Initiates remote installation of Application Guard feature.
Supported operations are Get and Execute.
The following list shows the supported values:
The following list shows the supported values:
- Install - Will initiate feature install.
- Uninstall - Will initiate feature uninstall.
@ -305,20 +360,28 @@ The following list shows the supported values:
Interior node. Supported operation is Get.
<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**
This policy setting allows you to decide whether auditing events can be collected from Application Guard.
This policy setting allows you to decide whether auditing events can be collected from Application Guard.
Value type in integer. Supported operations are Add, Get, Replace, and Delete.
Value type in integer.
This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
This policy setting is supported on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard*
- GP name: *AuditApplicationGuard*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

86
windows/client-management/mdm/windowslicensing-csp.md
View File

@ -14,6 +14,16 @@ ms.date: 08/15/2018
# WindowsLicensing CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@ -40,6 +50,7 @@ WindowsLicensing
--------SwitchFromSMode (Added in Windows 10, version 1809)
--------Status (Added in Windows 10, version 1809)
```
<a href="" id="--device-vendor-msft-windowslicensing"></a>**./Device/Vendor/MSFT/WindowsLicensing**
This is the root node for the WindowsLicensing configuration service provider.
@ -51,21 +62,17 @@ Enters a product key for an edition upgrade of Windows 10 desktop devices.
> [!NOTE]
> This upgrade process requires a system restart.
The date type is a chr.
The supported operation is Exec.
When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or, after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart.
When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart.
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
> [!IMPORTANT]
> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail.
If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart.
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
@ -75,24 +82,22 @@ This node can also be used to activate or change a product key on a particular e
> [!IMPORTANT]
> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal.
The following are valid edition upgrade paths when using this node through an MDM:
- Windows 10 Enterprise to Windows 10 Education
- Windows 10 Home to Windows 10 Education
- Windows 10 Pro to Windows 10 Education
- Windows 10 Pro to Windows 10 Enterprise
- Windows 10/Windows 11 Enterprise to Windows 10/ Windows 11 Education
- Windows 10/Windows 11 Home to Windows 10/Windows 11 Education
- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Education
- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Enterprise
Activation or changing a product key can be carried out on the following editions:
- Windows 10 Education
- Windows 10 Enterprise
- Windows 10 Home
- Windows 10 Pro
- Windows 10/Windows 11 Education
- Windows 10/Windows 11 Enterprise
- Windows 10/Windows 11 Home
- Windows 10/Windows 11 Pro
<a href="" id="edition"></a>**Edition**
Returns a value that maps to the Windows 10 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
Returns a value that maps to the Windows 10 or Windows 11 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
The data type is an Int.
@ -101,11 +106,11 @@ The supported operation is Get.
<a href="" id="status"></a>**Status**
Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values:
- 0 = Failed
- 1 = Pending
- 2 = In progress
- 3 = Completed
- 4 = Unknown
- 0 = Failed
- 1 = Pending
- 2 = In progress
- 3 = Completed
- 4 = Unknown
The data type is an Int.
@ -136,23 +141,23 @@ The following are valid edition upgrade paths when using this node through an MD
-->
<a href="" id="licensekeytype"></a>**LicenseKeyType**
Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change.
Returns the parameter type used by Windows 10 or Windows 11 devices for an edition upgrade, activation, or product key change.
- Windows 10 client devices require a product key.
- Windows 10 or Windows 11 client devices require a product key.
The data type is a chr.
The supported operation is Get.
<a href="" id="checkapplicability"></a>**CheckApplicability**
Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 for desktop devices.
Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 or Windows 11 for desktop devices.
The data type is a chr.
The supported operation is Exec.
<a href="" id="changeproductkey"></a>**ChangeProductKey**
Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Does not reboot.
Added in Windows 10, version 1703. Installs a product key for Windows 10 or Windows 11 desktop devices. Does not reboot.
The data type is a chr.
@ -184,32 +189,37 @@ Interior node for managing S mode.
<a href="" id="smode-switchingpolicy"></a>**SMode/SwitchingPolicy**
Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
Supported values:
- 0 - No Restriction: The user is allowed to switch the device out of S mode.
- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
Supported operations are Add, Get, Replace, and Delete.
Supported values:
- 0 - No Restriction: The user is allowed to switch the device out of S mode.
- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
<a href="" id="smode-switchfromsmode"></a>**SMode/SwitchFromSMode**
Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
Supported operation is Execute.
<a href="" id="smode-status"></a>**SMode/Status**
<a href="" id="smode-status"></a>**SMode/Status**
Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example)
Value type is integer. Supported operation is Get.
Value type is integer.
Supported operation is Get.
Values:
- Request fails with error code 404 - no SwitchFromSMode request has been made.
- 0 - The device successfully switched out of S mode
- 1 - The device is processing the request to switch out of S mode
- 3 - The device was already switched out of S mode
- 4 - The device failed to switch out of S mode
- Request fails with error code 404 - no SwitchFromSMode request has been made.
- 0 - The device successfully switched out of S mode.
- 1 - The device is processing the request to switch out of S mode.
- 3 - The device was already switched out of S mode.
- 4 - The device failed to switch out of S mode.
## SyncML examples
**CheckApplicability**
```xml
@ -235,8 +245,6 @@ Values:
> [!NOTE]
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.
**Edition**
```xml