From 211e1eb553c1e1f0ab815612fd6ee081ead7da7a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 10:16:06 -0700 Subject: [PATCH 1/7] Update policy-csp-settings.md --- windows/client-management/mdm/policy-csp-settings.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 4a109d3361..75491097c1 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -177,6 +177,9 @@ The following list shows the supported values: Allows the user to change Data Sense settings. +> [!NOTE] +> This policy is not supported on Windows 10, version 2004 and later. + The following list shows the supported values: From cabc06b7e02f04c2b5084b17f0ef8d70ae064c06 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 10:18:43 -0700 Subject: [PATCH 2/7] Update policy-csp-settings.md --- windows/client-management/mdm/policy-csp-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 75491097c1..7152934f2d 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -178,7 +178,7 @@ The following list shows the supported values: Allows the user to change Data Sense settings. > [!NOTE] -> This policy is not supported on Windows 10, version 2004 and later. +> The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later. From 075cbe27a52e03b16f96d6b0c27e22bb2645ebc6 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 11:34:25 -0700 Subject: [PATCH 3/7] Update quick-fixes.md --- windows/deployment/upgrade/quick-fixes.md | 71 ----------------------- 1 file changed, 71 deletions(-) 
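Review bot: the `[!NOTE]` that PATCH 1/7 adds under AllowDataSense and PATCH 2/7 rewords does not say what a device on Windows 10, version 2004 or later does when an MDM profile still sets the policy. "Not supported" leaves an administrator unable to tell whether the restriction is ignored or rejected. Suggest stating the resulting behaviour in the note and, if a replacement control exists, naming it. The two commits change the same line within three minutes of each other and could be squashed so that history carries only the final wording.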
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 8aafc8f67d..d9c4e34fd7 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -39,7 +39,6 @@ The Microsoft Virtual Agent provided by [Microsoft Support](https://support.micr
  • Check the system drive for errors and attempt repairs. More information.
  • Run the Windows Update troubleshooter. More information.
  • Attempt to restore and repair system files. More information.
  • -
  • Check for unsigned drivers and update or repair them. More information.
  • Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
  • Temporarily uninstall non-Microsoft antivirus software. More information.
  • 
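Review bot: removing the "Check for unsigned drivers and update or repair them" bullet takes the driver-signature check out of this quick-fix list, and the subject ("Update quick-fixes.md") gives no reason for it. The section deleted in the next hunk states that improperly signed *.sys drivers "frequently block the upgrade process", so if the procedure is being retired, the list should say what replaces it. Also, resolution-procedures.md keeps linking to quick-fixes.md#repair-unsigned-drivers until PATCH 4/7, so this commit on its own leaves two dangling anchors; consider merging the two commits.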
@@ -156,76 +155,6 @@ To check and repair system files: > [!NOTE] > It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) and [Use the System File Checker tool](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system). - -### Repair unsigned drivers - -[Drivers](/windows-hardware/drivers/gettingstarted/what-is-a-driver-) are files ending in *.dll or *.sys that are used to communicate with hardware components. Because drivers are so important, they are cryptographically signed to ensure they are genuine. Drivers with a *.sys extension that are not properly signed frequently block the upgrade process. Drivers might not be properly signed if you: -- Disabled driver signature verification (highly not recommended). -- A catalog file used to sign a driver is corrupt or missing. - - Catalog files (files with a *.cat extension) are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver. All drivers should be signed to ensure the upgrade process works. - -To check your system for unsigned drivers: - -1. Click **Start**. -2. Type **command**. -3. Right-click **Command Prompt** and then left-click **Run as administrator**. -4. If you are prompted by UAC, click **Yes**. -5. Type **sigverif** and press ENTER. -6. The File Signature Verification tool will open. Click **Start**. - - ![File Signature Verification.](../images/sigverif.png) - -7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. 
Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers. -8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired. -9. Locate drivers in the log file that are unsigned, write down the location and file names. Also write down the catalog that is associated to the driver if it is provided. If the name of a catalog file is not provided you might need to analyze another device that has the same driver with sigverif and sigcheck (described below). -10. The next step is to check that the driver reported as unsigned by sigverif.exe has a problem. In some cases, sigverif.exe might not be successful at locating the catalog file used to sign a driver, even though the catalog file exists. To perform a detailed driver check, download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**. - - [Sigcheck](/sysinternals/downloads/sigcheck) is a tool that you can download and use to review digital signature details of a file. To use sigcheck: - -11. In the command window, use the **cd** command to switch to the directory where you extracted sigcheck, for example **cd c:\sigcheck**. -12. Using the list of unsigned drivers and their associated paths that you obtained from the File Signature Verification tool, run sigcheck to obtain details about the driver, including the catalog file used for signing. Type **sigcheck64 -i \** and press ENTER (or sigcheck -i for a 32 bit OS). 
See the following example: - ``` - C:\Sigcheck>sigcheck64.exe -i c:\windows\system32\drivers\afd.sys - - Sigcheck v2.80 - File version and signature viewer - Copyright (C) 2004-2020 Mark Russinovich - Sysinternals - www.sysinternals.com - - c:\windows\system32\drivers\afd.sys: - Verified: Signed - Signing date: 6:18 PM 11/29/2017 - Signing date: 6:18 PM 11/29/2017 - Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat - Signers: - Microsoft Windows - Cert Status: This certificate or one of the certificates in the certificate chain is not time valid. - Valid Usage: NT5 Crypto, Code Signing - Cert Issuer: Microsoft Windows Verification PCA - Serial Number: 33 00 00 00 4B 76 63 2D 24 A2 39 9A 8B 00 01 00 00 00 4B - Thumbprint: B8037C46D0DB7A8CEE502407469B0EE3234D3365 - Algorithm: sha1RSA - Valid from: 11:46 AM 3/1/2017 - Valid to: 11:46 AM 5/9/2018 - (output truncated) - ``` - In the example above, the afd.sys driver is properly signed by the catalog file Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat. - - -13. Optionally, you can generate a list of drivers using driverquery.exe, which is included with Windows. To save a list of signed and unsigned drivers with driverquery, type **driverquery /si > c:\drivers.txt** and press ENTER. See the following example: - - ```cmd - C:\>Driverquery /si - - DeviceName InfName IsSigned Manufacturer - ============================== ============= ======== ========================= - Microsoft ISATAP Adapter nettun.inf TRUE Microsoft - Generic volume shadow copy volsnap.inf TRUE Microsoft - Generic volume volume.inf TRUE Microsoft - (truncated) - ``` - For more information about using driverquery, see [Two Minute Drill: DriverQuery.exe](https://techcommunity.microsoft.com/t5/ask-the-performance-team/two-minute-drill-driverquery-exe/ba-p/374977) and [driverquery](/windows-server/administration/windows-commands/driverquery). 
- ### Update Windows You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer. From 6e52b7eeecd44c49dc03fab2bd3c0b842d68e7ab Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 11:41:32 -0700 Subject: [PATCH 4/7] remove link --- windows/deployment/upgrade/resolution-procedures.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 926355e4cc..9752ac670c 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -36,7 +36,7 @@ A frequently observed [result code](upgrade-error-codes.md#result-codes) is 0xC1 The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). -To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. Also check to be sure that your drivers are properly signed. For more information, see [Remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers). +To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. See the following general troubleshooting procedures associated with a result code of 0xC1900101:

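Review bot: the removed line in this hunk drops more than the link. The sentence "Also check to be sure that your drivers are properly signed" goes with it, while the subject says only "remove link". That advice does not depend on the deleted quick-fixes section, so consider keeping the sentence and removing just the `[Remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers)` reference, or say in the commit message that the guidance is being withdrawn on purpose.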
    @@ -49,7 +49,7 @@ See the following general troubleshooting procedures associated with a result co | 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
    Contact your hardware vendor to obtain updated device drivers.
    Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. | | 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
    Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
    This can occur due to a problem with a display driver. | | 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
    Review the rollback log and determine the stop code.
    The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases:
     
    Info SP Crash 0x0000007E detected
    Info SP Module name :
    Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
    Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
    Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
    Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
    Info SP Cannot recover the system.
    Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
     
    Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
     
    1. Make sure you have enough disk space.
    2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
    3. Try changing video adapters.
    4. Check with your hardware vendor for any BIOS updates.
    5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.
    Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
    This can occur because of incompatible drivers. | -| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
     
    Ensure that you select the option to "Download and install updates (recommended)." Also be sure to [remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers).
     
    Computers that run Citrix VDA
    You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
     
    This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
     
    **Resolution**
     
    To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
     
    You can work around this problem in two ways:
     
    **Workaround 1**
     
    1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
    2. Run the Windows upgrade again.
    3. Reinstall Citrix VDA.
     
    **Workaround 2**
     
    If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
     
    1. In Registry Editor, go to the following subkey:
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
    2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
    3. Go to the following subkey:
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
    4. Delete the **CtxMcsWbc** entry.
    5. Restart the computer, and then try the upgrade again.
     
    **Non-Microsoft information disclaimer**
    The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
    This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. | +| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
    Ensure that you select the option to "Download and install updates (recommended)."
     
    Computers that run Citrix VDA
    You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
     
    This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
     
    **Resolution**
     
    To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
     
    You can work around this problem in two ways:
     
    **Workaround 1**
     
    1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
    2. Run the Windows upgrade again.
    3. Reinstall Citrix VDA.
     
    **Workaround 2**
     
    If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
     
    1. In Registry Editor, go to the following subkey:
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
    2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
    3. Go to the following subkey:
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
    4. Delete the **CtxMcsWbc** entry.
    5. Restart the computer, and then try the upgrade again.
     
    **Non-Microsoft information disclaimer**
    The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
    This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. | ## 0x800xxxxx From e290767023c698f17082d5fdda56953c4d7fd112 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 12:01:19 -0700 Subject: [PATCH 5/7] tweaks --- .../upgrade/resolve-windows-10-upgrade-errors.md | 2 +- .../deployment/upgrade/troubleshoot-upgrade-errors.md | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index b22dd3682c..24ed5c4e2b 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -25,7 +25,7 @@ ms.topic: article This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. -The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. +The article has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. The following four levels are assigned: diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index bdb7e4814a..aa3ccead81 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -20,12 +20,15 @@ ms.topic: article **Applies to** - Windows 10 ->[!NOTE] ->This is a 300 level topic (moderately advanced).
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +> [!NOTE] +> This is a 300 level topic (moderately advanced).
    +> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. +> [!IMPORTANT] +> Use the [SetupDiag](setupdiag.md) tool before you begin manually troubleshooting an upgrade error. SetupDiag automates log file analysis, detecting and reporting details on many different types of known upgrade issues. + Briefly, the upgrade process consists of four phases that are controlled by [Windows Setup](/windows-hardware/manufacture/desktop/windows-setup-technical-reference): **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. From ccda6e6778f7ad2a143995ff58cd58798d418273 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 12:05:07 -0700 Subject: [PATCH 6/7] alt text --- windows/deployment/upgrade/troubleshoot-upgrade-errors.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index aa3ccead81..d8183e1f62 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md 
@@ -76,11 +76,11 @@ When performing an operating system upgrade, Windows Setup uses phases described At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - ![second boot phase.](../images/secondboot.png) + ![second boot phase 1](../images/secondboot.png) - ![second boot phase.](../images/secondboot2.png) + ![second boot phase 2](../images/secondboot2.png) - ![second boot phase.](../images/secondboot3.png) + ![second boot phase 3](../images/secondboot3.png) 5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. From 7c48aa5062c1c8c73e0d1f79034975a7d86de068 Mon Sep 17 00:00:00 2001 
From: David Strome Date: Fri, 27 Aug 2021 15:09:49 -0700 Subject: [PATCH 7/7] remove disallowed html attributes --- .../ie11-deploy-guide/img-ie11-docmode-lg.md | 2 +- .../educator-tib-get-started.md | 2 +- education/trial-in-a-box/index.md | 2 +- .../trial-in-a-box/itadmin-tib-get-started.md | 2 +- .../windows/chromebook-migration-guide.md | 2 +- ...e-active-directory-integration-with-mdm.md | 440 +++++++-------- .../mdm/cellularsettings-csp.md | 4 +- .../change-history-for-mdm-documentation.md | 304 +++++------ windows/client-management/mdm/cleanpc-csp.md | 10 +- .../mdm/cm-cellularentries-csp.md | 78 +-- .../mdm/developersetup-csp.md | 34 +- .../mdm/device-update-management.md | 266 +++++----- .../mdm/dmprocessconfigxmlfiltered.md | 52 +- .../mdm/dmsessionactions-csp.md | 34 +- .../mdm/dynamicmanagement-csp.md | 44 +- .../mdm/enterpriseapn-csp.md | 70 +-- .../mdm/enterpriseappvmanagement-csp.md | 80 +-- .../mdm/enterpriseextfilessystem-csp.md | 20 +- windows/client-management/mdm/firewall-csp.md | 260 ++++----- .../mdm/healthattestation-csp.md | 500 +++++++++--------- ...ent-tool-for-windows-store-for-business.md | 8 +- .../client-management/mdm/messaging-csp.md | 28 +- .../mdm/mobile-device-enrollment.md | 126 ++--- .../mdm/networkqospolicy-csp.md | 56 +- .../mdm/oma-dm-protocol-support.md | 138 ++--- .../mdm/personalization-csp.md | 18 +- .../policy-configuration-service-provider.md | 58 +- .../mdm/policy-csp-devicelock.md | 26 +- .../mdm/policy-csp-system.md | 18 +- .../mdm/policy-csp-update.md | 26 +- windows/client-management/mdm/reboot-csp.md | 22 +- .../client-management/mdm/remotelock-csp.md | 2 +- .../client-management/mdm/surfacehub-csp.md | 214 ++++---- .../client-management/mdm/tpmpolicy-csp.md | 4 +- windows/client-management/mdm/update-csp.md | 96 ++-- .../windowsadvancedthreatprotection-csp.md | 68 +-- windows/configuration/kiosk-single-app.md | 16 +- .../provisioning-configure-mobile.md | 8 +- .../provision-pcs-for-initial-deployment.md | 12 +- 
...anging-the-frequency-of-scheduled-tasks.md | 2 +- windows/deployment/mbr-to-gpt.md | 2 +- windows/deployment/upgrade/log-files.md | 8 +- .../deployment/upgrade/upgrade-error-codes.md | 84 +-- .../usmt/offline-migration-reference.md | 4 +- .../usmt/understanding-migration-xml-files.md | 6 +- .../usmt/usmt-conflicts-and-precedence.md | 6 +- .../usmt/usmt-custom-xml-examples.md | 14 +- .../usmt/usmt-xml-elements-library.md | 2 +- .../windows-10-deployment-scenarios.md | 58 +- windows/deployment/windows-10-poc-mdt.md | 6 +- windows/deployment/windows-10-poc.md | 122 ++--- .../demonstrate-deployment-on-vm.md | 2 +- .../threat-protection/fips-140-validation.md | 288 +++++----- .../document-your-applocker-rules.md | 2 +- .../plan-for-applocker-policy-management.md | 2 +- ...ements-for-deploying-applocker-policies.md | 2 +- 56 files changed, 1880 insertions(+), 1880 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md index 30de0a2c97..a285c99103 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md +++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md @@ -16,7 +16,7 @@ ms.author: dansimp Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
    -

    +

    Full-sized flowchart detailing how document modes are chosen in IE11

    diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index bbf1be6015..92cf989109 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -20,7 +20,7 @@ manager: dansimp ![Welcome, Educators!](images/Welocme-Educators.png) -This guide shows you how to quickly and easily try a few transformational tools from Microsoft Education in 5 quick steps. +This guide shows you how to quickly and easily try a few transformational tools from Microsoft Education in 5 quick steps. | Tool | Description | | :---: |:--- | diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 5f1c865bce..2ea43581c9 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -30,7 +30,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea | [![Get started for Educators.](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) | | :---: | :---: | -| **Educator**
    Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills.
    [Get started](educator-tib-get-started.md) | **IT Admin**
    Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage.
    [Get started](itadmin-tib-get-started.md) | +| **Educator**
    Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills.
    [Get started](educator-tib-get-started.md) | **IT Admin**
    Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage.
    [Get started](itadmin-tib-get-started.md) | diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index d0ba6a05b3..911f893986 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -20,7 +20,7 @@ manager: dansimp ![Welcome, IT Admins!](images/Welcome-IT-Admins.png) -Learn how to quickly deploy and manage devices for your school in 5 quick steps. +Learn how to quickly deploy and manage devices for your school in 5 quick steps. |  |  | | :---: |:--- | diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index d927aef072..2fb2324ddc 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -497,7 +497,7 @@ Table 6 is a decision matrix that lists the device, user, and app management pro Table 6. Device, user, and app management products and technologies - +
    diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 97f22aae88..a65935c948 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -195,24 +195,24 @@ The following table shows the required information to create an entry in the Azu - - + + - - + + - - + + - - + + - - + +

    Application ID

    The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.

    Application ID

    The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.

    Publisher

    A string that identifies the publisher of the app.

    Publisher

    A string that identifies the publisher of the app.

    Application URL

    A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.

    Application URL

    A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.

    Description

    A brief description of your MDM app, which must be under 255 characters.

    Description

    A brief description of your MDM app, which must be under 255 characters.

    Icons

    A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215

    Icons

    A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215

    @@ -261,19 +261,19 @@ An MDM page must adhere to a predefined theme depending on the scenario that is -FRX -OOBE -Dark theme + blue background color -Filename: Ui-dark.css -Filename: oobe-dekstop.css +FRX +OOBE +Dark theme + blue background color +Filename: Ui-dark.css +Filename: oobe-dekstop.css -MOSET -Settings/ +MOSET +Settings/

    Post OOBE

    -Light theme -Filename: Ui-light.css -Filename: settings-desktop.css +Light theme +Filename: Ui-light.css +Filename: settings-desktop.css @@ -302,20 +302,20 @@ The following parameters are passed in the query string: -

    redirect_uri

    -

    After the user accepts or rejects the Terms of Use, the user is redirected to this URL.

    +

    redirect_uri

    +

    After the user accepts or rejects the Terms of Use, the user is redirected to this URL.

    -

    client-request-id

    -

    A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.

    +

    client-request-id

    +

    A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.

    -

    api-version

    -

    Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.

    +

    api-version

    +

    Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.

    -

    mode

    -

    Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.

    +

    mode

    +

    Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.
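
Review bot: Parameter naming in this table is mixed: "redirect_uri" uses an underscore while "client-request-id" and "api-version" use hyphens. If that is exactly what appears in the query string, say so under the table, because implementers copy these names literally. The redirect_uri row also only says the user "is redirected to this URL"; it should state whether the Terms of Use endpoint is expected to validate that value before redirecting to it.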

    @@ -342,20 +342,20 @@ The following claims are expected in the access token passed by Windows to the T -

    Object ID

    -

    Identifier of the user object corresponding to the authenticated user.

    +

    Object ID

    +

    Identifier of the user object corresponding to the authenticated user.

    -

    UPN

    -

    A claim containing the user principal name (UPN) of the authenticated user.

    +

    UPN

    +

    A claim containing the user principal name (UPN) of the authenticated user.

    -

    TID

    -

    A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.

    +

    TID

    +

    A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.

    -

    Resource

    -

    A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com.

    +

    Resource

    +

    A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com.
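
Review bot: The TID row reads "A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam." The first sentence is circular, and "Fabrikam" is a tenant name rather than an ID, so the row leaves it unclear what value the claim actually holds. Suggest rewording to say what the claim contains and what a receiver should compare it against. In the Resource row, "Example, https://fabrikam.contosomdm.com." should read "For example, ...".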

    @@ -438,28 +438,28 @@ The following table shows the error codes. -

    api-version

    -

    302

    -

    invalid_request

    -

    unsupported version

    +

    api-version

    +

    302

    +

    invalid_request

    +

    unsupported version

    -

    Tenant or user data are missing or other required prerequisites for device enrollment are not met

    -

    302

    -

    unauthorized_client

    -

    unauthorized user or tenant

    +

    Tenant or user data are missing or other required prerequisites for device enrollment are not met

    +

    302

    +

    unauthorized_client

    +

    unauthorized user or tenant

    -

    Azure AD token validation failed

    -

    302

    -

    unauthorized_client

    -

    unauthorized_client

    +

    Azure AD token validation failed

    +

    302

    +

    unauthorized_client

    +

    unauthorized_client

    -

    internal service error

    -

    302

    -

    server_error

    -

    internal service error

    +

    internal service error

    +

    302

    +

    server_error

    +

    internal service error
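
Review bot: In the "Azure AD token validation failed" row the description column repeats the error code, "unauthorized_client", where every other row gives a readable description ("unsupported version", "unauthorized user or tenant", "internal service error"). Replace it with a description of the failure so that this row can be told apart from the "unauthorized user or tenant" row, which returns the same code.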

    @@ -486,104 +486,104 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov -

    MDM auto-discovery using email address to retrieve MDM discovery URL

    -

    Enrollment

    -

    Not applicable

    +

    MDM auto-discovery using email address to retrieve MDM discovery URL

    +

    Enrollment

    +

    Not applicable

    Discovery URL provisioned in Azure

    -

    +

    -

    Uses MDM discovery URL

    -

    Enrollment

    +

    Uses MDM discovery URL

    +

    Enrollment

    Enrollment renewal

    ROBO

    -

    Enrollment

    +

    Enrollment

    Enrollment renewal

    ROBO

    -

    Enrollment

    +

    Enrollment

    Enrollment renewal

    ROBO

    -

    Is MDM enrollment required?

    -

    Yes

    -

    Yes

    -

    No

    +

    Is MDM enrollment required?

    +

    Yes

    +

    Yes

    +

    No

    User can decline.

    -

    Authentication type

    -

    OnPremise

    +

    Authentication type

    +

    OnPremise

    Federated

    Certificate

    -

    Federated

    -

    Federated

    +

    Federated

    +

    Federated

    -

    EnrollmentPolicyServiceURL

    -

    Optional (all auth)

    -

    Optional (all auth)

    +

    EnrollmentPolicyServiceURL

    +

    Optional (all auth)

    +

    Optional (all auth)

    -

    Optional (all auth)

    +

    Optional (all auth)

    -

    EnrollmentServiceURL

    -

    Required (all auth)

    -

    Used (all auth)

    -

    Used (all auth)

    +

    EnrollmentServiceURL

    +

    Required (all auth)

    +

    Used (all auth)

    +

    Used (all auth)

    -

    EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL

    -

    Highly recommended

    -

    Highly recommended

    -

    Highly recommended

    +

    EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL

    +

    Highly recommended

    +

    Highly recommended

    +

    Highly recommended

    -

    AuthenticationServiceURL used

    -

    Used (Federated auth)

    -

    Skipped

    -

    Skipped

    +

    AuthenticationServiceURL used

    +

    Used (Federated auth)

    +

    Skipped

    +

    Skipped

    -

    BinarySecurityToken

    -

    Custom per MDM

    -

    Azure AD issued token

    -

    Azure AD issued token

    +

    BinarySecurityToken

    +

    Custom per MDM

    +

    Azure AD issued token

    +

    Azure AD issued token

    -

    EnrollmentType

    -

    Full

    -

    Device

    -

    Full

    +

    EnrollmentType

    +

    Full

    +

    Device

    +

    Full

    -

    Enrolled certificate type

    -

    User certificate

    -

    Device certificate

    -

    User certificate

    +

    Enrolled certificate type

    +

    User certificate

    +

    Device certificate

    +

    User certificate

    -

    Enrolled certificate store

    -

    My/User

    -

    My/System

    -

    My/User

    +

    Enrolled certificate store

    +

    My/User

    +

    My/System

    +

    My/User

    -

    CSR subject name

    -

    User Principal Name

    -

    Device ID

    -

    User Principal Name

    +

    CSR subject name

    +

    User Principal Name

    +

    Device ID

    +

    User Principal Name

    -

    EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL

    -

    Not supported

    -

    Supported

    -

    Supported

    +

    EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL

    +

    Not supported

    +

    Supported

    +

    Supported

    -

    CSPs accessible during enrollment

    -

    Windows 10 support:

    +

    CSPs accessible during enrollment

    +

    Windows 10 support:

    • DMClient
    • CertificateStore
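
Review bot: The EnrollmentServiceURL row uses "Required (all auth)" in one column and "Used (all auth)" in the other two without explaining the difference; a reader cannot tell whether "Used" means optional. The rows that list "ROBO" also never expand the abbreviation. Define both terms once near the table. The BinarySecurityToken row ("Custom per MDM" versus "Azure AD issued token") would benefit from a pointer to where the token validation requirements are described.
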
    • @@ -598,8 +598,8 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
      • EnterpriseAppManagement (Windows Phone 8.1)
      -

      same as traditional MDM enrollment

      -

      same as traditional MDM enrollment

      +

      same as traditional MDM enrollment

      +

      same as traditional MDM enrollment

      @@ -751,184 +751,184 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di -0x80180001 -"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180001 +"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180002 -"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180002 +"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180003 -"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR -

      This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180003 +"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR +

      This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180004 -"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR -

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180004 +"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR +

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180005 -"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180005 +"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180006 -"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180006 +"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180007 -"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180007 +"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180008 -"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180008 +"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180009 -"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS -

      Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180009 +"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS +

      Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.

      -0x8018000A -"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED -

      This device is already enrolled. You can contact your system administrator with the error code {0}.

      +0x8018000A +"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED +

      This device is already enrolled. You can contact your system administrator with the error code {0}.

      -0x8018000D -"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID -

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      +0x8018000D +"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID +

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      -0x8018000E -"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x8018000E +"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x8018000F -"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x8018000F +"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180010 -"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180010 +"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180012 -"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT -

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180012 +"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT +

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180013 -"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED -

      Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

      +0x80180013 +"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED +

      Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

      -0x80180014 -"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED -

      This feature is not supported. Contact your system administrator with the error code {0}.

      +0x80180014 +"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED +

      This feature is not supported. Contact your system administrator with the error code {0}.

      -0x80180015 -"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED -

      This feature is not supported. Contact your system administrator with the error code {0}.

      +0x80180015 +"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED +

      This feature is not supported. Contact your system administrator with the error code {0}.

      -0x80180016 -"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW -

      The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180016 +"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW +

      The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180017 -"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE -

      The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.

      +0x80180017 +"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE +

      The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.

      -0x80180018 -"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE -

      There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180018 +"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE +

      There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180019 -"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID -

      Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180019 +"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID +

      Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.

      -"rejectedTermsOfUse" -"idErrorRejectedTermsOfUse" -

      Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.

      +"rejectedTermsOfUse" +"idErrorRejectedTermsOfUse" +

      Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.

      -0x801c0001 -"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x801c0001 +"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x801c0002 -"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0002 +"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x801c0003 -"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR -

      This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0003 +"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR +

      This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

      -0x801c0006 -"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x801c0006 +"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x801c000B -"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED -The server being contacted is not trusted. Contact your system administrator with the error code {0}. +0x801c000B +"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED +The server being contacted is not trusted. Contact your system administrator with the error code {0}. -0x801c000C -"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x801c000C +"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x801c000E -"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED -

      Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

      +0x801c000E +"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED +

      Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

      -0x801c000F -"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT -

      A reboot is required to complete device registration.

      +0x801c000F +"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT +

      A reboot is required to complete device registration.

      -0x801c0010 -"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR -

      Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.

      +0x801c0010 +"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR +

      Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.

      -0x801c0011 -"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0011 +"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x801c0012 -"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x801c0012 +"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x801c0013 -"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0013 +"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x801c0014 -"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0014 +"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
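
Review bot: 0x80180005 and 0x80180006 are both annotated MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR; two distinct codes sharing one constant name looks like a copy-and-paste slip, so check the second against the header and correct whichever is wrong. While here, confirm that the spellings MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR and DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED match the real constant names, and note that the "There was an error communicating with the server" messages end "error code {0}" without the closing period the other messages have.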

      diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index ab4cb97c8f..e493bf16e1 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -24,9 +24,9 @@ The following image shows the CellularSettings CSP in tree format as used by Ope ![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png) **DataRoam** -

      Optional. Integer. Specifies the default roaming value. Valid values are:

      +

      Optional. Integer. Specifies the default roaming value. Valid values are:

      -
      +
      diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 5f319c9900..9a5f7e4425 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -192,32 +192,32 @@ This article lists new and updated articles for the Mobile Device Management (MD - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - +
      BitLocker CSP

      Added support for Windows 10 Pro starting in the version 1809.

      +
      BitLocker CSP

      Added support for Windows 10 Pro starting in the version 1809.

      Office CSP

      Added FinalStatus setting in Windows 10, version 1809.

      +
      Office CSP

      Added FinalStatus setting in Windows 10, version 1809.

      RemoteWipe CSP

      Added new settings in Windows 10, version 1809.

      +
      RemoteWipe CSP

      Added new settings in Windows 10, version 1809.

      TenantLockdown CSP

      Added new CSP in Windows 10, version 1809.

      +
      TenantLockdown CSP

      Added new CSP in Windows 10, version 1809.

      WindowsDefenderApplicationGuard CSP

      Added new settings in Windows 10, version 1809.

      +
      WindowsDefenderApplicationGuard CSP

      Added new settings in Windows 10, version 1809.

      Policy DDF file

      Posted an updated version of the Policy DDF for Windows 10, version 1809.

      +
      Policy DDF file

      Posted an updated version of the Policy DDF for Windows 10, version 1809.

      Policy CSP

      Added the following new policies in Windows 10, version 1809:

      +
      Policy CSP

      Added the following new policies in Windows 10, version 1809:

      • Browser/AllowFullScreenMode
      • Browser/AllowPrelaunch
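
Review bot: The BitLocker CSP entry says "Added support for Windows 10 Pro starting in the version 1809." Drop the article ("starting in version 1809") and consider the "Windows 10, version 1809" form used by every other entry in this hunk.
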
      • @@ -270,47 +270,47 @@ This article lists new and updated articles for the Mobile Device Management (MD
      AssignedAccess CSP

      Added the following note:

      +
      AssignedAccess CSP

      Added the following note:

      • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
      PassportForWork CSP

      Added new settings in Windows 10, version 1809.

      +
      PassportForWork CSP

      Added new settings in Windows 10, version 1809.

      EnterpriseModernAppManagement CSP

      Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

      +
      EnterpriseModernAppManagement CSP

      Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

      Win32CompatibilityAppraiser CSP

      Added new configuration service provider in Windows 10, version 1809.

      +
      Win32CompatibilityAppraiser CSP

      Added new configuration service provider in Windows 10, version 1809.

      WindowsLicensing CSP

      Added S mode settings and SyncML examples in Windows 10, version 1809.

      +
      WindowsLicensing CSP

      Added S mode settings and SyncML examples in Windows 10, version 1809.

      SUPL CSP

      Added 3 new certificate nodes in Windows 10, version 1809.

      +
      SUPL CSP

      Added 3 new certificate nodes in Windows 10, version 1809.

      Defender CSP

      Added a new node Health/ProductStatus in Windows 10, version 1809.

      +
      Defender CSP

      Added a new node Health/ProductStatus in Windows 10, version 1809.

      BitLocker CSP

      Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

      +
      BitLocker CSP

      Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

      DevDetail CSP

      Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

      +
      DevDetail CSP

      Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

      Policy CSP

      Added the following new policies in Windows 10, version 1809:

      +
      Policy CSP

      Added the following new policies in Windows 10, version 1809:

      • ApplicationManagement/LaunchAppAfterLogOn
      • ApplicationManagement/ScheduleForceRestartForUpdateFailures
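
Review bot: Several entries in this hunk do not say what changed: PassportForWork CSP is "Added new settings in Windows 10, version 1809." and SUPL CSP is "Added 3 new certificate nodes", while neighbouring entries name the node (NonRemovable, Health/ProductStatus, AllowStandardUserEncryption, SMBIOSSerialNumber). Name the settings and nodes here too, so an administrator reviewing the change history can tell which policies to re-evaluate.
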
      • @@ -360,24 +360,24 @@ This article lists new and updated articles for the Mobile Device Management (MD
      Wifi CSP

      Added a new node WifiCost in Windows 10, version 1809.

      +
      Wifi CSP

      Added a new node WifiCost in Windows 10, version 1809.

      Diagnose MDM failures in Windows 10

      Recent changes:

      +
      Diagnose MDM failures in Windows 10

      Recent changes:

      • Added procedure for collecting logs remotely from Windows 10 Holographic.
      • Added procedure for downloading the MDM Diagnostic Information log.
      BitLocker CSP

      Added new node AllowStandardUserEncryption in Windows 10, version 1809.

      +
      BitLocker CSP

      Added new node AllowStandardUserEncryption in Windows 10, version 1809.

      Policy CSP

      Recent changes:

      +
      Policy CSP

      Recent changes:

      • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
      • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
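
Review bot: The BitLocker CSP entry in this hunk ("Added new node AllowStandardUserEncryption in Windows 10, version 1809.") repeats an entry that appears earlier in the same file with almost the same wording ("Added a new node AllowStandardUserEncryption ..."). If the two belong to different monthly sections and are both intended, make the wording identical; otherwise remove one.
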
      • @@ -398,8 +398,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
      WiredNetwork CSPNew CSP added in Windows 10, version 1809. +WiredNetwork CSPNew CSP added in Windows 10, version 1809.
      @@ -419,8 +419,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy DDF file -

      Updated the DDF files in the Windows 10 version 1703 and 1709.

      +Policy DDF file +

      Updated the DDF files in the Windows 10 version 1703 and 1709.

      • Download the Policy DDF file for Windows 10, version 1709
      • Download the Policy DDF file for Windows 10, version 1703
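
Review bot: "Updated the DDF files in the Windows 10 version 1703 and 1709." in the Policy DDF file entry is ungrammatical and departs from the "Windows 10, version NNNN" form used in the two download bullets directly below it. Suggest "Updated the DDF files for Windows 10, versions 1703 and 1709."
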
      • @@ -444,35 +444,35 @@ This article lists new and updated articles for the Mobile Device Management (MD -WindowsDefenderApplicationGuard CSP -

        Added the following node in Windows 10, version 1803:

        +WindowsDefenderApplicationGuard CSP +

        Added the following node in Windows 10, version 1803:

        • Settings/AllowVirtualGPU
        • Settings/SaveFilesToHost
        -NetworkProxy CSP -

        Added the following node in Windows 10, version 1803:

        +NetworkProxy CSP +

        Added the following node in Windows 10, version 1803:

        • ProxySettingsPerUser
        -Accounts CSP -

        Added a new CSP in Windows 10, version 1803.

        +Accounts CSP +

        Added a new CSP in Windows 10, version 1803.

        -MDM Migration Analysis Tool (MMAT) -

        Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

        +MDM Migration Analysis Tool (MMAT) +

        Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

        -CSP DDF files download -

        Added the DDF download of Windows 10, version 1803 configuration service providers.

        +CSP DDF files download +

        Added the DDF download of Windows 10, version 1803 configuration service providers.

        -Policy CSP -

        Added the following new policies for Windows 10, version 1803:

        +Policy CSP +

        Added the following new policies for Windows 10, version 1803:

        • Bluetooth/AllowPromptedProximalConnections
        • KioskBrowser/EnableEndSessionButton
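
Review bot: The WindowsDefenderApplicationGuard CSP entry says "Added the following node in Windows 10, version 1803:" but lists two nodes, Settings/AllowVirtualGPU and Settings/SaveFilesToHost; make it "nodes". The NetworkProxy CSP entry uses the same sentence with a single node, which is fine.
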
        • @@ -500,41 +500,41 @@ This article lists new and updated articles for the Mobile Device Management (MD -eUICCs CSP -

          Added the following node in Windows 10, version 1803:

          +eUICCs CSP +

          Added the following node in Windows 10, version 1803:

          • IsEnabled
          -DeviceStatus CSP -

          Added the following node in Windows 10, version 1803:

          +DeviceStatus CSP +

          Added the following node in Windows 10, version 1803:

          • OS/Mode
          -Understanding ADMX-backed policies -

          Added the following videos:

          +Understanding ADMX-backed policies +

          Added the following videos:

          -AccountManagement CSP -

          Added a new CSP in Windows 10, version 1803.

          +AccountManagement CSP +

          Added a new CSP in Windows 10, version 1803.

          -RootCATrustedCertificates CSP -

          Added the following node in Windows 10, version 1803:

          +RootCATrustedCertificates CSP +

          Added the following node in Windows 10, version 1803:

          • UntrustedCertificates
          -Policy CSP -

          Added the following new policies for Windows 10, version 1803:

          +Policy CSP +

          Added the following new policies for Windows 10, version 1803:

          • ApplicationDefaults/EnableAppUriHandlers
          • ApplicationManagement/MSIAllowUserControlOverInstall
          • @@ -556,16 +556,16 @@ This article lists new and updated articles for the Mobile Device Management (MD
          -Policy CSP - Bluetooth -

          Added new section ServicesAllowedList usage guide.

          +Policy CSP - Bluetooth +

          Added new section ServicesAllowedList usage guide.

          -MultiSIM CSP -

          Added SyncML examples and updated the settings descriptions.

          +MultiSIM CSP +

          Added SyncML examples and updated the settings descriptions.

          -RemoteWipe CSP -

          Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.

          +RemoteWipe CSP +

          Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.

          @@ -585,8 +585,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy CSP -

          Added the following new policies for Windows 10, version 1803:

          +Policy CSP +

          Added the following new policies for Windows 10, version 1803:

          • Display/DisablePerProcessDpiForApps
          • Display/EnablePerProcessDpi
          • @@ -603,12 +603,12 @@ This article lists new and updated articles for the Mobile Device Management (MD
              -VPNv2 ProfileXML XSD -

              Updated the XSD and Plug-in profile example for VPNv2 CSP.

              +VPNv2 ProfileXML XSD +

              Updated the XSD and Plug-in profile example for VPNv2 CSP.

              -AssignedAccess CSP -

              Added the following nodes in Windows 10, version 1803:

              +AssignedAccess CSP +

              Added the following nodes in Windows 10, version 1803:

              • Status
              • ShellLauncher
              • @@ -617,12 +617,12 @@ This article lists new and updated articles for the Mobile Device Management (MD

                Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.

                -MultiSIM CSP -

                Added a new CSP in Windows 10, version 1803.

                +MultiSIM CSP +

                Added a new CSP in Windows 10, version 1803.

                -EnterpriseModernAppManagement CSP -

                Added the following node in Windows 10, version 1803:

                +EnterpriseModernAppManagement CSP +

                Added the following node in Windows 10, version 1803:

                • MaintainProcessorArchitectureOnUpdate
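Review bot: The unchanged context line at the top of this hunk spells the schema name "AssigneAccessConfiguration", missing the "d" of AssignedAccess. Since the surrounding AssignedAccess CSP rows are being rewritten anyway, suggest fixing it in the same change so the name matches the "AssignedAccess CSP" spelling used in the row header and later in the same sentence.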
                @@ -645,8 +645,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy CSP -

                Added the following new policies for Windows 10, version 1803:

                +Policy CSP +

                Added the following new policies for Windows 10, version 1803:

                • Browser/AllowConfigurationUpdateForBooksLibrary
                • Browser/AlwaysEnableBooksLibrary
                • @@ -744,16 +744,16 @@ This article lists new and updated articles for the Mobile Device Management (MD

                  Security/RequireDeviceEncryption - updated to show it is supported in desktop.

                  -BitLocker CSP -

                  Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

                  +BitLocker CSP +

                  Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

                  -EnterpriseModernAppManagement CSP -

                  Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

                  +EnterpriseModernAppManagement CSP +

                  Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

                  -DMClient CSP -

                  Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

                  +DMClient CSP +

                  Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

                  • AADSendDeviceToken
                  • BlockInStatusPage
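Review bot: In the EnterpriseModernAppManagement CSP row, the re-added line still reads "Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update", which is a placeholder rather than a release. The @@ -617,12 hunk of this same file lists MaintainProcessorArchitectureOnUpdate as added in Windows 10, version 1803. Suggest replacing "next major update" with the version number so the two rows agree.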
                  • @@ -764,16 +764,16 @@ This article lists new and updated articles for the Mobile Device Management (MD
                  -Defender CSP -

                  Added new node (OfflineScan) in Windows 10, version 1803.

                  +Defender CSP +

                  Added new node (OfflineScan) in Windows 10, version 1803.

                  -UEFI CSP -

                  Added a new CSP in Windows 10, version 1803.

                  +UEFI CSP +

                  Added a new CSP in Windows 10, version 1803.

                  -Update CSP -

                  Added the following nodes in Windows 10, version 1803:

                  +Update CSP +

                  Added the following nodes in Windows 10, version 1803:

                  • Rollback
                  • Rollback/FeatureUpdate
                  • @@ -799,8 +799,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Configuration service provider reference -

                    Added new section CSP DDF files download

                    +Configuration service provider reference +

                    Added new section CSP DDF files download

                    @@ -820,8 +820,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy CSP -

                    Added the following policies for Windows 10, version 1709:

                    +Policy CSP +

                    Added the following policies for Windows 10, version 1709:

                    • Authentication/AllowFidoDeviceSignon
                    • Cellular/LetAppsAccessCellularData
                    • @@ -858,28 +858,28 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy DDF file -

                      Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

                      +Policy DDF file +

                      Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

                      -Policy CSP -

                      Updated the following policies:

                      +Policy CSP +

                      Updated the following policies:

                      • Defender/ControlledFolderAccessAllowedApplications - string separator is |.
                      • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
                      -eUICCs CSP -

                      Added new CSP in Windows 10, version 1709.

                      +eUICCs CSP +

                      Added new CSP in Windows 10, version 1709.

                      -AssignedAccess CSP -

                      Added SyncML examples for the new Configuration node.

                      +AssignedAccess CSP +

                      Added SyncML examples for the new Configuration node.

                      -DMClient CSP -

                      Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

                      +DMClient CSP +

                      Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

                      @@ -899,8 +899,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy CSP -

                      Added the following new policies for Windows 10, version 1709:

                      +Policy CSP +

                      Added the following new policies for Windows 10, version 1709:

                      • Authentication/AllowAadPasswordReset
                      • Handwriting/PanelDefaultModeDocked
                      • @@ -910,16 +910,16 @@ This article lists new and updated articles for the Mobile Device Management (MD

                        Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

                        -AssignedAccess CSP -

                        Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

                        +AssignedAccess CSP +

                        Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

                        -Microsoft Store for Business and Microsoft Store -

                        Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

                        +Microsoft Store for Business and Microsoft Store +

                        Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

                        -The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2 -

                        The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

                        +The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2 +

                        The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

                        • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
                        • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
                        • @@ -928,20 +928,20 @@ This article lists new and updated articles for the Mobile Device Management (MD

                          For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

                          -EnterpriseAPN CSP -

                          Added a SyncML example.

                          +EnterpriseAPN CSP +

                          Added a SyncML example.

                          -VPNv2 CSP -

                          Added RegisterDNS setting in Windows 10, version 1709.

                          +VPNv2 CSP +

                          Added RegisterDNS setting in Windows 10, version 1709.

                          -Enroll a Windows 10 device automatically using Group Policy -

                          Added new topic to introduce a new Group Policy for automatic MDM enrollment.

                          +Enroll a Windows 10 device automatically using Group Policy +

                          Added new topic to introduce a new Group Policy for automatic MDM enrollment.

                          -MDM enrollment of Windows-based devices -

                          New features in the Settings app:

                          +MDM enrollment of Windows-based devices +

                          New features in the Settings app:

                          • User sees installation progress of critical policies during MDM enrollment.
                          • User knows what policies, profiles, apps MDM has configured
                          • @@ -967,23 +967,23 @@ This article lists new and updated articles for the Mobile Device Management (MD -Enable ADMX-backed policies in MDM -

                            Added new step-by-step guide to enable ADMX-backed policies.

                            +Enable ADMX-backed policies in MDM +

                            Added new step-by-step guide to enable ADMX-backed policies.

                            -Mobile device enrollment -

                            Added the following statement:

                            +Mobile device enrollment +

                            Added the following statement:

                            • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
                            -CM_CellularEntries CSP -

                            Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

                            +CM_CellularEntries CSP +

                            Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

                            -EnterpriseDataProtection CSP -

                            Updated the Settings/EDPEnforcementLevel values to the following:

                            +EnterpriseDataProtection CSP +

                            Updated the Settings/EDPEnforcementLevel values to the following:

                            • 0 (default) – Off / No protection (decrypts previously protected data).
                            • 1 – Silent mode (encrypt and audit only).
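Review bot: The CM_CellularEntries CSP row is re-added with the node name misspelled as "PuposeGroups" (missing "r"), identical to the removed line. Suggest correcting it to PurposeGroups in the added line, since readers will search for the node by name and the same sentence states that the node is now required.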
                            • @@ -992,31 +992,31 @@ This article lists new and updated articles for the Mobile Device Management (MD
                            -AppLocker CSP -

                            Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.

                            +AppLocker CSP +

                            Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.

                            -DeviceManageability CSP -

                            Added the following settings in Windows 10, version 1709:

                            +DeviceManageability CSP +

                            Added the following settings in Windows 10, version 1709:

                            • Provider/ProviderID/ConfigInfo
                            • Provider/ProviderID/EnrollmentInfo
                            -Office CSP -

                            Added the following setting in Windows 10, version 1709:

                            +Office CSP +

                            Added the following setting in Windows 10, version 1709:

                            • Installation/CurrentStatus
                            -BitLocker CSP -Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. +BitLocker CSP +Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. -Firewall CSP -Updated the CSP and DDF topics. Here are the changes: +Firewall CSP +Updated the CSP and DDF topics. Here are the changes:
                            • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
                            • Changed some data types from integer to bool.
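Review bot: The re-added BitLocker CSP row states the new minimum PIN length ("4 digits" for SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength) but not the value it replaced, so the entry does not tell an administrator which direction the change went. Suggest adding the previous minimum to the sentence. Separately, the Firewall CSP row says "Changed some data types from integer to bool" without naming the settings; listing them would let MDM authors check their existing SyncML against the change.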
                            • @@ -1025,8 +1025,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
                            -Policy DDF file -Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies: +Policy DDF file +Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies:
                            • Browser/AllowMicrosoftCompatibilityList
                            • Update/DisableDualScan
                            • @@ -1034,8 +1034,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
                            -Policy CSP -

                            Added the following new policies for Windows 10, version 1709:

                            +Policy CSP +

                            Added the following new policies for Windows 10, version 1709:

                            • Browser/ProvisionFavorites
                            • Browser/LockdownFavorites
                            • diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index a4433c6dcf..437a1a48c2 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -23,14 +23,14 @@ CleanPC ----CleanPCRetainingUserData ``` **./Device/Vendor/MSFT/CleanPC** -

                              The root node for the CleanPC configuration service provider.

                              +

                              The root node for the CleanPC configuration service provider.

                              **CleanPCWithoutRetainingUserData** -

                              An integer specifying a CleanPC operation without any retention of user data. +

                              An integer specifying a CleanPC operation without any retention of user data. -

                              The only supported operation is Execute. +

                              The only supported operation is Execute. **CleanPCRetainingUserData** -

                              An integer specifying a CleanPC operation with retention of user data. +

                              An integer specifying a CleanPC operation with retention of user data. -

                              The only supported operation is Execute. +

                              The only supported operation is Execute. diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 1d42413872..44886adee0 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -23,28 +23,28 @@ The following diagram shows the CM\_CellularEntries configuration service provid ![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png) ***entryname*** -

                              Defines the name of the connection.

                              +

                              Defines the name of the connection.

                              -

                              The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.

                              +

                              The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.

                              **AlwaysOn** -

                              Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. +

                              Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. -

                              A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. +

                              A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. -

                              A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. +

                              A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. -

                              There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. +

                              There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. **AuthType** -

                              Optional. Type: String. Specifies the method of authentication used for a connection. +

                              Optional. Type: String. Specifies the method of authentication used for a connection. -

                              A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". +

                              A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". **ConnectionType** -

                              Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: +

                              Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: -
                              +
                              @@ -80,48 +80,48 @@ The following diagram shows the CM\_CellularEntries configuration service provid **Desc.langid** -

                              Optional. Specifies the UI display string used by the defined language ID. +

                              Optional. Specifies the UI display string used by the defined language ID. -

                              A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry. +

                              A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry. **Enabled** -

                              Specifies if the connection is enabled. +

                              Specifies if the connection is enabled. -

                              A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled. +

                              A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled. **IpHeaderCompression** -

                              Optional. Specifies if IP header compression is enabled. +

                              Optional. Specifies if IP header compression is enabled. -

                              A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled. +

                              A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled. **Password** -

                              Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN. +

                              Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN. **SwCompression** -

                              Optional. Specifies if software compression is enabled. +

                              Optional. Specifies if software compression is enabled. -

                              A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled. +

                              A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled. **UserName** -

                              Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN. +

                              Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN. **UseRequiresMappingsPolicy** -

                              Optional. Specifies if the connection requires a corresponding mappings policy. +

                              Optional. Specifies if the connection requires a corresponding mappings policy. -

                              A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. +

                              A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. -

                              For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. +

                              For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. **Version** -

                              Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. +

                              Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. -

                              This value must be "1" if included. +

                              This value must be "1" if included. **GPRSInfoAccessPointName** -

                              Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT". +

                              Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT". **Roaming** -

                              Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available: +

                              Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available: - 0 - Home network only. - 1 (default)- All roaming conditions (home and roaming). @@ -131,13 +131,13 @@ The following diagram shows the CM\_CellularEntries configuration service provid - 5 - Roaming only. **OEMConnectionID** -

                              Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. +

                              Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. **ApnId** -

                              Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices. +

                              Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices. **IPType** -

                              Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4". +

                              Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4". > [!WARNING] > Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6. @@ -145,14 +145,14 @@ The following diagram shows the CM\_CellularEntries configuration service provid **ExemptFromDisablePolicy** -

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt). +

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt). -

                              To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed. +

                              To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed. > [!IMPORTANT] > Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections. -

                              To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should: +

                              To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should: - Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1) - Set AllowMMSIfDataIsOff to 1 (default is 0) @@ -160,16 +160,16 @@ The following diagram shows the CM\_CellularEntries configuration service provid **ExemptFromRoaming** -

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). +

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). **TetheringNAI** -

                              Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". +

                              Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". **IdleDisconnectTimeout** -

                              Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds. +

                              Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds. > [!IMPORTANT] ->

                              You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. +>

                              You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. > [!NOTE] @@ -178,10 +178,10 @@ The following diagram shows the CM\_CellularEntries configuration service provid **SimIccId** -

                              For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. +

                              For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. **PurposeGroups** -

                              Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: +

                              Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: - Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F - LTE attach - 11A6FE68-5B47-4859-9CB6-1EAC96A8F0BD diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 2f1ccdb53c..f36f744684 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -35,48 +35,48 @@ DeveloperSetup ------------HttpsPort ``` **DeveloperSetup** -

                              The root node for the DeveloperSetup configuration service provider. +

                              The root node for the DeveloperSetup configuration service provider. **EnableDeveloperMode** -

                              A Boolean value that is used to enable Developer Mode on the device. The default value is false. +

                              A Boolean value that is used to enable Developer Mode on the device. The default value is false. -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal** -

                              The node for the Windows Device Portal. +

                              The node for the Windows Device Portal. **DevicePortal/Authentication** -

                              The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal. +

                              The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal. **DevicePortal/Authentication/Mode** -

                              An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal. +

                              An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal. -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal/Authentication/BasicAuth** -

                              The node that describes the credentials that are used for basic authentication with the Windows Device Portal. +

                              The node that describes the credentials that are used for basic authentication with the Windows Device Portal. **DevicePortal/Authentication/BasicAuth/Username** -

                              A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal. +

                              A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal. The user name must contain only ASCII characters and cannot contain a colon (:). -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal/Authentication/BasicAuth/Password** -

                              A string value that specifies the password to use when authenticating requests against the Windows Device Portal. +

                              A string value that specifies the password to use when authenticating requests against the Windows Device Portal. -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal/Connection** -

                              The node for configuring connections to the Windows Device Portal service. +

                              The node for configuring connections to the Windows Device Portal service. **DevicePortal/Connection/HttpPort** -

                              An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service. +

                              An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service. If authentication is enabled, HttpPort will redirect the user to the (required) HttpsPort. -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal/Connection/HttpsPort** -

                              An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service. +

                              An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service. -

                              The only supported operation is Replace. \ No newline at end of file +

                              The only supported operation is Replace. \ No newline at end of file diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index cc589f1f13..bd80931f74 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -147,49 +147,49 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. +

                              Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. -

                              Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. +

                              Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. -

                              The default is 17 (5 PM). +

                              The default is 17 (5 PM). **Update/ActiveHoursMaxRange** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                              Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. +

                              Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. -

                              Supported values are 8-18. +

                              Supported values are 8-18. -

                              The default value is 18 (hours). +

                              The default value is 18 (hours). **Update/ActiveHoursStart** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                              Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. +

                              Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. -

                              Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. +

                              Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. -

                              The default value is 8 (8 AM). +

                              The default value is 8 (8 AM). **Update/AllowAutoUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                              Enables the IT admin to manage automatic update behavior to scan, download, and install updates. +

                              Enables the IT admin to manage automatic update behavior to scan, download, and install updates. -

                              Supported operations are Get and Replace. +

                              Supported operations are Get and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. @@ -202,16 +202,16 @@ The following diagram shows the Update policies in a tree format. > This option should be used only for systems under regulatory compliance, as you will not get security updates as well. -

                              If the policy is not configured, end-users get the default behavior (Auto install and restart). +

                              If the policy is not configured, end-users get the default behavior (Auto install and restart). **Update/AllowMUUpdateService** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. +

                              Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Not allowed or not configured. - 1 – Allowed. Accepts updates received through Microsoft Update. @@ -221,29 +221,29 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. -

                              Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution. +

                              Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution. -

                              Supported operations are Get and Replace. +

                              Supported operations are Get and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. - 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. -

                              This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +

                              This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. **Update/AllowUpdateService** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. +

                              Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. -

                              Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft +

                              Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft -

                              Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. +

                              Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Update service is not allowed. - 1 (default) – Update service is allowed. @@ -257,20 +257,20 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. -

                              Supported values are 15, 30, 60, 120, and 240 (minutes). +

                              Supported values are 15, 30, 60, 120, and 240 (minutes). -

                              The default value is 15 (minutes). +

                              The default value is 15 (minutes). **Update/AutoRestartRequiredNotificationDismissal** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 1 (default) – Auto Dismissal. - 2 – User Dismissal. @@ -280,9 +280,9 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. +

                              Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 16 (default) – User gets all applicable upgrades from Current Branch (CB). - 32 – User gets upgrades from Current Branch for Business (CBB). @@ -291,18 +291,18 @@ The following diagram shows the Update policies in a tree format. > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

                              Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. +

                              Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. -

                              Supported values are 0-180. +

                              Supported values are 0-180. **Update/DeferQualityUpdatesPeriodInDays** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. +

                              Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. -

                              Supported values are 0-30. +

                              Supported values are 0-30. **Update/DeferUpdatePeriod** > [!NOTE] @@ -311,15 +311,15 @@ The following diagram shows the Update policies in a tree format. > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. -

                              Allows IT Admins to specify update delays for up to four weeks. +

                              Allows IT Admins to specify update delays for up to four weeks. -

                              Supported values are 0-4, which refers to the number of weeks to defer updates. +

                              Supported values are 0-4, which refers to the number of weeks to defer updates. -

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

                              If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

                              +
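Review bot: In the Update/DeferUpdatePeriod hunk, the re-added sentence `If the Allow Telemetry policy is enabled and the Options value is set to 0, ...` names the policy without quotation marks, while the sentence just before it quotes "Specify intranet Microsoft update service location" and the matching sentence under Update/DeferUpgradePeriod writes it as "Allow Telemetry". Since this line is already being rewritten, quote the policy name here too so the two sections stay consistent. As rendered here, the removed and added lines in this hunk carry the same text, so the wording fix can go in with this commit without widening the change.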
                              @@ -336,16 +336,16 @@ The following diagram shows the Update policies in a tree format. - - - - + + + + - - - - + + + - - - - + + + @@ -380,71 +380,71 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. -

                              Allows IT Admins to specify additional upgrade delays for up to eight months. +

                              Allows IT Admins to specify additional upgrade delays for up to eight months. -

                              Supported values are 0-8, which refers to the number of months to defer upgrades. +

                              Supported values are 0-8, which refers to the number of months to defer upgrades. -

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

                              If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. **Update/EngagedRestartDeadline** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). -

                              Supported values are 2-30 days. +

                              Supported values are 2-30 days. -

                              The default value is 0 days (not specified). +

                              The default value is 0 days (not specified). **Update/EngagedRestartSnoozeSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. +

                              Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. -

                              Supported values are 1-3 days. +

                              Supported values are 1-3 days. -

                              The default value is three days. +

                              The default value is three days. **Update/EngagedRestartTransitionSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. +

                              Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -

                              Supported values are 2-30 days. +

                              Supported values are 2-30 days. -

                              The default value is seven days. +

                              The default value is seven days. **Update/ExcludeWUDriversInQualityUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -

                              Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. +

                              Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Allow Windows Update drivers. - 1 – Exclude Windows Update drivers. **Update/IgnoreMOAppDownloadLimit** -

                              Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +

                              Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Do not ignore MO download limit for apps and their updates. - 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. -

                              To validate this policy: +

                              To validate this policy: 1. Enable the policy ensure the device is on a cellular network. 2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: @@ -456,17 +456,17 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/IgnoreMOUpdateDownloadLimit** -

                              Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +

                              Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Do not ignore MO download limit for OS updates. - 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. -

                              To validate this policy: +

                              To validate this policy: 1. Enable the policy and ensure the device is on a cellular network. 2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: @@ -482,24 +482,24 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. -

                              Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. +

                              Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Deferrals are not paused. - 1 – Deferrals are paused. -

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

                              If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. **Update/PauseFeatureUpdates** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

                              Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. +

                              Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Feature Updates are not paused. - 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. @@ -509,9 +509,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. +

                              Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Quality Updates are not paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. @@ -523,9 +523,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. -

                              Allows the IT admin to set a device to CBB train. +

                              Allows the IT admin to set a device to CBB train. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – User gets upgrades from Current Branch. - 1 – User gets upgrades from Current Branch for Business. @@ -541,11 +541,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. -

                              Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. +

                              Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. -

                              Supported operations are Get and Replace. +

                              Supported operations are Get and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Not configured. The device installs all applicable updates. - 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. @@ -555,24 +555,24 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. -

                              Supported values are 15, 30, or 60 (minutes). +

                              Supported values are 15, 30, or 60 (minutes). -

                              The default value is 15 (minutes). +

                              The default value is 15 (minutes). **Update/ScheduledInstallDay** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Enables the IT admin to schedule the day of the update installation. +

                              Enables the IT admin to schedule the day of the update installation. -

                              The data type is a string. +

                              The data type is a string. -

                              Supported operations are Add, Delete, Get, and Replace. +

                              Supported operations are Add, Delete, Get, and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Every day - 1 – Sunday @@ -588,35 +588,35 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Enables the IT admin to schedule the time of the update installation. +

                              Enables the IT admin to schedule the time of the update installation. -

                              The data type is a string. +

                              The data type is a string. -

                              Supported operations are Add, Delete, Get, and Replace. +

                              Supported operations are Add, Delete, Get, and Replace. -

                              Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. +

                              Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. -

                              The default value is 3. +

                              The default value is 3. **Update/ScheduleRestartWarning** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. -

                              Supported values are 2, 4, 8, 12, or 24 (hours). +

                              Supported values are 2, 4, 8, 12, or 24 (hours). -

                              The default value is 4 (hours). +

                              The default value is 4 (hours). **Update/SetAutoRestartNotificationDisable** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. +

                              Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Enabled - 1 – Disabled @@ -628,11 +628,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!Important] > Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise. -

                              Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. +

                              Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. -

                              Supported operations are Get and Replace. +

                              Supported operations are Get and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - Not configured. The device checks for updates from Microsoft Update. - Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. @@ -659,13 +659,13 @@ Example > **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                              Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. +

                              Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. -

                              This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. +

                              This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. -

                              To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. +

                              To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. -

                              Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +

                              Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. > [!Note] > If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. @@ -827,50 +827,50 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici

                              - - - + + - - - + + - - - + + + - - - + + - - - + + - - - + + + - - - + + - - - + + diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 46dd29b427..8290fa7eea 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -62,25 +62,25 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered( ## Parameters *pszXmlIn* -
                                +
                                • [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).

                                *rgszAllowedCspNode* -
                                  +
                                  • [in] Array of WCHAR\* that specify which configuration service provider nodes are allowed to be invoked.

                                  *dwNumAllowedCspNodes* -
                                    +
                                    • [in] Number of elements passed in rgszAllowedCspNode.

                                    *pbstrXmlOut* -
                                      +
                                      • [out] The resulting null–terminated XML from configuration. The caller of DMProcessConfigXMLFiltered is responsible for cleanup of the output buffer that the pbstrXmlOut parameter references. Use SysFreeString to free the memory.
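Review bot: the *rgszAllowedCspNode* description says the array lists which configuration service provider nodes are allowed to be invoked, but nothing in this hunk says what happens when *pszXmlIn* names a node outside that list. This parameter is the filter that bounds what the provisioning XML can touch, so state whether the whole document is rejected or only the disallowed node is skipped, and which HRESULT the caller sees in that case. Separately, "null–terminated" in the *pszXmlIn* and *pbstrXmlOut* lines uses an en dash; a plain hyphen ("null-terminated") is the usual spelling.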

                                      @@ -104,24 +104,24 @@ Returns the standard **HRESULT** value **S\_OK** to indicate success. The follow
                              - - + + - - + + - - + + - - + + - - + +

                              OS upgrade

                              8 months

                              1 month

                              Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

                              OS upgrade

                              8 months

                              1 month

                              Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

                              Update

                              1 month

                              1 week

                              +

                              Update

                              1 month

                              1 week

                              Note If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
                              @@ -361,10 +361,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

                              Other/cannot defer

                              No deferral

                              No deferral

                              Any update category not enumerated above falls into this category.

                              +

                              Other/cannot defer

                              No deferral

                              No deferral

                              Any update category not enumerated above falls into this category.

                              Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

                              BranchReadinessLevel

                              REG_DWORD

                              16: systems take Feature Updates on the Current Branch (CB) train

                              +

                              BranchReadinessLevel

                              REG_DWORD

                              16: systems take Feature Updates on the Current Branch (CB) train

                              32: systems take Feature Updates on the Current Branch for Business

                              Other value or absent: receive all applicable updates (CB)

                              DeferQualityUpdates

                              REG_DWORD

                              1: defer quality updates

                              +

                              DeferQualityUpdates

                              REG_DWORD

                              1: defer quality updates

                              Other value or absent: don’t defer quality updates

                              DeferQualityUpdatesPeriodInDays

                              REG_DWORD

                              0-30: days to defer quality updates

                              DeferQualityUpdatesPeriodInDays

                              REG_DWORD

                              0-30: days to defer quality updates

                              PauseQualityUpdates

                              REG_DWORD

                              1: pause quality updates

                              +

                              PauseQualityUpdates

                              REG_DWORD

                              1: pause quality updates

                              Other value or absent: don’t pause quality updates

                              DeferFeatureUpdates

                              REG_DWORD

                              1: defer feature updates

                              +

                              DeferFeatureUpdates

                              REG_DWORD

                              1: defer feature updates

                              Other value or absent: don’t defer feature updates

                              DeferFeatureUpdatesPeriodInDays

                              REG_DWORD

                              0-180: days to defer feature updates

                              DeferFeatureUpdatesPeriodInDays

                              REG_DWORD

                              0-180: days to defer feature updates

                              PauseFeatureUpdates

                              REG_DWORD

                              1: pause feature updates

                              +

                              PauseFeatureUpdates

                              REG_DWORD

                              1: pause feature updates

                              Other value or absent: don’t pause feature updates

                              ExcludeWUDriversInQualityUpdate

                              REG_DWORD

                              1: exclude WU drivers

                              +

                              ExcludeWUDriversInQualityUpdate

                              REG_DWORD

                              1: exclude WU drivers

                              Other value or absent: offer WU drivers

                              CONFIG_E_OBJECTBUSY

                              Another instance of the configuration management service is currently running.

                              CONFIG_E_OBJECTBUSY

                              Another instance of the configuration management service is currently running.

                              CONFIG_E_ENTRYNOTFOUND

                              No metabase entry was found.

                              CONFIG_E_ENTRYNOTFOUND

                              No metabase entry was found.

                              CONFIG_E_CSPEXCEPTION

                              An exception occurred in one of the configuration service providers.

                              CONFIG_E_CSPEXCEPTION

                              An exception occurred in one of the configuration service providers.

                              CONFIG_E_TRANSACTIONINGFAILURE

                              A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.

                              CONFIG_E_TRANSACTIONINGFAILURE

                              A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.

                              CONFIG_E_BAD_XML

                              The XML input is invalid or malformed.

                              CONFIG_E_BAD_XML

                              The XML input is invalid or malformed.

                              @@ -196,28 +196,28 @@ if ( bstr != NULL ) -

                              Minimum supported client

                              -

                              None supported

                              +

                              Minimum supported client

                              +

                              None supported

                              -

                              Minimum supported server

                              -

                              None supported

                              +

                              Minimum supported server

                              +

                              None supported

                              -

                              Minimum supported phone

                              -

                              Windows Phone 8.1

                              +

                              Minimum supported phone

                              +

                              Windows Phone 8.1

                              -

                              Header

                              -

                              Dmprocessxmlfiltered.h

                              +

                              Header

                              +

                              Dmprocessxmlfiltered.h

                              -

                              Library

                              -

                              Dmprocessxmlfiltered.lib

                              +

                              Library

                              +

                              Dmprocessxmlfiltered.lib

                              -

                              DLL

                              -

                              Dmprocessxmlfiltered.dll

                              +

                              DLL

                              +

                              Dmprocessxmlfiltered.dll
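Review bot: in policy-csp-update.md, the hunk at `@@ -628,11 +628,11 @@` (the paragraph beginning "Allows the device to check for updates from a WSUS server") keeps `http://abcd-srv:8530` as the only example URL in its supported-values context line. Admins tend to copy the example value as written, so consider showing an `https://` URL instead, or adding a sentence that an update server reached over plain HTTP gives the client no transport protection for what it downloads. The changed paragraphs themselves read the same before and after, so this is a follow-up for the surrounding text rather than a blocker for this change.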

                              diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 8c5772b29c..ffdfc3e2b7 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -63,41 +63,41 @@ DMSessionActions ------------MaxTimeSessionsSkippedInLowPowerState ``` **./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions** -

                              Defines the root node for the DMSessionActions configuration service provider.

                              +

                              Defines the root node for the DMSessionActions configuration service provider.

                              ***ProviderID*** -

                              Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.

                              +

                              Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.

                              -

                              Scope is dynamic. Supported operations are Get, Add, and Delete.

                              +

                              Scope is dynamic. Supported operations are Get, Add, and Delete.

                              ***ProviderID*/CheckinAlertConfiguration** -

                              Node for the custom configuration of alerts to be sent during MDM sync session.

                              +

                              Node for the custom configuration of alerts to be sent during MDM sync session.

                              ***ProviderID*/CheckinAlertConfiguration/Nodes** -

                              Required. Root node for URIs to be queried. Scope is dynamic.

                              +

                              Required. Root node for URIs to be queried. Scope is dynamic.

                              -

                              Supported operation is Get.

                              +

                              Supported operation is Get.

                              ***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*** -

                              Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.

                              +

                              Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.

                              -

                              Supported operations are Get, Add, and Delete.

                              +

                              Supported operations are Get, Add, and Delete.

                              ***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI** -

                              Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **AlertData** -

                              Node to query the custom alert per server configuration

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Node to query the custom alert per server configuration

                              +

                              Value type is string. Supported operation is Get.

                              **PowerSettings** -

                              Node for power-related configrations

                              +

                              Node for power-related configrations

                              **PowerSettings/MaxSkippedSessionsInLowPowerState** -

                              Maximum number of continuous skipped sync sessions when the device is in low-power state.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Maximum number of continuous skipped sync sessions when the device is in low-power state.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **PowerSettings/MaxTimeSessionsSkippedInLowPowerState** -

                              Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.
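Review bot: The added PowerSettings description still carries the typo "configrations" ("Node for power-related configrations"); since the line is being rewritten anyway, correct it to "configurations" and close the sentence with a period. The added AlertData description ("Node to query the custom alert per server configuration") is also missing its closing period, and "continuous skipped sync sessions" under MaxSkippedSessionsInLowPowerState would read more precisely as "consecutive skipped sync sessions".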

                              diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 3716a1c54a..3b59ea0c12 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -33,12 +33,12 @@ DynamicManagement ----AlertsEnabled ``` **DynamicManagement** -

                              The root node for the DynamicManagement configuration service provider.

                              +

                              The root node for the DynamicManagement configuration service provider.

                              **NotificationsEnabled** -

                              Boolean value for sending notification to the user of a context change.

                              -

                              Default value is False. Supported operations are Get and Replace.

                              -

                              Example to turn on NotificationsEnabled:

                              +

                              Boolean value for sending notification to the user of a context change.

                              +

                              Default value is False. Supported operations are Get and Replace.

                              +

                              Example to turn on NotificationsEnabled:

                              ```xml @@ -56,40 +56,40 @@ DynamicManagement ``` **ActiveList** -

                              A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..

                              -

                              Supported operation is Get.

                              +

                              A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..

                              +

                              Supported operation is Get.

                              **Contexts** -

                              Node for context information.

                              -

                              Supported operation is Get.

                              +

                              Node for context information.

                              +

                              Supported operation is Get.

                              ***ContextID*** -

                              Node created by the server to define a context. Maximum number of characters allowed is 38.

                              -

                              Supported operations are Add, Get, and Delete.

                              +

                              Node created by the server to define a context. Maximum number of characters allowed is 38.

                              +

                              Supported operations are Add, Get, and Delete.

                              **SignalDefinition** -

                              Signal Definition XML.

                              -

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              +

                              Signal Definition XML.

                              +

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              **SettingsPack** -

                              Settings that get applied when the Context is active.

                              -

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              +

                              Settings that get applied when the Context is active.

                              +

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              **SettingsPackResponse** -

                              Response from applying a Settings Pack that contains information on each individual action.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Response from applying a Settings Pack that contains information on each individual action.

                              +

                              Value type is string. Supported operation is Get.

                              **ContextStatus** -

                              Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.

                              -

                              Value type is integer. Supported operation is Get.

                              +

                              Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.

                              +

                              Value type is integer. Supported operation is Get.

                              **Altitude** -

                              A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.

                              -

                              Value type is integer. Supported operations are Add, Get, Delete, and Replace.

                              +

                              A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.

                              +

                              Value type is integer. Supported operations are Add, Get, Delete, and Replace.

                              **AlertsEnabled** -

                              A Boolean value for sending an alert to the server when a context fails.

                              -

                              Supported operations are Get and Replace.

                              +

                              A Boolean value for sending an alert to the server when a context fails.

                              +

                              Supported operations are Get and Replace.
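Review bot: The added ActiveList line keeps two defects from the line it replaces, "Delimeter" and the doubled period in "0xF000.."; suggest "The delimiter is the Unicode character 0xF000." In the added Altitude description, "must be distinct of other priorities" should be "distinct from", and the text never says what "priorities" refers to or whether a higher or lower Altitude wins when contexts conflict, which is the one thing a reader configuring several contexts needs from this paragraph.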

                              ## Examples diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index c271c1dbe6..f82e763f75 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -39,40 +39,40 @@ EnterpriseAPN --------HideView ``` **EnterpriseAPN** -

                              The root node for the EnterpriseAPN configuration service provider.

                              +

                              The root node for the EnterpriseAPN configuration service provider.

                              **EnterpriseAPN/***ConnectionName* -

                              Name of the connection as seen by Windows Connection Manager.

                              +

                              Name of the connection as seen by Windows Connection Manager.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/APNName** -

                              Enterprise APN name.

                              +

                              Enterprise APN name.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/IPType** -

                              This value can be one of the following:

                              +

                              This value can be one of the following:

                              - IPv4 - only IPV4 connection type - IPv6 - only IPv6 connection type - IPv4v6 (default)- IPv4 and IPv6 concurrently. - IPv4v6xlat - IPv6 with IPv4 provided by 46xlat -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/IsAttachAPN** -

                              Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.

                              +

                              Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/ClassId** -

                              GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

                              +

                              GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/AuthType** -

                              Authentication type. This value can be one of the following:

                              +

                              Authentication type. This value can be one of the following:
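Review bot: The added ClassId paragraph is hard to parse at "It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN"; consider "It is required only when IsAttachAPN is true and the attach APN is also used for something other than the Internet APN", if that is the intended meaning. While this block is open, the IPType list in the unchanged context spells the protocol both "IPv4" and "IPV4" in the same item, and "IPv4v6 (default)-" is missing the space before the dash.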

                              - None (default) - Auto @@ -80,39 +80,39 @@ EnterpriseAPN - CHAP - MSCHAPv2 -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/UserName** -

                              User name for use with PAP, CHAP, or MSCHAPv2 authentication.

                              +

                              User name for use with PAP, CHAP, or MSCHAPv2 authentication.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/Password** -

                              Password corresponding to the username.

                              +

                              Password corresponding to the username.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/IccId** -

                              Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

                              +

                              Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/AlwaysOn** -

                              Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.

                              +

                              Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.

                              -

                              The default value is true.

                              +

                              The default value is true.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/Enabled** -

                              Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.

                              +

                              Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.

                              -

                              The default value is true.

                              +

                              The default value is true.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/Roaming** -

                              Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:

                              +

                              Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:

                              • 0 - Disallowed
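Review bot: The added Password node text lists Get among its supported operations ("Supported operations are Add, Get, Delete, and Replace.") but the description, "Password corresponding to the username.", does not say what a Get returns. Please document whether the stored value is returned as-is, masked, or empty, because an admin reading this cannot tell whether the APN credential is readable back through the management channel. The same sentence uses "username" while the UserName node above uses "User name"; pick one.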
                              • @@ -123,27 +123,27 @@ EnterpriseAPN
                              • 5 - UseOnlyForRoaming
                              -

                              Default is 1 (all roaming allowed).

                              +

                              Default is 1 (all roaming allowed).

                              -

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              +

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/Settings** -

                              Added in Windows 10, version 1607. Node that contains global settings.

                              +

                              Added in Windows 10, version 1607. Node that contains global settings.

                              **EnterpriseAPN/Settings/AllowUserControl** -

                              Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.

                              +

                              Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.

                              -

                              The default value is false.

                              +

                              The default value is false.

                              -

                              Supported operations are Get and Replace.

                              +

                              Supported operations are Get and Replace.

                              **EnterpriseAPN/Settings/HideView** -

                              Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.

                              +

                              Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.

                              -

                              The default value is false.

                              +

                              The default value is false.

                              -

                              Supported operations are Get and Replace.

                              +

                              Supported operations are Get and Replace.
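Review bot: The added HideView description does not state which value hides the view: the node is named HideView, but the text says it "specifies whether the cellular UX will allow the user to view enterprise APNs", so true could be read either way. Say explicitly what true and false do. In AllowUserControl, "connect with other APNs other than the Enterprise APN" repeats "other"; drop the first one. For Roaming, the added line says "Value type is string" while the valid values are listed as 0 through 5; confirm the type and, if it really is a string, say that the digit is passed as a string.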

                              ## Examples diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 9a0893f98e..cb948488da 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -45,68 +45,68 @@ EnterpriseAppVManagement ------------Policy ``` **./Vendor/MSFT/EnterpriseAppVManagement** -

                              Root node for the EnterpriseAppVManagement configuration service provider.

                              +

                              Root node for the EnterpriseAppVManagement configuration service provider.

                              **AppVPackageManagement** -

                              Used to query App-V package information (post-publish).

                              +

                              Used to query App-V package information (post-publish).

                              **AppVPackageManagement/EnterpriseID** -

                              Used to query package information. Value is always "HostedInstall".

                              +

                              Used to query package information. Value is always "HostedInstall".

                              **AppVPackageManagement/EnterpriseID/PackageFamilyName** -

                              Package ID of the published App-V package.

                              +

                              Package ID of the published App-V package.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*** -

                              Version ID of the published App-V package.

                              +

                              Version ID of the published App-V package.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name** -

                              Name specified in the published AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Name specified in the published AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version** -

                              Version specified in the published AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Version specified in the published AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher** -

                              Publisher as specified in the published asset information of the AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Publisher as specified in the published asset information of the AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation** -

                              Local package path specified in the published asset information of the AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Local package path specified in the published asset information of the AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate** -

                              Date the app was installed, as specified in the published asset information of the AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Date the app was installed, as specified in the published asset information of the AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users** -

                              Registered users for app, as specified in the published asset information of the AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Registered users for app, as specified in the published asset information of the AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId** -

                              Package ID of the published App-V package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Package ID of the published App-V package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId** -

                              Version ID of the published App-V package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Version ID of the published App-V package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri** -

                              Package URI of the published App-V package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Package URI of the published App-V package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPublishing** -

                              Used to monitor publishing operations on App-V.

                              +

                              Used to monitor publishing operations on App-V.

                              **AppVPublishing/LastSync** -

                              Used to monitor publishing status of last sync operation.

                              +

                              Used to monitor publishing status of last sync operation.

                              **AppVPublishing/LastSync/LastError** -

                              Error code and error description of last sync operation.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Error code and error description of last sync operation.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPublishing/LastSync/LastErrorDescription** -

                              Last sync error status. One of the following values may be returned:

                              +

                              Last sync error status. One of the following values may be returned:
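Review bot: The added descriptions for LastError and LastErrorDescription look crossed: LastError is described as "Error code and error description of last sync operation" while LastErrorDescription is described as a status that returns one of the enumerated SYNC_ERR values. Please confirm which node returns which and adjust the text. Two smaller points in the same hunk: the added lines alternate between "AppV package" and "App-V package", and PackageFamilyName and AppVPackageId carry the identical description "Package ID of the published App-V package." (likewise PackageFullName and AppVVersionId with "Version ID"), so the reader cannot tell the nodes apart.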

                              - SYNC\_ERR_NONE (0) - No errors during publish. - SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish. @@ -116,10 +116,10 @@ EnterpriseAppVManagement - SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish. - SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish. -

                              Value type is string. Supported operation is Get.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPublishing/LastSync/SyncStatusDescription** -

                              Latest sync in-progress stage. One of the following values may be returned:

                              +

                              Latest sync in-progress stage. One of the following values may be returned:

                              - SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle. - SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress. @@ -127,9 +127,9 @@ EnterpriseAppVManagement - SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress. - SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress. -

                              Value type is string. Supported operation is Get.

                              +

                              Value type is string. Supported operation is Get.

                              -AppVPublishing/LastSync/SyncProgress

                              Latest sync state. One of the following values may be returned:

                              +AppVPublishing/LastSync/SyncProgress

                              Latest sync state. One of the following values may be returned:
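Review bot: The SyncProgress node name on the changed line ("AppVPublishing/LastSync/SyncProgress") is plain text, while every other node heading in this file is bold; format it the same way so it renders as a heading. The naming also looks crossed with the previous node: SyncStatusDescription lists the SYNC_PROGRESS values and SyncProgress lists the SYNC_STATUS values, which is worth confirming against the CSP before this goes in. In the unchanged context, "SYN\C_PROGRESS_UNPUBLISH_PACKAGES" has the escape in the wrong place and should match the other SYNC\_PROGRESS entries.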

                              - SYNC\_STATUS_IDLE (0) - App-V Sync is idle. - SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing. @@ -137,22 +137,22 @@ EnterpriseAppVManagement - SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete. - SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot. -

                              Value type is string. Supported operation is Get.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPublishing/Sync** -

                              Used to perform App-V synchronization.

                              +

                              Used to perform App-V synchronization.

                              **AppVPublishing/Sync/PublishXML** -

                              Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.

                              -

                              Supported operations are Get, Delete, and Execute.

                              +

                              Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.

                              +

                              Supported operations are Get, Delete, and Execute.

                              **AppVDynamicPolicy** -

                              Used to set App-V Policy Configuration documents for publishing packages.

                              +

                              Used to set App-V Policy Configuration documents for publishing packages.

                              **AppVDynamicPolicy/*ConfigurationId*** -

                              ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).

                              +

                              ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).

                              **AppVDynamicPolicy/*ConfigurationId*/Policy** -

                              XML for App-V Policy Configuration documents for publishing packages.

                              -

                              Value type is xml. Supported operations are Add, Get, Delete, and Replace.

                              \ No newline at end of file +

                              XML for App-V Policy Configuration documents for publishing packages.

                              +

                              Value type is xml. Supported operations are Add, Get, Delete, and Replace.
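Review bot: The file still ends without a trailing newline. The "\ No newline at end of file" marker follows both the removed and the re-added copy of the final "Value type is xml. Supported operations are Add, Get, Delete, and Replace." line. Since that last line is being rewritten anyway, end the file with a newline so later diffs stop flagging it.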

                              \ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index 12f02b683f..58fdde76ab 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -40,10 +40,10 @@ EnterpriseExtFileSystem The following list describes the characteristics and parameters. **./Vendor/MSFT/EnterpriseExtFileSystem** -

                              The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.

                              +

                              The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.

                              **Persistent** -

                              The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.

                              +

                              The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.
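Review bot: The re-added **Persistent** line keeps the agreement error "Files written to the Persistent folder persists over ordinary power cycles". The line is being touched in this change, so correct it to "persist" rather than carrying the error forward.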

                              > **Important**  There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer. > @@ -54,24 +54,24 @@ The following list describes the characteristics and parameters. **NonPersistent** -

                              The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.

                              +

                              The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.

                              -

                              When the device is wiped, any data stored in the NonPersistent folder is deleted.

                              +

                              When the device is wiped, any data stored in the NonPersistent folder is deleted.

                              **OemProfile** -

                              Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.

                              +

                              Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.

                              ***Directory*** -

                              The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.

                              +

                              The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.

                              -

                              Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.

                              +

                              Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.

                              -

                              Use the Get command to return the list of child node names under Directory.

                              +

                              Use the Get command to return the list of child node names under Directory.

                              -

                              Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.

                              +

                              Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.

                              ***Filename*** -

                              The name of a file in the device file system.

                              +

                              The name of a file in the device file system.
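Review bot: The **NonPersistent** line says files "will persist over ordinary power cycles", which is the same behavior the previous hunk states for Persistent, so the only visible difference between the two folders is the wipe sentence that follows. State explicitly how they differ (for example, what happens to Persistent data on a device wipe), because an administrator deciding where to place files needs that to know what remains on the device. Two wording errors are also carried over: the OemProfile line reads "a barcode scanner profile then can be consumed", and the trailing context line "Supported operations is Get." should read "Supported operation is Get."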

                              Supported operations is Get. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 19fbe15c22..2d9fbf4570 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -103,68 +103,68 @@ Firewall ----------------Name ``` **./Vendor/MSFT/Firewall** -

                              Root node for the Firewall configuration service provider.

                              +

                              Root node for the Firewall configuration service provider.

                              **MdmStore** -

                              Interior node.

                              -

                              Supported operation is Get.

                              +

                              Interior node.

                              +

                              Supported operation is Get.

                              **MdmStore/Global** -

                              Interior node.

                              -

                              Supported operations are Get.

                              +

                              Interior node.

                              +

                              Supported operations are Get.

                              **MdmStore/Global/PolicyVersionSupported** -

                              Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

                              -

                              Value type in integer. Supported operation is Get.

                              +

                              Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

                              +

                              Value type in integer. Supported operation is Get.

                              **MdmStore/Global/CurrentProfiles** -

                              Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

                              -

                              Value type in integer. Supported operation is Get.

                              +

                              Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

                              +

                              Value type in integer. Supported operation is Get.

                              **MdmStore/Global/DisableStatefulFtp** -

                              Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

                              -

                              Default value is false.

                              -

                              Data type is bool. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

                              +

                              Default value is false.

                              +

                              Data type is bool. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/SaIdleTime** -

                              This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              -

                              Default value is 300.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              +

                              Default value is 300.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/PresharedKeyEncoding** -

                              Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              -

                              Default value is 1.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              +

                              Default value is 1.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/IPsecExempt** -

                              This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              -

                              Default value is 0.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              +

                              Default value is 0.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/CRLcheck** -

                              This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

                              +

                              This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

                              • 0 disables CRL checking
                              • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
                              • 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
                              -

                              Default value is 0.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Default value is 0.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/PolicyVersion** -

                              This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

                              +

                              Value type is string. Supported operation is Get.

                              **MdmStore/Global/BinaryVersionSupported** -

                              This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

                              +

                              Value type is string. Supported operation is Get.

                              **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -

                              This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                              -

                              Boolean value. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                              +

                              Boolean value. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/EnablePacketQueue** -

                              This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:

                              +

                              This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:

                              • 0x00 indicates that all queuing is to be disabled
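Review bot: Several re-added lines in this hunk carry wording errors forward unchanged: "Value type in integer." under both PolicyVersionSupported and CurrentProfiles should read "Value type is integer.", "Valid valued:" at the end of the CRLcheck description should read "Valid values:", and "Supported operations are Get." under MdmStore/Global lists a single operation. Fix them while the lines are being rewritten. For CRLcheck it would also help to say next to "Default value is 0." that this default corresponds to the "0 disables CRL checking" entry, so a reader does not have to match the number against the list to learn that revocation checking is off unless configured.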
                              • @@ -172,71 +172,71 @@ Firewall
                              • 0x02 specifies that packets are to be queued after decryption is performed for forwarding
                              -

                              Default value is 0.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Default value is 0.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/DomainProfile** -

                              Interior node. Supported operation is Get.

                              +

                              Interior node. Supported operation is Get.

                              **MdmStore/PrivateProfile** -

                              Interior node. Supported operation is Get.

                              +

                              Interior node. Supported operation is Get.

                              **MdmStore/PublicProfile** -

                              Interior node. Supported operation is Get.

                              +

                              Interior node. Supported operation is Get.

                              **/EnableFirewall** -

                              Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/DisableStealthMode** -

                              Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is false.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is false.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/Shielded** -

                              Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

                              -

                              Default value is false.

                              -

                              Value type is bool. Supported operations are Get and Replace.

                              +

                              Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

                              +

                              Default value is false.

                              +

                              Value type is bool. Supported operations are Get and Replace.

                              **/DisableUnicastResponsesToMulticastBroadcast** -

                              Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is false.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is false.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/DisableInboundNotifications** -

                              Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is false.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is false.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/AuthAppsAllowUserPrefMerge** -

                              Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/GlobalPortsAllowUserPrefMerge** -

                              Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/AllowLocalPolicyMerge** -

                              Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/AllowLocalIpsecPolicyMerge** -

                              Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/DefaultOutboundAction** -

                              This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.

                              +

                              This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.

                              • 0x00000000 - allow
                              • 0x00000001 - block
                              -

                              Default value is 0 (allow).

                              -

                              Value type is integer. Supported operations are Add, Get and Replace.

                              +

                              Default value is 0 (allow).

                              +

                              Value type is integer. Supported operations are Add, Get and Replace.
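
Review bot: The added DefaultOutboundAction paragraph ends with "DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block", but the added default line for the same node says "Default value is 0 (allow)". The two statements conflict as written. Reword the last sentence, for example to describe what happens when the value is set to 1 (block), so an admin does not assume outbound traffic is blocked by default.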

                              Sample syncxml to provision the firewall settings to evaluate @@ -263,70 +263,70 @@ Sample syncxml to provision the firewall settings to evaluate ``` **/DefaultInboundAction** -

                              This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

                              +

                              This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

                              • 0x00000000 - allow
                              • 0x00000001 - block
                              -

                              Default value is 1 (block).

                              -

                              Value type is integer. Supported operations are Add, Get and Replace.

                              +

                              Default value is 1 (block).

                              +

                              Value type is integer. Supported operations are Add, Get and Replace.

                              **/DisableStealthModeIpsecSecuredPacketExemption** -

                              Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **FirewallRules** -

                              A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

                              +

                              A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

                              **FirewallRules/_FirewallRuleName_** -

                              Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

                              -

                              Supported operations are Add, Get, Replace, and Delete.

                              +

                              Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

                              +

                              Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/App** -

                              Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

                              +

                              Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

                              • PackageFamilyName
                              • FilePath
                              • FQBN
                              • ServiceName
                              -

                              If not specified, the default is All.

                              -

                              Supported operation is Get.

                              +

                              If not specified, the default is All.

                              +

                              Supported operation is Get.

                              **FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -

                              This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/App/FilePath** -

                              This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/App/Fqbn** -

                              Fully Qualified Binary Name

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Fully Qualified Binary Name

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/App/ServiceName** -

                              This is a service name used in cases when a service, not an application, is sending or receiving traffic.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This is a service name used in cases when a service, not an application, is sending or receiving traffic.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/Protocol** -

                              0-255 number representing the ip protocol (TCP = 6, UDP = 17)

                              -

                              If not specified, the default is All.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              0-255 number representing the ip protocol (TCP = 6, UDP = 17)

                              +

                              If not specified, the default is All.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/LocalPortRanges** -

                              Comma separated list of ranges. For example, 100-120,200,300-320.

                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Comma separated list of ranges. For example, 100-120,200,300-320.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/RemotePortRanges** -

                              Comma separated list of ranges, For example, 100-120,200,300-320.

                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Comma separated list of ranges, For example, 100-120,200,300-320.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

                              Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

                              +

                              Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

                              • "*" indicates any local address. If present, this must be the only token included.
                              • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
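
Review bot: In the added DefaultInboundAction paragraph, "GroupPolicyRSoPStore.win" carries a typo over from the removed line; it should read "GroupPolicyRSoPStore win", matching the wording under DisableStealthModeIpsecSecuredPacketExemption later in this hunk. Since the line is being touched anyway, fix it here. The added RemotePortRanges line also has "ranges, For example" where LocalPortRanges has "ranges. For example".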
                              • @@ -334,11 +334,11 @@ Sample syncxml to provision the firewall settings to evaluate
                              • An IPv4 address range in the format of "start address - end address" with no spaces included.
                              • An IPv6 address range in the format of "start address - end address" with no spaces included.
                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -

                              List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

                              +

                              List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

                              • "*" indicates any remote address. If present, this must be the only token included.
                              • "Defaultgateway"
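
Review bot: The default for the address-range nodes is worded two ways in this hunk: the added paragraph under LocalAddressRanges says "If not specified, the default is All", while the added RemoteAddressRanges intro says the default value is "*". If these mean the same thing, use one wording in both places so readers do not look for an "All" token that the visible token list does not define.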
                              • @@ -355,70 +355,70 @@ Sample syncxml to provision the firewall settings to evaluate
                              • An IPv4 address range in the format of "start address - end address" with no spaces included.
                              • An IPv6 address range in the format of "start address - end address" with no spaces included.
                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              -

                              The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.

                              **FirewallRules/_FirewallRuleName_/Description** -

                              Specifies the description of the rule.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Specifies the description of the rule.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/Enabled** -

                              Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -

                              If not specified - a new rule is enabled by default.

                              -

                              Boolean value. Supported operations are Get and Replace.

                              +

                              Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +

                              If not specified - a new rule is enabled by default.

                              +

                              Boolean value. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/Profiles** -

                              Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

                              -

                              If not specified, the default is All.

                              -

                              Value type is integer. Supported operations are Get and Replace.

                              +

                              Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

                              +

                              If not specified, the default is All.

                              +

                              Value type is integer. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/Action** -

                              Specifies the action for the rule.

                              -

                              Supported operation is Get.

                              +

                              Specifies the action for the rule.

                              +

                              Supported operation is Get.

                              **FirewallRules/_FirewallRuleName_/Action/Type** -

                              Specifies the action the rule enforces. Supported values:

                              +

                              Specifies the action the rule enforces. Supported values:

                              • 0 - Block
                              • 1 - Allow
                              -

                              If not specified, the default is allow.

                              -

                              Value type is integer. Supported operations are Get and Replace.

                              +

                              If not specified, the default is allow.

                              +

                              Value type is integer. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/Direction** -

                              The rule is enabled based on the traffic direction as following. Supported values:

                              +

                              The rule is enabled based on the traffic direction as following. Supported values:

                              • IN - the rule applies to inbound traffic.
                              • OUT - the rule applies to outbound traffic.
                              • If not specified, the default is Out.
                              -

                              Value type is string. Supported operations are Get and Replace.

                              +

                              Value type is string. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/InterfaceTypes** -

                              Comma separated list of interface types. Valid values:

                              +

                              Comma separated list of interface types. Valid values:

                              • RemoteAccess
                              • Wireless
                              • Lan
                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Get and Replace.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/EdgeTraversal** -

                              Indicates whether edge traversal is enabled or disabled for this rule.

                              -

                              The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

                              -

                              New rules have the EdgeTraversal property disabled by default.

                              -

                              Value type is bool. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Indicates whether edge traversal is enabled or disabled for this rule.

                              +

                              The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

                              +

                              New rules have the EdgeTraversal property disabled by default.

                              +

                              Value type is bool. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -

                              Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/Status** -

                              Provides information about the specific version of the rule in deployment for monitoring purposes.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Provides information about the specific version of the rule in deployment for monitoring purposes.

                              +

                              Value type is string. Supported operation is Get.

                              **FirewallRules/_FirewallRuleName_/Name** -

                              Name of the rule.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Name of the rule.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.
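
Review bot: Action/Type lists "0 - Block" and "1 - Allow", the reverse of the 0 = allow / 1 = block encoding that DefaultInboundAction and DefaultOutboundAction use earlier in this file. Both may be correct, but a sentence under Action/Type calling out the difference would keep someone from deploying an allow rule when they meant block. Smaller points in the same hunk: the added Profiles line has a stray ". ." after "Public", and Direction lists "If not specified, the default is Out." as a bullet alongside the IN and OUT values rather than as a separate sentence.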

                              diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 03fb5b432d..e570b9890d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -26,18 +26,18 @@ The following is a list of functions performed by the Device HealthAttestation C ## Terms **TPM (Trusted Platform Module)** -

                              TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

                              +

                              TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

                              **DHA (Device HealthAttestation) feature** -

                              The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

                              +

                              The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

                              **DHA-Enabled device (Device HealthAttestation enabled device)** -

                              A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.

                              +

                              A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.

                              **DHA-Session (Device HealthAttestation session)** -

                              The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

                              +

                              The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

                              -

                              The following list of transactions is performed in one DHA-Session:

                              +

                              The following list of transactions is performed in one DHA-Session:

                              • DHA-CSP and DHA-Service communication:
                                • DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
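
Review bot: In the added TPM definition, "hardware-protected logic" and "hardware protected security operations" hyphenate the same compound differently within one sentence; use "hardware-protected" in both places. The sentence would also read better as "TPM is specialized hardware-protected logic", without the article.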
                                • @@ -57,7 +57,7 @@ The following is a list of functions performed by the Device HealthAttestation C healthattestation session diagram
                                  DHA session data (Device HealthAttestation session data) -

                                  The following list of data is produced or consumed in one DHA-Transaction:

                                  +

                                  The following list of data is produced or consumed in one DHA-Transaction:

                                  • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.
                                  • DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
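
Review bot: The added sentence refers to "one DHA-Transaction", but the term defined earlier in this file is DHA-Session and the heading here is "DHA session data"; no DHA-Transaction is defined in the visible text. Change it to "one DHA-Session" or add a definition for the new term.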
                                  • @@ -73,9 +73,9 @@ The following is a list of functions performed by the Device HealthAttestation C
                                  DHA-Enabled MDM (Device HealthAttestation enabled device management solution) -

                                  Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.

                                  -

                                  DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.

                                  -

                                  The following list of operations is performed by DHA-Enabled-MDM

                                  +

                                  Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.

                                  +

                                  DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.

                                  +

                                  The following list of operations is performed by DHA-Enabled-MDM

                                  • Enables the DHA feature on a DHA-Enabled device
                                  • Issues device health attestation requests to enrolled/managed devices
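
Review bot: The added line "The following list of operations is performed by DHA-Enabled-MDM" is missing the trailing colon that the matching DHA-CSP and DHA-Service lead-ins have, and it spells the term "DHA-Enabled-MDM" where the heading uses "DHA-Enabled MDM". Align the punctuation and the spelling.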
                                  • @@ -84,8 +84,8 @@ The following is a list of functions performed by the Device HealthAttestation C
                                  DHA-CSP (Device HealthAttestation Configuration Service Provider) -

                                  The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.

                                  -

                                  The following list of operations is performed by DHA-CSP:

                                  +

                                  The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.

                                  +

                                  The following list of operations is performed by DHA-CSP:

                                  • Collects device boot data (DHA-BootData) from a managed device
                                  • Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
                                  • @@ -94,10 +94,10 @@ The following is a list of functions performed by the Device HealthAttestation C
                                  DHA-Service (Device HealthAttestation Service) -

                                  Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

                                  +

                                  Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

                                  -

                                  DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

                                  -

                                  The following list of operations is performed by DHA-Service:

                                  +

                                  DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

                                  +

                                  The following list of operations is performed by DHA-Service:

                                  - Receives device boot data (DHA-BootData) from a DHA-Enabled device - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) @@ -120,8 +120,8 @@ The following is a list of functions performed by the Device HealthAttestation C -Device Health Attestation – Cloud

                                  (DHA-Cloud)

                                  -

                                  DHA-Cloud is a Microsoft owned and operated DHA-Service that is:

                                  +Device Health Attestation – Cloud

                                  (DHA-Cloud)

                                  +

                                  DHA-Cloud is a Microsoft owned and operated DHA-Service that is:

                                  • Available in Windows for free
                                  • Running on a high-availability and geo-balanced cloud infrastructure
                                  • @@ -134,12 +134,12 @@ The following is a list of functions performed by the Device HealthAttestation C
                                -No cost +No cost -Device Health Attestation – On Premise

                                (DHA-OnPrem)

                                -

                                DHA-OnPrem refers to DHA-Service that is running on premises:

                                +Device Health Attestation – On Premise

                                (DHA-OnPrem)

                                +

                                DHA-OnPrem refers to DHA-Service that is running on premises:

                                • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
                                • Hosted on an enterprise owned and managed server device/hardware
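Review bot: The re-added heading reads "Device Health Attestation – On Premise", but the paragraph under it says the service is "running on premises"; "premise" is a different word, so the heading should read "On-Premises" (the DHA-OnPrem label can stay as it is). In the first unchanged bullet, "Offered to Windows Server 2016 customer" should be plural, matching the equivalent DHA-EMC bullet.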
                                • @@ -152,11 +152,11 @@ The following is a list of functions performed by the Device HealthAttestation C
                              -The operation cost of running one or more instances of Server 2016 on-premises. +The operation cost of running one or more instances of Server 2016 on-premises. -Device Health Attestation - Enterprise-Managed Cloud

                              (DHA-EMC)

                              -

                              DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.

                              +Device Health Attestation - Enterprise-Managed Cloud

                              (DHA-EMC)

                              +

                              DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.

                              • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
                              • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
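Review bot: In the re-added DHA-EMC paragraph, "a Windows Server 2016 compatible - enterprise-managed cloud service" carries a stray spaced hyphen that splits the noun phrase; suggest "a Windows Server 2016 compatible, enterprise-managed cloud service". The heading in this hunk also uses a hyphen ("Device Health Attestation - Enterprise-Managed Cloud") where the Cloud and On Premise headings use an en dash, and the first bullet states the licensing point twice ("with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)").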
                              • @@ -168,7 +168,7 @@ The following is a list of functions performed by the Device HealthAttestation C
                            -The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. +The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. @@ -193,19 +193,19 @@ HealthAttestation ----MaxSupportedProtocolVersion ``` **./Vendor/MSFT/HealthAttestation** -

                            The root node for the device HealthAttestation configuration service provider.

                            +

                            The root node for the device HealthAttestation configuration service provider.

                            **VerifyHealth** (Required) -

                            Notifies the device to prepare a device health verification request.

                            +

                            Notifies the device to prepare a device health verification request.

                            -

                            The supported operation is Execute.

                            +

                            The supported operation is Execute.

                            **Status** (Required) -

                            Provides the current status of the device health request.

                            +

                            Provides the current status of the device health request.

                            -

                            The supported operation is Get.

                            +

                            The supported operation is Get.

                            -

                            The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.

                            +

                            The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.

                            - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device @@ -213,35 +213,35 @@ HealthAttestation - 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up **ForceRetrieve** (Optional) -

                            Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.

                            +

                            Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.

                            -

                            Boolean value. The supported operation is Replace.

                            +

                            Boolean value. The supported operation is Replace.

                            **Certificate** (Required) -

                            Instructs the DHA-CSP to forward DHA-Data to the MDM server.

                            +

                            Instructs the DHA-CSP to forward DHA-Data to the MDM server.

                            -

                            Value type is b64.The supported operation is Get.

                            +

                            Value type is b64.The supported operation is Get.

                            **Nonce** (Required) -

                            Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.

                            +

                            Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.

                            -

                            The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.

                            +

                            The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.

                            -

                            The supported operations are Get and Replace.

                            +

                            The supported operations are Get and Replace.

                            **CorrelationId** (Required) -

                            Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.

                            +

                            Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.

                            -

                            Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.

                            +

                            Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.

                            **HASEndpoint** (Optional) -

                            Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.

                            +

                            Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.

                            -

                            Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.

                            +

                            Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.

                            **TpmReadyStatus** (Required) -

                            Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.

                            -

                            Value type is integer. The supported operation is Get.

                            +

                            Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.

                            +

                            Value type is integer. The supported operation is Get.

                            ## **DHA-CSP integration steps** @@ -508,14 +508,14 @@ The following list of data points are verified by the DHA-Service in DHA-Report Each of these are described in further detail in the following sections, along with the recommended actions to take. **Issued** -

                            The date and time DHA-report was evaluated or issued to MDM.

                            +

                            The date and time DHA-report was evaluated or issued to MDM.

                            **AIKPresent** -

                            When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.

                            +

                            When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.

                            -

                            If AIKPresent = True (1), then allow access.

                            +

                            If AIKPresent = True (1), then allow access.

                            -

                            If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:

                            +

                            If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -523,24 +523,24 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) -

                            This attribute reports the number of times a PC device has hibernated or resumed.

                            +

                            This attribute reports the number of times a PC device has hibernated or resumed.

                            **RestartCount** (Reported only for devices that support TPM 2.0) -

                            This attribute reports the number of times a PC device has rebooted

                            +

                            This attribute reports the number of times a PC device has rebooted

                            **DEPPolicy** -

                            A device can be trusted more if the DEP Policy is enabled on the device.

                            +

                            A device can be trusted more if the DEP Policy is enabled on the device.

                            -

                            Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.

                            +

                            Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.

                            -

                            DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            +

                            DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            - To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** -

                            If DEPPolicy = 1 (On), then allow access.

                            +

                            If DEPPolicy = 1 (On), then allow access.

                            -

                            If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:

                            +

                            If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -548,15 +548,15 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -

                            When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

                            +

                            When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

                            -

                            Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

                            +

                            Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

                            -

                            If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.

                            +

                            If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.

                            -

                            If BitLockerStatus = 1 (On), then allow access.

                            +

                            If BitLockerStatus = 1 (On), then allow access.

                            -

                            If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:

                            +

                            If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -564,11 +564,11 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** -

                            This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.

                            +

                            This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.

                            -

                            If BootManagerRevListVersion = [CurrentVersion], then allow access.

                            +

                            If BootManagerRevListVersion = [CurrentVersion], then allow access.

                            -

                            If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                            +

                            If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI and MBI assets @@ -576,11 +576,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** -

                            This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

                            +

                            This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

                            -

                            If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.

                            +

                            If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.

                            -

                            If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                            +

                            If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI and MBI assets @@ -588,11 +588,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** -

                            When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

                            +

                            When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

                            -

                            If SecureBootEnabled = 1 (True), then allow access.

                            +

                            If SecureBootEnabled = 1 (True), then allow access.

                            -

                            If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            +

                            If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -600,16 +600,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -

                            Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

                            +

                            Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

                            -

                            Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            +

                            Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            - To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** -

                            If BootdebuggingEnabled = 0 (False), then allow access.

                            +

                            If BootdebuggingEnabled = 0 (False), then allow access.

                            -

                            If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            +

                            If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -617,11 +617,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** -

                            OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

                            +

                            OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

                            -

                            If OSKernelDebuggingEnabled = 0 (False), then allow access.

                            +

                            If OSKernelDebuggingEnabled = 0 (False), then allow access.

                            -

                            If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            +

                            If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -629,15 +629,15 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** -

                            When code integrity is enabled, code execution is restricted to integrity verified code.

                            +

                            When code integrity is enabled, code execution is restricted to integrity verified code.

                            -

                            Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.

                            +

                            Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.

                            -

                            On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

                            +

                            On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

                            -

                            If CodeIntegrityEnabled = 1 (True), then allow access.

                            +

                            If CodeIntegrityEnabled = 1 (True), then allow access.

                            -

                            If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            +

                            If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -645,16 +645,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** -

                            When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.

                            +

                            When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.

                            -

                            Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            +

                            Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            - To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** -

                            If TestSigningEnabled = 0 (False), then allow access.

                            +

                            If TestSigningEnabled = 0 (False), then allow access.

                            -

                            If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            +

                            If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI and MBI assets @@ -662,33 +662,33 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** -

                            Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

                            +

                            Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

                            -

                            If SafeMode = 0 (False), then allow access.

                            +

                            If SafeMode = 0 (False), then allow access.

                            -

                            If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:

                            +

                            If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** -

                            Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.

                            +

                            Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.

                            -

                            If WinPE = 0 (False), then allow access.

                            +

                            If WinPE = 0 (False), then allow access.

                            -

                            If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

                            +

                            If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

                            **ELAMDriverLoaded** (Windows Defender) -

                            To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

                            +

                            To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

                            -

                            In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

                            +

                            In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

                            -

                            If a device is expected to use a 3rd party antivirus program, ignore the reported state.

                            +

                            If a device is expected to use a 3rd party antivirus program, ignore the reported state.

                            -

                            If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

                            +

                            If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

                            -

                            If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:

                            +

                            If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
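Review bot: The leading context of this hunk gives the corrective action for a device that reports test signing as "enabling test signing using WMI or a PowerShell script", but the page allows access only when TestSigningEnabled = 0, so the remediation should read "disabling test signing". Two smaller wording points in the unchanged bullets and added lines: "contact the owner investigate the issue" under SafeMode is missing "to" or "and" before "investigate", and "Windows pre-installation Environment" should be capitalized consistently.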

                            - Disallow all access - Disallow access to HBI assets @@ -696,61 +696,61 @@ Each of these are described in further detail in the following sections, along w **Bcdedit.exe /set {current} vsmlaunchtype auto** -

                            If ELAMDriverLoaded = 1 (True), then allow access.

                            +

                            If ELAMDriverLoaded = 1 (True), then allow access.

                            -

                            If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:

                            +

                            If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -

                            Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.

                            +

                            Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.

                            -

                            VSM can be enabled by using the following command in WMI or a PowerShell script:

                            +

                            VSM can be enabled by using the following command in WMI or a PowerShell script:

                            -

                            bcdedit.exe /set {current} vsmlaunchtype auto

                            +

                            bcdedit.exe /set {current} vsmlaunchtype auto

                            -

                            If VSMEnabled = 1 (True), then allow access.

                            -

                            If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            +

                            If VSMEnabled = 1 (True), then allow access.

                            +

                            If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** -

                            This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.

                            +

                            This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.

                            **BootAppSVN** -

                            This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device

                            +

                            This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device

                            -

                            If reported BootAppSVN equals an accepted value, then allow access.

                            +

                            If reported BootAppSVN equals an accepted value, then allow access.

                            -

                            If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            +

                            If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** -

                            This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.

                            +

                            This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.

                            -

                            If reported BootManagerSVN equals an accepted value, then allow access.

                            +

                            If reported BootManagerSVN equals an accepted value, then allow access.

                            -

                            If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            +

                            If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** -

                            This attribute identifies the version of the TPM that is running on the attested device.

                            -

                            TPMVersion node provides to replies "1" and "2":

                            +

                            This attribute identifies the version of the TPM that is running on the attested device.

                            +

                            TPMVersion node provides to replies "1" and "2":

                            • 1 means TPM specification version 1.2
                            • 2 means TPM specification version 2.0
                            -

                            Based on the reply you receive from TPMVersion node:

                            +

                            Based on the reply you receive from TPMVersion node:
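Review bot: The added lines "If ELAMDriverLoaded = 1 (True), then allow access." and "If ELAMDriverLoaded = 0 (False), then take one of the following actions" restate the ELAM rule without the "expected to use Windows Defender" condition used in the preceding hunk, which conflicts with the guidance there to ignore the reported state on devices that use a 3rd party antivirus program. They also follow a **Bcdedit.exe /set {current} vsmlaunchtype auto** line that appears ahead of the **VSMEnabled** heading, where that command is documented. Either drop the unconditional pair or fold it under the Windows Defender condition, and move the command under VSMEnabled. In the TPMVersion block, "provides to replies" should be "provides two replies".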

                            - If reported TPMVersion equals an accepted value, then allow access. - If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: @@ -758,63 +758,63 @@ Each of these are described in further detail in the following sections, along w - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** -

                            The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

                            +

                            The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

                            -

                            Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

                            +

                            Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

                            -

                            If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.

                            +

                            If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.

                            -

                            If PCR[0] equals an accepted allow list value, then allow access.

                            +

                            If PCR[0] equals an accepted allow list value, then allow access.

                            -

                            If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:

                            +

                            If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** -

                            SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.

                            +

                            SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.

                            -

                            If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +

                            If SBCPHash is not present, or is an accepted allow-listed value, then allow access. -

                            If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                            +

                            If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** -

                            This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.

                            +

                            This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.

                            -

                            If CIPolicy is not present, or is an accepted allow-listed value, then allow access.

                            +

                            If CIPolicy is not present, or is an accepted allow-listed value, then allow access.

                            -

                            If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                            +

                            If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** -

                            This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.

                            +

                            This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.

                            -

                            If reported BootRevListInfo version equals an accepted value, then allow access.

                            +

                            If reported BootRevListInfo version equals an accepted value, then allow access.

                            -

                            If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            +

                            If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** -

                            This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.

                            +

                            This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.

                            -

                            If reported OSRevListInfo version equals an accepted value, then allow access.

                            +

                            If reported OSRevListInfo version equals an accepted value, then allow access.

                            -

                            If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            +

                            If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** -

                            HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.

                            +

                            HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.

                            -

                            In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.

                            +

                            In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.

                            ## **Device HealthAttestation CSP status and error codes** 
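Review bot: Four of the added lines in the PCR0, SBCPHash and CIPolicy blocks carry over "a allow list" and "a allow-listed value"; these should read "an allow list" and "an allow-listed value". The SBCPHash description also has "finger print" for "fingerprint", and the blocks alternate between "allow list", "allow-listed value" and "accepted listed value", so pick one form and use it in every attribute rule.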
@@ -825,204 +825,204 @@ Each of these are described in further detail in the following sections, along w Description - 0 - HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED - This is the initial state for devices that have never participated in a DHA-Session. + 0 + HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED + This is the initial state for devices that have never participated in a DHA-Session. - 1 - HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED - This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. + 1 + HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED + This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. - 2 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED - This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. + 2 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED + This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. - 3 - HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE - This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. + 3 + HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE + This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. - 4 - HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL - Deprecated in Windows 10, version 1607. + 4 + HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL + Deprecated in Windows 10, version 1607. - 5 - HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL - DHA-CSP failed to get a claim quote. + 5 + HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL + DHA-CSP failed to get a claim quote. - 6 - HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY - DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. 
+ 6 + HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY + DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. - 7 - HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL - DHA-CSP failed in retrieving Windows AIK + 7 + HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL + DHA-CSP failed in retrieving Windows AIK - 8 - HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL - Deprecated in Windows 10, version 1607. + 8 + HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL + Deprecated in Windows 10, version 1607. - 9 - HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION - Invalid TPM version (TPM version is not 1.2 or 2.0) + 9 + HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION + Invalid TPM version (TPM version is not 1.2 or 2.0) - 10 - HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL - Nonce was not found in the registry. + 10 + HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL + Nonce was not found in the registry. - 11 - HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL - Correlation ID was not found in the registry. + 11 + HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL + Correlation ID was not found in the registry. - 12 - HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL - Deprecated in Windows 10, version 1607. + 12 + HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL + Deprecated in Windows 10, version 1607. - 13 - HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL - Deprecated in Windows 10, version 1607. + 13 + HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL + Deprecated in Windows 10, version 1607. - 14 - HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL - Failure in Encoding functions. (Extremely unlikely scenario) + 14 + HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL + Failure in Encoding functions. (Extremely unlikely scenario) - 15 - HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL - Deprecated in Windows 10, version 1607. + 15 + HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL + Deprecated in Windows 10, version 1607. 
- 16 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML - DHA-CSP failed to load the payload it received from DHA-Service + 16 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML + DHA-CSP failed to load the payload it received from DHA-Service - 17 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML - DHA-CSP received a corrupted response from DHA-Service. + 17 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML + DHA-CSP received a corrupted response from DHA-Service. - 18 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML - DHA-CSP received an empty response from DHA-Service. + 18 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML + DHA-CSP received an empty response from DHA-Service. - 19 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK - DHA-CSP failed in decrypting the AES key from the EK challenge. + 19 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK + DHA-CSP failed in decrypting the AES key from the EK challenge. - 20 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK - DHA-CSP failed in decrypting the health cert with the AES key. + 20 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK + DHA-CSP failed in decrypting the health cert with the AES key. - 21 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB - DHA-CSP failed in exporting the AIK Public Key. + 21 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB + DHA-CSP failed in exporting the AIK Public Key. - 22 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY - DHA-CSP failed in trying to create a claim with AIK attestation data. + 22 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY + DHA-CSP failed in trying to create a claim with AIK attestation data. - 23 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB - DHA-CSP failed in appending the AIK Pub to the request blob. + 23 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB + DHA-CSP failed in appending the AIK Pub to the request blob. 
- 24 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT - DHA-CSP failed in appending the AIK Cert to the request blob. + 24 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT + DHA-CSP failed in appending the AIK Cert to the request blob. - 25 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE - DHA-CSP failed to obtain a Session handle. + 25 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE + DHA-CSP failed to obtain a Session handle. - 26 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE - DHA-CSP failed to connect to the DHA-Service. + 26 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE + DHA-CSP failed to connect to the DHA-Service. - 27 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE - DHA-CSP failed to create a HTTP request handle. + 27 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE + DHA-CSP failed to create a HTTP request handle. - 28 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION - DHA-CSP failed to set options. + 28 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION + DHA-CSP failed to set options. - 29 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS - DHA-CSP failed to add request headers. + 29 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS + DHA-CSP failed to add request headers. - 30 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST - DHA-CSP failed to send the HTTP request. + 30 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST + DHA-CSP failed to send the HTTP request. - 31 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE - DHA-CSP failed to receive a response from the DHA-Service. + 31 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE + DHA-CSP failed to receive a response from the DHA-Service. - 32 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS - DHA-CSP failed to query headers when trying to get HTTP status code. 
+ 32 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS + DHA-CSP failed to query headers when trying to get HTTP status code. - 33 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE - DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. + 33 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE + DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. - 34 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE - DHA-CSP received an empty response along with a HTTP error code from DHA-Service. + 34 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE + DHA-CSP received an empty response along with a HTTP error code from DHA-Service. - 35 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER - DHA-CSP failed to impersonate user. + 35 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER + DHA-CSP failed to impersonate user. - 36 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR - DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. + 36 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR + DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. - 0xFFFF - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN - DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. + 0xFFFF + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN + DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. - 400 - Bad_Request_From_Client - DHA-CSP has received a bad (malformed) attestation request. + 400 + Bad_Request_From_Client + DHA-CSP has received a bad (malformed) attestation request. - 404 - Endpoint_Not_Reachable - DHA-Service is not reachable by DHA-CSP + 404 + Endpoint_Not_Reachable + DHA-Service is not reachable by DHA-CSP 
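Review bot: The 400 row reads inverted: the code is named Bad_Request_From_Client, yet its description says DHA-CSP "has received a bad (malformed) attestation request", while every other row treats DHA-CSP as the side that sends requests to DHA-Service. Confirm which component rejects the request and reword the description to match. The re-added descriptions are also inconsistent in form: codes 7, 9, 16 and 404 have no terminal period while the others do, codes 27 and 34 say "a HTTP" where "an HTTP" is expected, and 0xFFFF is the only code written in hexadecimal among decimal values, which deserves a short remark in the table or a decimal equivalent.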
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 875c7d0ded..f2da07d4e2 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -41,12 +41,12 @@ The Store for Business provides services that enable a management tool to synchr -

                            Application data

                            -

                            The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.

                            +

                            Application data

                            +

                            The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.

                            -

                            Licensing models

                            -

                            Offline vs. Online

                            +

                            Licensing models

                            +

                            Offline vs. Online

                            Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.

                            Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
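Review bot: The two context paragraphs that close this hunk have agreement errors that should be fixed while the lines above them are being touched: "Assigning or reclaiming seats for an application require a call" needs "requires", and "Offline-licensed application do not require connectivity to the store, however it can be updated" should read "Offline-licensed applications do not require connectivity to the store; however, they can be updated".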

                            diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index ad2d4edddc..69893ff362 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -21,36 +21,36 @@ The following diagram shows the Messaging configuration service provider in tree **./User/Vendor/MSFT/Messaging** -

                            Root node for the Messaging configuration service provider.

                            +

                            Root node for the Messaging configuration service provider.

                            **AuditingLevel** -

                            Turns on the "Text" auditing feature.

                            -

                            The following list shows the supported values:

                            +

                            Turns on the "Text" auditing feature.

                            +

                            The following list shows the supported values:

                            • 0 (Default) - Off
                            • 1 - On
                            -

                            Supported operations are Get and Replace.

                            +

                            Supported operations are Get and Replace.

                            **Auditing** -

                            Node for auditing.

                            -

                            Supported operation is Get.

                            +

                            Node for auditing.

                            +

                            Supported operation is Get.

                            **Messages** -

                            Node for messages.

                            -

                            Supported operation is Get.

                            +

                            Node for messages.

                            +

                            Supported operation is Get.

                            **Count** -

                            The number of messages to return in the Data setting. The default is 100.

                            -

                            Supported operations are Get and Replace.

                            +

                            The number of messages to return in the Data setting. The default is 100.

                            +

                            Supported operations are Get and Replace.

                            **RevisionId** -

                            Retrieves messages whose revision ID is greater than RevisionId.

                            -

                            Supported operations are Get and Replace.

                            +

                            Retrieves messages whose revision ID is greater than RevisionId.

                            +

                            Supported operations are Get and Replace.

                            **Data** -

                            The JSON string of text messages on the device.

                            -

                            Supported operations are Get and Replace.

                            +

                            The JSON string of text messages on the device.

                            +

                            Supported operations are Get and Replace.

                            **SyncML example** diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 6c898afe02..ceacdde6dd 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -140,53 +140,53 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma -
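Review bot: in the messaging-csp.md hunk that ends at the **SyncML example** context line, the **AuditingLevel** description says it 'Turns on the "Text" auditing feature', but the supported values are 0 (Off) and 1 (On), so the node turns the feature on or off; suggest rewording to match the value list. It is also worth confirming that Replace is intended on **Data**, which is described as the JSON string of text messages on the device and sits under **Auditing** and **Messages**, both listed as Get only.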

                            s:

                            -

                            MessageFormat

                            -

                            MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

                            -

                            Message format is bad

                            -

                            80180001

                            +

                            s:

                            +

                            MessageFormat

                            +

                            MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

                            +

                            Message format is bad

                            +

                            80180001

                            -

                            s:

                            -

                            Authentication

                            -

                            MENROLL_E_DEVICE_AUTHENTICATION_ERROR

                            -

                            User not recognized

                            -

                            80180002

                            +

                            s:

                            +

                            Authentication

                            +

                            MENROLL_E_DEVICE_AUTHENTICATION_ERROR

                            +

                            User not recognized

                            +

                            80180002

                            -

                            s:

                            -

                            Authorization

                            -

                            MENROLL_E_DEVICE_AUTHORIZATION_ERROR

                            -

                            User not allowed to enroll

                            -

                            80180003

                            +

                            s:

                            +

                            Authorization

                            +

                            MENROLL_E_DEVICE_AUTHORIZATION_ERROR

                            +

                            User not allowed to enroll

                            +

                            80180003

                            -

                            s:

                            -

                            CertificateRequest

                            -

                            MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR

                            -

                            Failed to get certificate

                            -

                            80180004

                            +

                            s:

                            +

                            CertificateRequest

                            +

                            MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR

                            +

                            Failed to get certificate

                            +

                            80180004

                            -

                            s:

                            -

                            EnrollmentServer

                            -

                            MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

                            - -

                            80180005

                            +

                            s:

                            +

                            EnrollmentServer

                            +

                            MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

                            + +

                            80180005

                            -

                            a:

                            -

                            InternalServiceFault

                            -

                            MENROLL_E_DEVICE_INTERNALSERVICE_ERROR

                            -

                            The server hit an unexpected issue

                            -

                            80180006

                            +

                            a:

                            +

                            InternalServiceFault

                            +

                            MENROLL_E_DEVICE_INTERNALSERVICE_ERROR

                            +

                            The server hit an unexpected issue

                            +

                            80180006

                            -

                            a:

                            -

                            InvalidSecurity

                            -

                            MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

                            -

                            Cannot parse the security header

                            -

                            80180007

                            +

                            a:

                            +

                            InvalidSecurity

                            +

                            MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

                            +

                            Cannot parse the security header

                            +

                            80180007
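Review bot: in the CertificateRequest row, the identifier MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR reads as a misspelling of CERTIFICATE and is carried unchanged from the removed line to the added line; check it against the constant's defined name and correct it, or state that the spelling is intentional so readers who search for the code are not misled. In the EnrollmentServer row (80180005) the description cell is empty on both sides of the change while every other row has text; add a description.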

                            @@ -240,46 +240,46 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. -

                            DeviceCapReached

                            -

                            MENROLL_E_DEVICECAPREACHED

                            -

                            User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.

                            -

                            80180013

                            +

                            DeviceCapReached

                            +

                            MENROLL_E_DEVICECAPREACHED

                            +

                            User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.

                            +

                            80180013

                            -

                            DeviceNotSupported

                            -

                            MENROLL_E_DEVICENOTSUPPORTED

                            -

                            Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.

                            -

                            80180014

                            +

                            DeviceNotSupported

                            +

                            MENROLL_E_DEVICENOTSUPPORTED

                            +

                            Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.

                            +

                            80180014

                            -

                            NotSupported

                            -

                            MENROLL_E_NOTSUPPORTED

                            -

                            Mobile device management generally not supported (would save an admin call)

                            -

                            80180015

                            +

                            NotSupported

                            +

                            MENROLL_E_NOTSUPPORTED

                            +

                            Mobile device management generally not supported (would save an admin call)

                            +

                            80180015

                            -

                            NotEligibleToRenew

                            -

                            MENROLL_E_NOTELIGIBLETORENEW

                            -

                            Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.

                            -

                            80180016

                            +

                            NotEligibleToRenew

                            +

                            MENROLL_E_NOTELIGIBLETORENEW

                            +

                            Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.

                            +

                            80180016

                            -

                            InMaintenance

                            -

                            MENROLL_E_INMAINTENANCE

                            -

                            Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.

                            -

                            80180017

                            +

                            InMaintenance

                            +

                            MENROLL_E_INMAINTENANCE

                            +

                            Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.

                            +

                            80180017

                            -

                            UserLicense

                            -

                            MENROLL_E_USERLICENSE

                            -

                            License of user is in bad state and blocking the enrollment. The user needs to call the admin.

                            -

                            80180018

                            +

                            UserLicense

                            +

                            MENROLL_E_USERLICENSE

                            +

                            License of user is in bad state and blocking the enrollment. The user needs to call the admin.

                            +

                            80180018

                            -

                            InvalidEnrollmentData

                            -

                            MENROLL_E_ENROLLMENTDATAINVALID

                            -

                            The server rejected the enrollment data. The server may not be configured correctly.

                            -

                            80180019

                            +

                            InvalidEnrollmentData

                            +

                            MENROLL_E_ENROLLMENTDATAINVALID

                            +

                            The server rejected the enrollment data. The server may not be configured correctly.

                            +

                            80180019
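Review bot: in the NotEligibleToRenew row (80180016), "Client might show notification for this if Robo fails" uses "Robo" without defining it anywhere in this hunk; spell the term out or link to the section that defines it. In the same table, "would not know when problem is solved" (InMaintenance) and "License of user is in bad state" (UserLicense) are missing articles and could be tidied in the same pass.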

                            diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index f0fadc3fe5..19462512ee 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -45,79 +45,79 @@ NetworkQoSPolicy --------DSCPAction ``` **NetworkQoSPolicy** -

                            The root node for the NetworkQoSPolicy configuration service provider.

                            +

                            The root node for the NetworkQoSPolicy configuration service provider.

                            **Version** -

                            Specifies the version information. +

                            Specifies the version information. -

                            The data type is int. +

                            The data type is int. -

                            The only supported operation is Get. +

                            The only supported operation is Get. ***Name*** -

                            Node for the QoS policy name. +

                            Node for the QoS policy name. ***Name*/IPProtocolMatchCondition** -

                            Specifies the IP protocol used to match the network traffic. +

                            Specifies the IP protocol used to match the network traffic. -

                            Valid values are: +

                            Valid values are: - 0 (default) - Both TCP and UDP - 1 - TCP - 2 - UDP -

                            The data type is int. +

                            The data type is int. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/AppPathNameMatchCondition** -

                            Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. +

                            Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. -

                            The data type is char. +

                            The data type is char. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/SourcePortMatchCondition** -

                            Specifies a single port or a range of ports to be used to match the network traffic source. +

                            Specifies a single port or a range of ports to be used to match the network traffic source. -

                            Valid values are: +

                            Valid values are: - A range of source ports: _[first port number]_-_[last port number]_ - A single source port: _[port number]_ -

                            The data type is char. +

                            The data type is char. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/DestinationPortMatchCondition** -

                            Specifies a single source port or a range of ports to be used to match the network traffic destination. +

                            Specifies a single source port or a range of ports to be used to match the network traffic destination. -

                            Valid values are: +

                            Valid values are: - A range of destination ports: _[first port number]_-_[last port number]_ - A single destination port: _[port number]_ -

                            The data type is char. +

                            The data type is char. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/PriorityValue8021Action** -

                            Specifies the IEEE 802.1p priority value to apply to matching network traffic. +

                            Specifies the IEEE 802.1p priority value to apply to matching network traffic. -

                            Valid values are 0-7. +

                            Valid values are 0-7. -

                            The data type is int. +

                            The data type is int. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/DSCPAction** -

                            The differentiated services code point (DSCP) value to apply to matching network traffic. +

                            The differentiated services code point (DSCP) value to apply to matching network traffic. -

                            Valid values are 0-63. +

                            Valid values are 0-63. -

                            The data type is int. +

                            The data type is int. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ## Related topics diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 40757af748..5e8ad6957f 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -48,8 +48,8 @@ The following table shows the OMA DM standards that Windows uses. -
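Review bot: in the networkqospolicy-csp.md hunk that ends at the "## Related topics" context line, the ***Name*/DestinationPortMatchCondition** description says "Specifies a single source port or a range of ports to be used to match the network traffic destination", which looks copied from SourcePortMatchCondition. The valid-values list under it refers to destination ports, so suggest "a single port or a range of ports" to mirror the source-port wording. The same two nodes give the data type as char although the values are port strings such as a range; confirm the type name is what the CSP reports.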

                            Data transport and session

                            -
                              +

                              Data transport and session

                              +
                              • Client-initiated remote HTTPS DM session over SSL.

                              • Remote HTTPS DM session over SSL.

                              • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
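Review bot: both HTTPS bullets in the "Data transport and session" row describe the DM session as running "over SSL". SSL is the legacy name for the protocol; suggest "TLS" (or "SSL/TLS") so the row does not read as if a deprecated protocol version is required for device management sessions.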

                              • @@ -57,14 +57,14 @@ The following table shows the OMA DM standards that Windows uses.
                              -

                              Bootstrap XML

                              -
                                +

                                Bootstrap XML

                                +
                                • OMA Client Provisioning XML.

                                -

                                DM protocol commands

                                -

                                The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.

                                +

                                DM protocol commands

                                +

                                The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.

                                • Add (Implicit Add supported)

                                • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
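Review bot: in the Alert bullet of the "DM protocol commands" row, "Device alert (1224) is used to notify the server some device triggered event" is missing a preposition and a hyphen; suggest "to notify the server of a device-triggered event". The sentence above it cites the SyncML Representation Protocol document as "available from the OMA website" without a link, which would be worth adding.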

                                • @@ -95,16 +95,16 @@ The following table shows the OMA DM standards that Windows uses.

                                  Meta XML tag in SyncHdr is ignored by the device.

                                  -

                                  OMA DM standard objects

                                  -
                                    +

                                    OMA DM standard objects

                                    +
                                    • DevInfo

                                    • DevDetail

                                    • OMA DM DMS account objects (OMA DM version 1.2)

                                    -

                                    Security

                                    -
                                      +

                                      Security

                                      +
                                      • Authenticate DM server initiation notification SMS message (not used by enterprise management)

                                      • Application layer Basic and MD5 client authentication

                                      • Authenticate server with MD5 credential at application level

                                      • @@ -113,8 +113,8 @@ The following table shows the OMA DM standards that Windows uses.
                                      -

                                      Nodes

                                      -

                                      In the OMA DM tree, the following rules apply for the node name:

                                      +

                                      Nodes

                                      +

                                      In the OMA DM tree, the following rules apply for the node name:

                                      • "." can be part of the node name.

                                      • The node name cannot be empty.

                                      • @@ -122,8 +122,8 @@ The following table shows the OMA DM standards that Windows uses.
                                      -

                                      Provisioning Files

                                      -

                                      Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.

                                      +

                                      Provisioning Files

                                      +

                                      Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.

                                      If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.

                                      Note

                                      To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.

                                      @@ -133,12 +133,12 @@ The following table shows the OMA DM standards that Windows uses.
                                      -

                                      WBXML support

                                      -

                                      Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.

                                      +

                                      WBXML support

                                      +

                                      Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.

                                      -

                                      Handling of large objects

                                      -

                                      In Windows 10, version 1511, client support for uploading large objects to the server was added.

                                      +

                                      Handling of large objects

                                      +

                                      In Windows 10, version 1511, client support for uploading large objects to the server was added.

                                      @@ -162,52 +162,52 @@ Common elements are used by other OMA DM element types. The following table list -

                                      Chal

                                      -

                                      Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.

                                      +

                                      Chal

                                      +

                                      Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.

                                      -

                                      Cmd

                                      -

                                      Specifies the name of an OMA DM command referenced in a Status element.

                                      +

                                      Cmd

                                      +

                                      Specifies the name of an OMA DM command referenced in a Status element.

                                      -

                                      CmdID

                                      -

                                      Specifies the unique identifier for an OMA DM command.

                                      +

                                      CmdID

                                      +

                                      Specifies the unique identifier for an OMA DM command.

                                      -

                                      CmdRef

                                      -

                                      Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.

                                      +

                                      CmdRef

                                      +

                                      Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.

                                      -

                                      Cred

                                      -

                                      Specifies the authentication credential for the originator of the message.

                                      +

                                      Cred

                                      +

                                      Specifies the authentication credential for the originator of the message.

                                      -

                                      Final

                                      -

                                      Indicates that the current message is the last message in the package.

                                      +

                                      Final

                                      +

                                      Indicates that the current message is the last message in the package.

                                      -

                                      LocName

                                      -

                                      Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.

                                      +

                                      LocName

                                      +

                                      Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.

                                      -

                                      LocURI

                                      -

                                      Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

                                      +

                                      LocURI

                                      +

                                      Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

                                      -

                                      MsgID

                                      -

                                      Specifies a unique identifier for an OMA DM session message.

                                      +

                                      MsgID

                                      +

                                      Specifies a unique identifier for an OMA DM session message.

                                      -

                                      MsgRef

                                      -

                                      Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.

                                      +

                                      MsgRef

                                      +

                                      Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.

                                      -

                                      RespURI

                                      -

                                      Specifies the URI that the recipient must use when sending a response to this message.

                                      +

                                      RespURI

                                      +

                                      Specifies the URI that the recipient must use when sending a response to this message.

                                      -

                                      SessionID

                                      -

                                      Specifies the identifier of the OMA DM session associated with the containing message.

                                      +

                                      SessionID

                                      +

                                      Specifies the identifier of the OMA DM session associated with the containing message.

                                      Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
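Review bot: The Note left as context under the SessionID row is hard to parse where it says the desktop client "returns the SessionID in integer in decimal format", and "the desktop and mobile device client returns 2 bytes" has a subject-verb mismatch. Since this hunk already rewrites the SessionID row, consider rewording to "returns the SessionID as a decimal integer" and "the desktop and mobile device clients return 2 bytes", so that the format a server should expect from each client is unambiguous.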
                                      @@ -216,28 +216,28 @@ Common elements are used by other OMA DM element types. The following table list -

                                      Source

                                      -

                                      Specifies the message source address.

                                      +

                                      Source

                                      +

                                      Specifies the message source address.

                                      -

                                      SourceRef

                                      -

                                      Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.

                                      +

                                      SourceRef

                                      +

                                      Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.

                                      -

                                      Target

                                      -

                                      Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.

                                      +

                                      Target

                                      +

                                      Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.

                                      -

                                      TargetRef

                                      -

                                      Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.

                                      +

                                      TargetRef

                                      +

                                      Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.

                                      -

                                      VerDTD

                                      -

                                      Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.

                                      +

                                      VerDTD

                                      +

                                      Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.

                                      -

                                      VerProto

                                      -

                                      Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.

                                      +

                                      VerProto

                                      +

                                      Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.

                                      @@ -272,32 +272,32 @@ The following table shows the sequence of events during a typical DM session. -

                                      1

                                      -

                                      DM client is invoked to call back to the management server

                                      +

                                      1

                                      +

                                      DM client is invoked to call back to the management server

                                      Enterprise scenario – The device task schedule invokes the DM client.

                                      -

                                      The MO server sends a server trigger message to invoke the DM client.

                                      +

                                      The MO server sends a server trigger message to invoke the DM client.

                                      The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

                                      Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.

                                      -

                                      2

                                      -

                                      The device sends a message, over an IP connection, to initiate the session.

                                      -

                                      This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.

                                      +

                                      2

                                      +

                                      The device sends a message, over an IP connection, to initiate the session.

                                      +

                                      This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.

                                      -

                                      3

                                      -

                                      The DM server responds, over an IP connection (HTTPS).

                                      -

                                      The server sends initial device management commands, if any.

                                      +

                                      3

                                      +

                                      The DM server responds, over an IP connection (HTTPS).

                                      +

                                      The server sends initial device management commands, if any.

                                      -

                                      4

                                      -

                                      The device responds to server management commands.

                                      -

                                      This message includes the results of performing the specified device management operations.

                                      +

                                      4

                                      +

                                      The device responds to server management commands.

                                      +

                                      This message includes the results of performing the specified device management operations.

                                      -

                                      5

                                      -

                                      The DM server terminates the session or sends another command.

                                      -

                                      The DM session ends, or Step 4 is repeated.

                                      +

                                      5

                                      +

                                      The DM server terminates the session or sends another command.

                                      +

                                      The DM session ends, or Step 4 is repeated.
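Review bot: Step 2's re-added description still says "mutual authentication over an SSL channel", while steps 1 and 3 of the same table say HTTPS. Suggest using one term throughout (for example "over a TLS (HTTPS) channel") so readers do not take them for different transports. Step 1 also carries two "Enterprise scenario" sentences as context, one with an en dash and one with a hyphen, that describe the same scheduled callback; one of them could be dropped.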

                                      diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index bf3d84f0f4..7a1a41565d 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -30,14 +30,14 @@ Personalization ----LockScreenImageStatus ``` **./Vendor/MSFT/Personalization** -

                                      Defines the root node for the Personalization configuration service provider.

                                      +

                                      Defines the root node for the Personalization configuration service provider.

                                      **DesktopImageUrl** -

                                      Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

                                      -

                                      Value type is string. Supported operations are Add, Get, Delete, and Replace.

                                      +

                                      Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

                                      +

                                      Value type is string. Supported operations are Add, Get, Delete, and Replace.

                                      **DesktopImageStatus** -

                                      Represents the status of the desktop image. Valid values:

                                      +

                                      Represents the status of the desktop image. Valid values:

                                      • 1 - Successfully downloaded or copied.
                                      • 2 - Download or copy in progress.
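Review bot: The re-added DesktopImageUrl description keeps the sentence "This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.", which is missing the conjunction between its two alternatives. Suggest "an http or https URL to a remote image to be downloaded, or a file URL to a local image". If plain http is accepted for an image the device fetches, it would also help to say whether https is the recommended form.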
                                      • @@ -47,18 +47,18 @@ Personalization
                                      • 6 - Max retry failed.
                                      • 7 - Blocked, SKU not allowed
                                      -

                                      Supporter operation is Get.

                                      +

                                      Supporter operation is Get.

                                      > [!Note] > This setting is only used to query status. To set the image, use the DesktopImageUrl setting. **LockScreenImageUrl** -

                                      Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

                                      -

                                      Value type is string. Supported operations are Add, Get, Delete, and Replace.

                                      +

                                      Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

                                      +

                                      Value type is string. Supported operations are Add, Get, Delete, and Replace.

                                      **LockScreenImageStatus** -

                                      Represents the status of the lock screen image. Valid values:

                                      +

                                      Represents the status of the lock screen image. Valid values:

                                      • 1 - Successfully downloaded or copied.
                                      • 2 - Download or copy in progress.
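Review bot: The line re-added after the DesktopImageStatus value list still reads "Supporter operation is Get."; it should be "Supported operation is Get.", matching the wording used for the Url nodes in this file. The following hunk re-adds the same line under LockScreenImageStatus and needs the same fix.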
                                      • @@ -68,7 +68,7 @@ Personalization
                                      • 6 - Max retry failed.
                                      • 7 - Blocked, SKU not allowed
                                      -

                                      Supporter operation is Get.

                                      +

                                      Supporter operation is Get.

                                      > [!Note] > This setting is only used to query status. To set the image, use the LockScreenImageUrl setting. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index da0f0543dc..a03f3f09f7 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -48,24 +48,24 @@ The following diagram shows the Policy configuration service provider in tree fo **./Vendor/MSFT/Policy** -

                                      The root node for the Policy configuration service provider. +

                                      The root node for the Policy configuration service provider. -

                                      Supported operation is Get. +

                                      Supported operation is Get. **Policy/Config** -

                                      Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. +

                                      Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. -

                                      Supported operation is Get. +

                                      Supported operation is Get. **Policy/Config/_AreaName_** -

                                      The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. +

                                      The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. -

                                      Supported operations are Add, Get, and Delete. +

                                      Supported operations are Add, Get, and Delete. **Policy/Config/_AreaName/PolicyName_** -

                                      Specifies the name/value pair used in the policy. +

                                      Specifies the name/value pair used in the policy. -

                                      The following list shows some tips to help you when configuring policies: +

                                      The following list shows some tips to help you when configuring policies: - Separate substring values by the Unicode &\#xF000; in the XML file. @@ -77,59 +77,59 @@ The following diagram shows the Policy configuration service provider in tree fo - Value type is string. **Policy/Result** -

                                      Groups the evaluated policies from all providers that can be configured. +

                                      Groups the evaluated policies from all providers that can be configured. -

                                      Supported operation is Get. +

                                      Supported operation is Get. **Policy/Result/_AreaName_** -

                                      The area group that can be configured by a single technology independent of the providers. +

                                      The area group that can be configured by a single technology independent of the providers. -

                                      Supported operation is Get. +

                                      Supported operation is Get. **Policy/Result/_AreaName/PolicyName_** -

                                      Specifies the name/value pair used in the policy. +

                                      Specifies the name/value pair used in the policy. -

                                      Supported operation is Get. +

                                      Supported operation is Get. **Policy/ConfigOperations** -

                                      Added in Windows 10, version 1703. The root node for grouping different configuration operations. +

                                      Added in Windows 10, version 1703. The root node for grouping different configuration operations. -

                                      Supported operations are Add, Get, and Delete. +

                                      Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -

                                      Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration. +

                                      Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration. > [!NOTE] > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)). -

                                      ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. +

                                      ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. -

                                      Supported operations are Add, Get, and Delete. +

                                      Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_** -

                                      Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. +

                                      Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. -

                                      Supported operations are Add, Get, and Delete. +

                                      Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** -

                                      Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. +

                                      Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. -

                                      Supported operations are Add, Get, and Delete. +

                                      Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** -

                                      Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. +

                                      Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. -

                                      Supported operations are Add and Get. Does not support Delete. +

                                      Supported operations are Add and Get. Does not support Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** -

                                      Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. +

                                      Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. -

                                      Supported operations are Add, Get, and Delete. +

                                      Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** -

                                      Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. +

                                      Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. -

                                      Supported operations are Add and Get. Does not support Delete. +

                                      Supported operations are Add and Get. Does not support Delete. ## Policies diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index b394ffb753..3df3e81293 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -761,7 +761,7 @@ PIN enforces the following behavior for desktop and mobile devices: The default value is 1. The following list shows the supported values and actual enforced values: - +
                                      @@ -777,24 +777,24 @@ The default value is 1. The following list shows the supported values and actual - - - + + + - - - + + + - - - + + + - - - + + +

                                      Mobile

                                      1,2,3,4

                                      Same as the value set

                                      Mobile

                                      1,2,3,4

                                      Same as the value set

                                      Desktop Local Accounts

                                      1,2,3

                                      3

                                      Desktop Local Accounts

                                      1,2,3

                                      3

                                      Desktop Microsoft Accounts

                                      1,2

                                      <p2

                                      Desktop Microsoft Accounts

                                      1,2

                                      <p2

                                      Desktop Domain Accounts

                                      Not supported

                                      Not supported

                                      Desktop Domain Accounts

                                      Not supported

                                      Not supported
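Review bot: In the Desktop Microsoft Accounts row, the enforced-value cell reads "<p2" in both the removed and the re-added line, which looks like a broken paragraph tag around the value 2 rather than intended content. This commit already rewrites every cell in the row, so please correct the cell here so that the enforced value shows as plainly as in the Mobile and Desktop Local Accounts rows.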

                                      diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index d627137d97..b033f662cc 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -747,7 +747,7 @@ The following list shows the supported values for Windows 8.1: - 1 – Allowed, except for Secondary Data Requests. - 2 (default) – Allowed. - @@ -790,7 +790,7 @@ The following list shows the supported values for Windows 10 version 1809 and ol Most restrictive value is 0. - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 1813782b4c..1fe9517d3d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1747,7 +1747,7 @@ Other/cannot defer: Any update category not specifically enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B -