deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into microsoft-edge-preview

Browse Source
This commit is contained in:
Patti Short 2018-07-23 13:44:17 -07:00
commit a2bbace07e
33 changed files with 1848 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/TOC.md
View File

@ -315,6 +315,8 @@
#### [WiFi DDF file](wifi-ddf-file.md)
### [Win32AppInventory CSP](win32appinventory-csp.md)
#### [Win32AppInventory DDF file](win32appinventory-ddf-file.md)
### [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)
#### [Win32CompatibilityAppraiser DDF file](win32compatibilityappraiser-ddf.md)
### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
#### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md)
### [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

28
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -2417,6 +2417,34 @@ Footnotes:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)

53
windows/client-management/mdm/defender-csp.md
View File

@ -12,6 +12,8 @@ ms.date: 07/19/2018
# Defender CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
@ -176,6 +178,57 @@ An interior node to group information about Windows Defender health status.
Supported operation is Get.
<a href="" id="health-productstatus"></a>**Health/ProductStatus**
Added in Windows 10, next major version. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
Data type is integer. Supported operation is Get.
Supported product status values:
- No status = 0
- Service not running = 1 << 0
- Service started without any malware protection engine = 1 << 1
- Pending full scan due to threat action = 1 << 2
- Pending reboot due to threat action = 1 << 3
- ending manual steps due to threat action = 1 << 4
- AV signatures out of date = 1 << 5
- AS signatures out of date = 1 << 6
- No quick scan has happened for a specified period = 1 << 7
- No full scan has happened for a specified period = 1 << 8
- System initiated scan in progress = 1 << 9
- System initiated clean in progress = 1 << 10
- There are samples pending submission = 1 << 11
- Product running in evaluation mode = 1 << 12
- Product running in non-genuine Windows mode = 1 << 13
- Product expired = 1 << 14
- Off-line scan required = 1 << 15
- Service is shutting down as part of system shutdown = 1 << 16
- Threat remediation failed critically = 1 << 17
- Threat remediation failed non-critically = 1 << 18
- No status flags set (well initialized state) = 1 << 19
- Platform is out of date = 1 << 20
- Platform update is in progress = 1 << 21
- Platform is about to be outdated = 1 << 22
- Signature or platform end of life is past or is impending = 1 << 23
- Windows SMode signatures still in use on non-Win10S install = 1 << 24
Example:
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Defender/Health/ProductStatus</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="health-computerstate"></a>**Health/ComputerState**
Provide the current state of the device.

26
windows/client-management/mdm/defender-ddf.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 01/29/20178
ms.date: 07/12/2018
---
# Defender DDF file
@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Defende
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
The XML below is for Windows 10, next major version.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -43,7 +43,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/Defender</MIME>
<MIME>com.microsoft/1.2/MDM/Defender</MIME>
</DFType>
</DFProperties>
<Node>
@ -286,6 +286,26 @@ The XML below is the current version for this CSP.
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ProductStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ComputerState</NodeName>
<DFProperties>

BIN
windows/client-management/mdm/images/provisioning-csp-defender.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 29 KiB

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 9.3 KiB

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-win32compatibilityappraiser.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

4
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1638,6 +1638,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node Health/ProductStatus.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption.</p>
</td></tr>

96
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/03/2018
ms.date: 07/20/2018
---
# Policy CSP
@ -468,6 +468,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-allowflashclicktorun" id="browser-allowflashclicktorun">Browser/AllowFlashClickToRun</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowfullscreenmode" id="browser-allowfullscreenmode">Browser/AllowFullScreenMode</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowinprivate" id="browser-allowinprivate">Browser/AllowInPrivate</a>
</dd>
@ -480,15 +483,33 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-allowpopups" id="browser-allowpopups">Browser/AllowPopups</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowprelaunch" id="browser-allowprelaunch">Browser/AllowPrelaunch</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowprinting" id="browser-allowprinting">Browser/AllowPrinting</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowsavinghistory" id="browser-allowsavinghistory">Browser/AllowSavingHistory</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowsearchenginecustomization" id="browser-allowsearchenginecustomization">Browser/AllowSearchEngineCustomization</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar" id="browser-allowsearchsuggestionsinaddressbar">Browser/AllowSearchSuggestionsinAddressBar</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowsideloadingofextensions" id="browser-allowsideloadingofextensions">Browser/AllowSideloadingOfExtensions</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowsmartscreen" id="browser-allowsmartscreen">Browser/AllowSmartScreen</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowtabpreloading" id="browser-allowtabpreloading">Browser/AllowTabPreloading</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-allowwebcontentonnewtabpage" id="browser-allowwebcontentonnewtabpage">Browser/AllowWebContentOnNewTabPage</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-alwaysenablebookslibrary" id="browser-alwaysenablebookslibrary">Browser/AlwaysEnableBooksLibrary</a>
</dd>
@ -498,6 +519,24 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-configureadditionalsearchengines" id="browser-configureadditionalsearchengines">Browser/ConfigureAdditionalSearchEngines</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-configurefavoritesbar" id="browser-configurefavoritesbar">Browser/ConfigureFavoritesBar</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-configurehomebutton" id="browser-configurehomebutton">Browser/ConfigureHomeButton</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-configurekioskmode" id="browser-configurekioskmode">Browser/ConfigureKioskMode</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-configurekioskresetafteridletimeout" id="browser-configurekioskresetafteridletimeout">Browser/ConfigureKioskResetAfterIdleTimeout</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-configureopenmicrosoftedgewith" id="browser-configureopenmicrosoftedgewith">Browser/ConfigureOpenMicrosoftEdgeWith</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics" id="browser-configuretelemetryformicrosoft365analytics">Browser/ConfigureTelemetryForMicrosoft365Analytics</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-disablelockdownofstartpages" id="browser-disablelockdownofstartpages">Browser/DisableLockdownOfStartPages</a>
</dd>
@ -513,6 +552,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-firstrunurl" id="browser-firstrunurl">Browser/FirstRunURL</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-forceenabledextensions" id="browser-forceenabledextensions">Browser/ForceEnabledExtensions</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-homepages" id="browser-homepages">Browser/HomePages</a>
</dd>
@ -522,6 +564,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge" id="browser-preventaccesstoaboutflagsinmicrosoftedge">Browser/PreventAccessToAboutFlagsInMicrosoftEdge</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-preventcerterroroverrides" id="browser-preventcerterroroverrides">Browser/PreventCertErrorOverrides</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-preventfirstrunpage" id="browser-preventfirstrunpage">Browser/PreventFirstRunPage</a>
</dd>
@ -546,12 +591,21 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-setdefaultsearchengine" id="browser-setdefaultsearchengine">Browser/SetDefaultSearchEngine</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-sethomebuttonurl" id="browser-sethomebuttonurl">Browser/SetHomeButtonURL</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-setnewtabpageurl" id="browser-setnewtabpageurl">Browser/SetNewTabPageURL</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer" id="browser-showmessagewhenopeningsitesininternetexplorer">Browser/ShowMessageWhenOpeningSitesInInternetExplorer</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge" id="browser-syncfavoritesbetweenieandmicrosoftedge">Browser/SyncFavoritesBetweenIEAndMicrosoftEdge</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-unlockhomebutton" id="browser-unlockhomebutton">Browser/UnlockHomeButton</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-usesharedfolderforbooks" id="browser-usesharedfolderforbooks">Browser/UseSharedFolderForBooks</a>
</dd>
@ -939,6 +993,18 @@ The following diagram shows the Policy configuration service provider in tree fo
### DeviceInstallation policies
<dl>
<dd>
<a href="./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids" id="deviceinstallation-allowinstallationofmatchingdeviceids">DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</a>
</dd>
<dd>
<a href="./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses" id="deviceinstallation-allowinstallationofmatchingdevicesetupclasses">DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</a>
</dd>
<dd>
<a href="./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork" id="deviceinstallation-preventdevicemetadatafromnetwork">DeviceInstallation/PreventDeviceMetadataFromNetwork</a>
</dd>
<dd>
<a href="./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings" id="deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings">DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</a>
</dd>
<dd>
<a href="./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids" id="deviceinstallation-preventinstallationofmatchingdeviceids">DeviceInstallation/PreventInstallationOfMatchingDeviceIDs</a>
</dd>
@ -3670,11 +3736,14 @@ The following diagram shows the Policy configuration service provider in tree fo
- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g)
- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
@ -4075,22 +4144,37 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions)
- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash)
- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun)
- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode)
- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate)
- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist)
- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager)
- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups)
- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch)
- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting)
- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory)
- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization)
- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions)
- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen)
- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading)
- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage)
- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary)
- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit)
- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines)
- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar)
- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton)
- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode)
- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout)
- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith)
- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics)
- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
- [Browser/ForceEnabledExtensions](./policy-csp-browser.md#browser-forceenabledextensions)
- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides)
- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
@ -4099,8 +4183,11 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl)
- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl)
- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton)
- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
@ -4122,7 +4209,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g)
- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
@ -4189,6 +4275,10 @@ The following diagram shows the Policy configuration service provider in tree fo
- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)

3
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -67,7 +67,8 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh
> [!Note]
> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesnt support Delete command. This policy doesnt support setting the value to be 0 again after it was previously set 1. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
Note: This policy doesnt support Delete command. This policy doesnt support setting the value to be 0 again after it was previously set 1. In Windows 10, next major version, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported.
The following list shows the supported values:

301
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 03/12/2018
ms.date: 07/23/2018
---
# Policy CSP - DeviceInstallation
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -19,6 +21,18 @@ ms.date: 03/12/2018
## DeviceInstallation policies
<dl>
<dd>
<a href="#deviceinstallation-allowinstallationofmatchingdeviceids">DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</a>
</dd>
<dd>
<a href="#deviceinstallation-allowinstallationofmatchingdevicesetupclasses">DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</a>
</dd>
<dd>
<a href="#deviceinstallation-preventdevicemetadatafromnetwork">DeviceInstallation/PreventDeviceMetadataFromNetwork</a>
</dd>
<dd>
<a href="#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings">DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</a>
</dd>
<dd>
<a href="#deviceinstallation-preventinstallationofmatchingdeviceids">DeviceInstallation/PreventInstallationOfMatchingDeviceIDs</a>
</dd>
@ -28,6 +42,290 @@ ms.date: 03/12/2018
</dl>
<hr/>
<!--Policy-->
<a href="" id="deviceinstallation-allowinstallationofmatchingdeviceids"></a>**DeviceInstallation/AllowInstallationOfMatchingDeviceIDs**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Allow*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deviceinstallation-allowinstallationofmatchingdevicesetupclasses"></a>**DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Allow*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deviceinstallation-preventdevicemetadatafromnetwork"></a>**DeviceInstallation/PreventDeviceMetadataFromNetwork**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent device metadata retrieval from the Internet*
- GP name: *DeviceMetadata_PreventDeviceMetadataFromNetwork*
- GP path: *System/Device Installation*
- GP ADMX file name: *DeviceSetup.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings"></a>**DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting.
If you enable this policy setting, Windows is prevented from installing or updating the device driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" or the "Allow installation of devices for these device classes" policy setting.
If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent installation of devices not described by other policy settings*
- GP name: *DeviceInstall_Unspecified_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
@ -159,6 +457,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->

31
windows/client-management/mdm/supl-csp.md
View File

@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 06/26/2017
ms.date: 07/20/2018
---
# SUPL CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The SUPL configuration service provider is used to configure the location client, as shown in the following table.
@ -220,35 +222,50 @@ Specifies the name of the H-SLP root certificate as a string, in the format *nam
<a href="" id="rootcertificate-data"></a>**RootCertificate/Data**
The base 64 encoded blob of the H-SLP root certificate.
<a href="" id="rootcertificate"></a>**RootCertificate2**
Specifies the root certificate for the H-SLP server.
<a href="" id="rootcertificate2-name"></a>**RootCertificate2/Name**
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
<a href="" id="rootcertificate2-data"></a>**RootCertificate2/Data**
The base 64 encoded blob of the H-SLP root certificate.
<a href="" id="rootcertificate"></a>**RootCertificate3**
Specifies the root certificate for the H-SLP server.
<a href="" id="rootcertificate3-name"></a>**RootCertificate3/Name**
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
<a href="" id="rootcertificate3-data"></a>**RootCertificate3/Data**
The base 64 encoded blob of the H-SLP root certificate.
<a href="" id="rootcertificate"></a>**RootCertificate4**
Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server.
<a href="" id="rootcertificate-name"></a>**RootCertificate4/Name**
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
<a href="" id="rootcertificate-data"></a>**RootCertificate4/Data**
The base 64 encoded blob of the H-SLP root certificate.
Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate.
<a href="" id="rootcertificate"></a>**RootCertificate5**
Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server.
<a href="" id="rootcertificate2-name"></a>**RootCertificate5/Name**
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
<a href="" id="rootcertificate2-data"></a>**RootCertificate5/Data**
The base 64 encoded blob of the H-SLP root certificate.
Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate.
<a href="" id="rootcertificate"></a>**RootCertificate6**
Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server.
<a href="" id="rootcertificate3-name"></a>**RootCertificate6/Name**
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
<a href="" id="rootcertificate3-data"></a>**RootCertificate6/Data**
The base 64 encoded blob of the H-SLP root certificate.
Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate.
<a href="" id="v2upl1"></a>**V2UPL1**
Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time.

22
windows/client-management/mdm/supl-ddf-file.md
View File

@ -7,17 +7,19 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 12/05/2017
ms.date: 07/20/2018
---
# SUPL DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **SUPL** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
The XML below is for Windows 10, next major version.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -43,7 +45,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
<MIME>com.microsoft/1.1/MDM/SUPL</MIME>
</DFType>
</DFProperties>
<Node>
@ -200,7 +202,7 @@ The XML below is the current version for this CSP.
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operators network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.</Description>
<Description>Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.</Description>
<DFFormat>
<int />
</DFFormat>
@ -749,7 +751,7 @@ The XML below is the current version for this CSP.
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operators network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.</Description>
<Description>Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.</Description>
<DFFormat>
<int />
</DFFormat>
@ -858,13 +860,3 @@ The XML below is the current version for this CSP.
</Node>
</MgmtTree>
```
 
 

615
windows/client-management/mdm/win32compatibilityappraiser-csp.md Normal file
View File

@ -0,0 +1,615 @@
---
title: Win32CompatibilityAppraiser CSP
description:
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/19/2018
---
# Win32CompatibilityAppraiser CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, next major version.
The following diagram shows the Storage configuration service provider in tree format.
![Win32CompatibilityAppraiser CSP diagram](images/provisioning-csp-win32compatibilityappraiser.png)
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/Win32CompatibilityAppraiser**
The root node for the Win32CompatibilityAppraiser configuration service provider.
<a href="" id="compatibilityappraiser"></a>**CompatibilityAppraiser**
This represents the state of the Compatibility Appraiser.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis**
This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-commercialid"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId**
The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
Value type is string. Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosiscommercialidsetandvalid"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid**
A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
Value type is bool. Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-alltargetosversionsrequested"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested**
A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
Value type is bool. Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-osskuisvalidforappraiser"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser**
A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser.
Value type is bool. Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-appraisercodeanddataversionsaboveminimum"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum**
An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data.
The values are:
- 0 == Neither the code nor data is of a sufficient version
- 1 == The code version is insufficient but the data version is sufficient
- 2 == The code version is sufficient but the data version is insufficient
- 3 == Both the code and data are of a sufficient version
Value type is integer. Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-rebootpending"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
Value type is bool. Supported operation is Get.
<a href="" id="compatibilityappraiser-appraiserrunresultreport"></a>**CompatibilityAppraiser/AppraiserRunResultReport**
This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations.
For the report XML schema see [Appraiser run result report](#appraiser-run-result-report).
<a href="" id="universaltelemetryclient"></a>**UniversalTelemetryClient**
This represents the state of the Universal Telemetry Client, or DiagTrack service.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis**
This represents various settings that affect whether the Universal Telemetry Client can upload data and how much data it can upload.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-telemetryoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn**
An integer value representing what level of telemetry will be uploaded.
Value type is integer. Supported operation is Get.
The values are:
- 0 == Security data will be sent
- 1 == Basic telemetry will be sent
- 2 == Enhanced telemetry will be sent
- 3 == Full telemetry will be sent
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-commercialdataoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn**
An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload.
Value type is integer. Supported operation is Get.
The values are:
- 0 == Setting is disabled
- 1 == Setting is enabled
- 2 == Setting is not applicable to this version of Windows
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-diagtrackservicerunning"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning**
A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
Value type is bool. Supported operation is Get.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-msaserviceenabled"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
Value type is bool. Supported operation is Get.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-internetexplorertelemetryoptin"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn**
An integer value representing what websites Internet Explorer will collect telemetry data for.
Value type is integer. Supported operation is Get.
The values are:
- 0 == Telemetry collection is disabled
- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones
- 2 == Telemetry collection is enabled for internet websites and restricted website zones
- 3 == Telemetry collection is enabled for all websites
- 0x7FFFFFFF == Telemetry collection is not configured
<a href="" id="universaltelemetryclient-utcconnectionreport"></a>**UniversalTelemetryClient/UtcConnectionReport**
This provides an XML representation of the UTC connections during the most recent summary period.
For the report XML schema, see [UTC connection report](#utc-connection-report).
<a href="" id="windowserrorreporting"></a>**WindowsErrorReporting**
This represents the state of the Windows Error Reporting service.
<a href="" id="windowserrorreporting-werconfigurationdiagnosis"></a>**WindowsErrorReporting/WerConfigurationDiagnosis**
This represents various settings that affect whether the Windows Error Reporting service can upload data and how much data it can upload.
<a href="" id="windowserrorreporting-werconfigurationdiagnosis-wertelemetryoptin"></a>**WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn**
An integer value indicating the amount of WER data that will be uploaded.
Value type integer. Supported operation is Get.
The values are:
- 0 == Data will not send due to UTC opt-in
- 1 == Data will not send due to WER opt-in
- 2 == Basic WER data will send but not the complete set of data
- 3 == The complete set of WER data will send
<a href="" id="windowserrorreporting-werconfigurationdiagnosis-mostrestrictivesetting"></a>**WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting**
An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted.
Value type integer. Supported operation is Get.
The values are:
- 0 == System telemetry settings are restricting uploads
- 1 == WER basic policies are restricting uploads
- 2 == WER advanced policies are restricting uploads
- 3 == WER consent policies are restricting uploads
- 4 == There are no restrictive settings
<a href="" id="windowserrorreporting-werconnectionreport"></a>**WindowsErrorReporting/WerConnectionReport**
This provides an XML representation of the most recent WER connections of various types.
For the report XML schema, see [Windows Error Reporting connection report](#windows-error-reporting-connection-report).
## XML schema for the reports
### Appraiser run result report
```
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" >
<xs:annotation>
<xs:documentation>CSP schema for the Compatibility Appraiser Diagnostic CSP.</xs:documentation>
<xs:documentation>Schema defining the Win32CompatibilityAppraiser\CompatibilityAppraiser\AppraiserRunResultReport CSP node.</xs:documentation>
<xs:documentation>Copyright (c) Microsoft Corporation, all rights reserved.</xs:documentation>
</xs:annotation>
<xs:simpleType name="RunCategoryType">
<xs:annotation>
<xs:documentation>Defines a category of Appraiser run.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="LastSecurityModeRunAttempt">
<xs:annotation>
<xs:documentation>LastSecurityModeRunAttempt - The most recent run that was skipped because the "Allow Telemetry" setting was set to "Security".</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastEnterpriseRun">
<xs:annotation>
<xs:documentation>LastEnterpriseRun - The most recent run that was invoked with the "ent" command line.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastFatallyErroredRun">
<xs:annotation>
<xs:documentation>LastFatallyErroredRun - The most recent run that returned a failed "ErrorCode".</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastSuccessfulRun">
<xs:annotation>
<xs:documentation>LastSuccessfulRun - The most recent run that returned a successful "ErrorCode".</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastFullSyncRun">
<xs:annotation>
<xs:documentation>LastFullSyncRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run).</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastSuccessfulFullSyncRun">
<xs:annotation>
<xs:documentation>LastSuccessfulFullSyncRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run) and also returned a successful "ErrorCode".</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastSuccessfulFromEnterprisePerspectiveRun">
<xs:annotation>
<xs:documentation>LastSuccessfulFromEnterprisePerspectiveRun - The most recent run that returned a successful "EnterpriseErrorCode".</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastSuccessfulFromEnterprisePerspectiveFullSyncRun">
<xs:annotation>
<xs:documentation>LastSuccessfulFromEnterprisePerspectiveEnterpriseRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run) and also returned a successful "EnterpriseErrorCode".</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastSuccessfulFromEnterprisePerspectiveEnterpriseRun">
<xs:annotation>
<xs:documentation>LastSuccessfulFromEnterprisePerspectiveEnterpriseRun - The most recent run that was invoked with the "ent" command line and also returned a successful "EnterpriseErrorCode".</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="LastRunResultOfAnyCategoryType">
<xs:annotation>
<xs:documentation>Represents the most recent run of the Compatibility Appraiser.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="CurrentlyRunning" type="xs:boolean" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>CurrentlyRunning - A boolean representing whether the specified Compatibility Appraiser run is still in progress.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="CrashedOrInterrupted" type="xs:boolean" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>CrashedOrInterrupted - A boolean representing whether the specified Compatibility Appraiser run ended before it finished scanning for compatibility data.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ErrorCode" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>ErrorCode - An integer which is the HRESULT error code, of a type that is relevant to any computer, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="EnterpriseErrorCode" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>EnterpriseErrorCode - An integer which is the HRESULT error code, of a type that is relevant mainly to enterprise computers, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="RunStartTimestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>RunStartTimestamp - The time when the specified Compatibility Appraiser run started.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="RunEndTimestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>RunEndTimestamp - The time when the specified Compatibility Appraiser run ended.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ComponentWhichCausedErrorCode" type="xs:string" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>ComponentWhichCausedErrorCode - The name of the internal component, if any, which caused the ErrorCode node to be a failure value during the specified Compatibility Appraiser run. Note that the ErrorCode node might be a failure value for a reason other than an internal component failure.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ErroredComponent" type="xs:string" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>ErroredComponent - The name of one of the internal components, if any, which encountered failure HRESULT codes during the specified Compatibility Appraiser run. A failure of an internal component may not necessarily cause the ErrorCode node to contain a failed HRESULT code.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="RunResultOfSpecificCategoryType">
<xs:annotation>
<xs:documentation>Represents the most recent run of the Compatibility Appraiser that satisfied a particular condition.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="ErrorCode" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>ErrorCode - An integer which is the HRESULT error code, of a type that is relevant to any computer, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="EnterpriseErrorCode" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>EnterpriseErrorCode - An integer which is the HRESULT error code, of a type that is relevant mainly to enterprise computers, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="RunStartTimestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>RunStartTimestamp - The time when the specified Compatibility Appraiser run started.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="RunEndTimestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>RunEndTimestamp - The time when the specified Compatibility Appraiser run ended.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ComponentWhichCausedErrorCode" type="xs:string" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>ComponentWhichCausedErrorCode - The name of the internal component, if any, which caused the ErrorCode node to be a failure value during the specified Compatibility Appraiser run. Note that the ErrorCode node might be a failure value for a reason other than an internal component failure.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ErroredComponent" type="xs:string" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>ErroredComponent - The name of one of the internal components, if any, which encountered failure HRESULT codes during the specified Compatibility Appraiser run. A failure of an internal component may not necessarily cause the ErrorCode node to contain a failed HRESULT code.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="RunCategory" type="RunCategoryType" use="required">
<xs:annotation>
<xs:documentation>RunCategory - A string which details the category of Appraiser run.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="RunResultReportType">
<xs:annotation>
<xs:documentation>Defines the latest run results for all known categories.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="LastRunResult" type="LastRunResultOfAnyCategoryType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastRunResult - Represents the most recent run of the Compatibility Appraiser.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="LastRunResultForCategory" type="RunResultOfSpecificCategoryType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>LastRunResultForCategory - Represents the most recent run of the Compatibility Appraiser that satisfied a particular condition.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:element name="RunResultReport" type="RunResultReportType"/>
</xs:schema>
```
### UTC connection report
```
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fusion="urn:schemas-microsoft-com:asm.v1" elementFormDefault="qualified" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<xs:annotation>
<xs:documentation>CSP schema for the Compatibility Appraiser Diagnostic CSP.</xs:documentation>
<xs:documentation>Schema defining the Win32CompatibilityAppraiser\UniversalTelemetryClient\UtcConnectionReport CSP node.</xs:documentation>
<xs:documentation>Copyright (c) Microsoft Corporation, all rights reserved.</xs:documentation>
</xs:annotation>
<xs:complexType name="ConnectionSummaryType">
<xs:annotation>
<xs:documentation>Defines the latest UTC connection results, if any.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="ConnectionSummaryStartingTimestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>ConnectionSummaryStartingTimestamp - The starting time of the most recent UTC summary window.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ConnectionSummaryEndingTimestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>ConnectionSummaryEndingTimestamp - The ending time of the most recent UTC summary window.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="TimestampOfLastSuccessfulUpload" type="xs:unsignedLong" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>TimestampOfLastSuccessfulUpload - The ending time of the most recent UTC summary window that included a successful data upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="LastHttpErrorCode" type="xs:unsignedInt" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastHttpErrorCode - The HTTP error code from the last failed internet connection.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ProxyDetected" type="xs:boolean" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>ProxyDetected - A boolean value representing whether an internet connection during the summary window was directed through a proxy.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ConnectionsSuccessful" type="xs:unsignedInt" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>ConnectionsSuccessful - An integer value summarizing the success of internet connections during the summary window. The values are: 0 == "All connections failed", 1 == "Some connections succeeded and some failed", and 2 == "All connections succeeded".</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="DataUploaded" type="xs:unsignedInt" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>DataUploaded - An integer value summarizing the success of data uploads during the summary window. The values are: 0 == "All data was dropped", 1 == "Some data was dropped and some was sent successfully", 2 == "All data was sent successfully", and 3 == "No data was present to upload".</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="AnyCertificateValidationFailures" type="xs:boolean" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>AnyCertificateValidationFailures - A boolean value representing whether there were any failed attempts to validate certificates in the summary window.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="LastCertificateValidationFailureCode" type="xs:unsignedInt" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastCertificateValidationFailureCode - The most recent error code from a failed attempt at validating a certificate.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ConnectionReportType">
<xs:annotation>
<xs:documentation>Lists results of UTC connections.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="ConnectionSummary" type="ConnectionSummaryType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>Defines the latest UTC connection results, if any.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:element name="ConnectionReport" type="ConnectionReportType"/>
</xs:schema>
```
### Windows Error Reporting connection report
```
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fusion="urn:schemas-microsoft-com:asm.v1" elementFormDefault="qualified" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<xs:annotation>
<xs:documentation>CSP schema for the Compatibility Appraiser Diagnostic CSP.</xs:documentation>
<xs:documentation>Schema defining the Win32CompatibilityAppraiser\WindowsErrorReporting\WerConnectionReport CSP node.</xs:documentation>
<xs:documentation>Copyright (c) Microsoft Corporation, all rights reserved.</xs:documentation>
</xs:annotation>
<xs:complexType name="LastNormalUploadSuccessType">
<xs:annotation>
<xs:documentation>LastNormalUploadSuccess - A summary of the last time WER successfully performed a normal data upload, if any.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Timestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Timestamp - The time when WER attempted the upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="UploadDuration" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>UploadDuration - The time taken while attempting the upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="PayloadSize" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>PayloadSize - The size of the payload that WER attempted to upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Protocol" type="xs:string" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Protocol - The communication protocol that WER used during the upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Stage" type="xs:string" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Stage - The processing stage that WER was in when the upload ended.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="BytesUploaded" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>BytesUploaded - The number of bytes that WER successfully uploaded.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ServerName" type="xs:string" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>ServerName - The name of the server that WER attempted to upload data to.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="LastNormalUploadFailureType">
<xs:annotation>
<xs:documentation>LastNormalUploadFailure - A summary of the last time WER failed to perform a normal data upload, if any.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Timestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Timestamp - The time when WER attempted the upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="HttpExchangeResult" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>HttpExchangeResult - The result of the HTTP connection between WER and the server that it tried to upload to.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="UploadDuration" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>UploadDuration - The time taken while attempting the upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="PayloadSize" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>PayloadSize - The size of the payload that WER attempted to upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Protocol" type="xs:string" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Protocol - The communication protocol that WER used during the upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Stage" type="xs:string" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Stage - The processing stage that WER was in when the upload ended.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="RequestStatusCode" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>RequestStatusCode - The status code returned by the server in response to the upload request.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="BytesUploaded" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>BytesUploaded - The number of bytes that WER successfully uploaded.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ServerName" type="xs:string" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>ServerName - The name of the server that WER attempted to upload data to.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="TransportHr" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>TransportHr - The HRESULT code encountered when transferring data to the server.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="LastResumableUploadSuccessType">
<xs:annotation>
<xs:documentation>LastResumableUploadSuccess - A summary of the last time WER successfully performed a resumable data upload, if any.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Timestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Timestamp - The time when WER attempted the upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="LastBlockId" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastBlockId - The identifier of the most recent block of the payload that WER attempted to upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="TotalBytesUploaded" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>TotalBytesUploaded - The number of bytes that WER successfully uploaded so far, possibly over multiple resumable upload attempts.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="LastResumableUploadFailureType">
<xs:annotation>
<xs:documentation>LastResumableUploadFailure - A summary of the last time WER failed to perform a resumable data upload, if any.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Timestamp" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Timestamp - The time when WER attempted the upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="HttpExchangeResult" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>HttpExchangeResult - The result of the HTTP connection between WER and the server that it tried to upload to.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="LastBlockId" type="xs:unsignedInt" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastBlockId - The identifier of the most recent block of the payload that WER attempted to upload.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="TotalBytesUploaded" type="xs:unsignedLong" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>TotalBytesUploaded - The number of bytes that WER successfully uploaded so far, possibly over multiple resumable upload attempts.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ConnectionSummaryType">
<xs:annotation>
<xs:documentation>Defines the latest WER connection results, if any.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="LastNormalUploadSuccess" type="LastNormalUploadSuccessType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastNormalUploadSuccess - A summary of the last time WER successfully performed a normal data upload, if any.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="LastNormalUploadFailure" type="LastNormalUploadFailureType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastNormalUploadFailure - A summary of the last time WER failed to perform a normal data upload, if any.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="LastResumableUploadSuccess" type="LastResumableUploadSuccessType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastResumableUploadSuccess - A summary of the last time WER successfully performed a resumable data upload, if any.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="LastResumableUploadFailure" type="LastResumableUploadFailureType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>LastResumableUploadFailure - A summary of the last time WER failed to perform a resumable data upload, if any.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ConnectionReportType">
<xs:annotation>
<xs:documentation>Lists results of WER connections.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="ConnectionSummary" type="ConnectionSummaryType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>Defines the latest WER connection results, if any.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:element name="ConnectionReport" type="ConnectionReportType"/>
</xs:schema>
```

537
windows/client-management/mdm/win32compatibilityappraiser-ddf.md Normal file
View File

@ -0,0 +1,537 @@
---
title: Win32CompatibilityAppraiser DDF file
description: XML file containing the device description framework
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/19/2018
---
# Win32CompatibilityAppraiser DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Win32CompatibilityAppraiser** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, next major version.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Win32CompatibilityAppraiser</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The root node for the Win32CompatibilityAppraiser configuration service provider.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/Win32CompatibilityAppraiser</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>CompatibilityAppraiser</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This represents the state of the Compatibility Appraiser.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>CompatibilityAppraiser</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AppraiserConfigurationDiagnosis</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data. </Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>AppraiserConfigurationDiagnosis</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CommercialId</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>CommercialId</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CommercialIdSetAndValid</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>CommercialIdSetAndValid</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllTargetOsVersionsRequested</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>AllTargetOsVersionsRequested</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OsSkuIsValidForAppraiser</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>OsSkuIsValidForAppraiser</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppraiserCodeAndDataVersionsAboveMinimum</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version".</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>AppraiserCodeVersionAboveMinimum</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RebootPending</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>RebootPending</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>AppraiserRunResultReport</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>AppraiserRunResultReport</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>UniversalTelemetryClient</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This represents the state of the Universal Telemetry Client, or DiagTrack service.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>UniversalTelemetryClient</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>UtcConfigurationDiagnosis</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This represents various settings that affect whether the Universal Telemetry Client can upload data and how much data it can upload.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>UtcConfigurationDiagnosis</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TelemetryOptIn</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent".</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>TelemetryOptIn</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CommercialDataOptIn</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows".</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>CommercialDataOptIn</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DiagTrackServiceRunning</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>DiagTrackServiceRunning</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MsaServiceEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>MsaServiceEnabled</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InternetExplorerTelemetryOptIn</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured".</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>InternetExplorerTelemetryOptIn</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>UtcConnectionReport</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This provides an XML representation of the UTC connections during the most recent summary period.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>UtcConnectionReport</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>WindowsErrorReporting</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This represents the state of the Windows Error Reporting service.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>WindowsErrorReporting</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>WerConfigurationDiagnosis</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This represents various settings that affect whether the Windows Error Reporting service can upload data and how much data it can upload.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>WerConfigurationDiagnosis</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>WerTelemetryOptIn</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send".</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>WerTelemetryOptIn</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MostRestrictiveSetting</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings".</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>MostRestrictiveSetting</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>WerConnectionReport</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This provides an XML representation of the most recent WER connections of various types.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>WerConnectionReport</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

BIN
windows/deployment/update/images/app-reliability.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/deployment/update/images/device-reliability-crash-count.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/deployment/update/images/device-reliability-device-count.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
windows/deployment/update/images/device-reliability-event1001-PSoutput.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/deployment/update/images/event_1001.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

126
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 07/11/2018
ms.date: 07/20/2018
ms.localizationpriority: high
---
@ -20,10 +20,13 @@ This topic compiles the most common issues encountered with configuring and usin
If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here.
[Devices not showing up](#devices-not-showing-up)
[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness)
[Device Health crash data not appearing](#device-health-crash-data-not-appearing)
[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability)
[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability)
[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability)
[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb)
@ -36,7 +39,7 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Exporting large data sets](#exporting-large-data-sets)
### Devices not showing up
### Devices not appearing in Upgrade Readiness
In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
@ -58,77 +61,96 @@ If you want to check a large number of devices, you should run the latest script
If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog.
If you have deployed images that have not been generalized, then many of them might have the same ID and so analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps:
If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps:
1. Net stop diagtrack
2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f
3. Net start diagtrack
#### Devices not appearing in Device Health Device Reliability
### Device Health crash data not appearing
[![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png)
#### Is WER disabled?
If Windows Error Reporting (WER) is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health.
If you have devices that appear in other solutions, but not Device Health, follow these steps to investigate the issue:
1. Confirm that the devices are running Windows10.
2. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
3. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set).
4. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
5. Wait 48 hours for activity to appear in the reports.
6. If you need additional troubleshooting, contact Microsoft Support.
Check these registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**:
- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
### Device crashes not appearing in Device Health Device Reliability
If you need further information on Windows Error Reporting (WER) settings, see WER Settings.
[![Device Reliability tile showing crash count highlighted](images/device-reliability-crash-count.png)](images/device-reliability-crash-count.png)
If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue:
1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic.
2. Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals.
3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set):
- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes.
5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this:
[![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png)
You can use the following Windows PowerShell snippet to summarize recent occurences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however).
```powershell
$limitToMostRecentNEvents = 20
Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} |
?{ $_.Properties[2].Value -match "crash|blue" } |
% { [pscustomobject]@{
TimeCreated=$_.TimeCreated
WEREvent=$_.Properties[2].Value
BucketId=$_.Properties[0].Value
ContextHint = $(
if($_.Properties[2].Value -eq "bluescreen"){"kernel"}
else{ $_.Properties[5].Value }
)
}} | Select-Object -First $limitToMostRecentNEvents
```
The output should look something like this:
[![Typical output for this snippet](images/device-reliability-event1001-PSoutput.png)](images/device-reliability-event1001-PSoutput.png)
6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events.
7. Wait 48 hours for activity to appear in the reports.
8. If you need additional troubleshooting, contact Microsoft Support.
#### Endpoint connectivity
Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required). For suggested methods, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication).
To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*:
For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication).
```powershell
### Apps not appearing in Device Health App Reliability
$endPoints = @(
'watson.telemetry.microsoft.com'
'oca.telemetry.microsoft.com'
'v10.events.data.microsoft.com'
)
[![App Reliability tile showing relability events trend](images/app-reliability.png)](images/app-reliability.png)
$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue:
```
1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic.
2. Confirm that an in-scope application has crashed on an enrolled device. Keep the following points in mind:
- Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system.
- Enrolling more devices helps to ensure that there are enough naturally occurring app crashes.
- You can also use test apps which are designed to crash on demand.
If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set):
To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example:
- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events.
5. Wait 48 hours for activity to appear in the reports.
6. If you need additional troubleshooting, contact Microsoft Support.
```powershell
[scriptblock]$accessTest = {
$endPoints = @(
'watson.telemetry.microsoft.com'
'oca.telemetry.microsoft.com'
'v10.events.data.microsoft.com'
)
$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
}
$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1"
$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt"
$accessTest.ToString() > $scriptFullPath
$null > $outputFileFullPath
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`""
$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10)
$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force
Start-Sleep -Seconds 120
Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
Get-Content $outputFileFullPath
```
As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
### Upgrade Readiness shows many "Computers with outdated KB"
If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile:

5
windows/deployment/update/windows-analytics-get-started.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/08/2018
ms.date: 07/18/2018
ms.localizationpriority: medium
---
@ -52,6 +52,9 @@ To enable data sharing, configure your proxy sever to whitelist the following en
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health for device tickets. |
| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. **Note:** In this context login.live.com is *not* used for access to Microsoft Account consumer services. The endpoint is used only as part of the WIndows Error Reporting protocol to enhance the integrity of error reports. |
>[!NOTE]

2
windows/security/hardware-protection/TOC.md
View File

@ -2,7 +2,7 @@
## [Encrypted Hard Drive](encrypted-hard-drive.md)
## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
## [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md)
## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)

53
windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md
View File

@ -15,46 +15,37 @@ ms.date: 06/29/2017
Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard.
Protecting system services and data with Windows Defender System Guard is an important first step, but is just the beginning of what we need to do as it doesnt protect the rest of the operating system, information on the device, other apps, or the network.
Since systems are generally compromised through the application layer, and often though browsers, Windows 10 includes Windows Defender Application Guard to isolate Microsoft Edge from the operating system, information on the device, and the network.
With this, Windows can start to protect the broader range of resources.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees:
The following diagram shows Windows Defender System Guard and Windows Defender Application Guard in relation to the Windows 10 operating system.
- Protect and maintain the integrity of the system as it starts up
- Protect and maintain the integrity of the system after it's running
- Validate that system integrity has truly been maintained through local and remote attestation
![Application Guard and System Guard](images/application-guard-and-system-guard.png)
## Maintaining the integrity of the system as it starts
## What security threats do containers protect against
With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
Exploiting zero days and vulnerabilities are an increasing threat that attackers are attempting to take advantage of.
The following diagram shows the traditional Windows software stack: a kernel with an app platform, and an app running on top of it.
Lets look at how an attacker might elevate privileges and move down the stack.
With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the devices [Secure Boot feature](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-8.1-and-8/hh824987), which is part of the Unified Extensible Firmware Interface (UEFI).
![Traditional Windows software stack](images/traditional-windows-software-stack.png)
After successful verification and startup of the devices firmware and Windows bootloader, the next opportunity for attackers to tamper with the systems integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection.
In desktop operating systems, those apps typically run under the context of the users privileges.
If the app was malicious, it would have access to all the files in the file system, all the settings that you as a user Standard user have access to, and so on.
This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the systems antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasnt been compromised before the remainder of your system defenses start.
A different type of app may run under the context of an Administrator.
If attackers exploit a vulnerability in that app, they could gain Administrator privileges.
Then they can start turning off defenses.
![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
They can poke down a little bit lower in the stack and maybe elevate to System, which is greater than Administrator.
Or if they can exploit the kernel mode, they can turn on and turn off all defenses, while at the same time making the computer look healthy.
SecOps tools could report the computer as healthy when in fact its completely under the control of someone else.
## Maintaining integrity of the system after its running (run time)
One way to address this threat is to use a sandbox, as smartphones do.
That puts a layer between the app layer and the Windows platform services.
Universal Windows Platform (UWP) applications work this way.
But what if a vulnerability in the sandbox exists?
The attacker can escape and take control of the system.
Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary.
## How containers help protect Windows 10
Windows 10 addresses this by using virtualization based security to isolate more and more components out of Windows (left side) over time and moving those components into a separate, isolated hardware container.
The container helps prevent zero days and vulnerabilities from allowing an attacker to take control of a device.
Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised.
Anything that's running in that container will also be secure against a compromised app.
Initially, Windows Defender System Guard will protect things like authentication and other system services and data that needs to resist malware, and more things will be protected over time.
With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few.
![Windows Defender System Guard](images/windows-defender-system-guard.png)
## Validating platform integrity after Windows is running (run time)
While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we cant just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the devices integrity.
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the devices Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the devices firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)

BIN
windows/security/hardware-protection/images/windows-defender-system-guard-boot-time-integrity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/security/hardware-protection/images/windows-defender-system-guard-validate-system-integrity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

18
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
View File

@ -25,7 +25,7 @@ Install the Remote Server Administration Tools for Windows 10 on a computer runn
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate.
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
Hybrid Azure AD joined devices needs one Group Policy settings:
* Enable Windows Hello for Business
@ -36,7 +36,7 @@ Domain controllers automatically request a certificate from the *Domain Controll
To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object
#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
@ -47,7 +47,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
8. In the details pane, right-click **Certificate Services Client <EFBFBD> Auto-Enrollment** and select **Properties**.
8. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**.
9. Select **Enabled** from the **Configuration Model** list.
10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
11. Select the **Update certificates that use certificate templates** check box.
@ -58,7 +58,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO<EFBFBD>**
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO**
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
### Windows Hello for Business Group Policy
@ -100,16 +100,16 @@ The best way to deploy the Windows Hello for Business Group Policy object is to
The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO<EFBFBD>**
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All other users ignore the Group Policy object.
## Other Related Group Policy settings
### Windows Hello for Business
There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting so they are applicable to any user that sign-in from a computer with these policy settings.
#### Use a hardware security device
@ -117,7 +117,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p
You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
#### Use biometrics
@ -144,7 +144,7 @@ Windows 10 provides eight PIN Complexity Group Policy settings that give you gra
## Add users to the Windows Hello for Business Users group
Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business . You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
### Section Review
> [!div class="checklist"]

2
windows/security/information-protection/TOC.md
View File

@ -15,7 +15,7 @@
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
### [BitLocker: Management for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)

75
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -11,82 +11,41 @@ author: brianlic-msft
ms.date: 07/18/2018
---
# BitLocker Management Recommendations for Enterprises
# BitLocker Management for Enterprises
This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices.
The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
## Forward-looking recommendations for managing BitLocker
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction.
Therefore, we recommend that you upgrade your hardware so that your devices comply with Modern Standby or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for:
- [Domain-joined computers](#dom_join)
- [Devices joined to Azure Active Directory (Azure AD)](#azure_ad)
- [Workplace-joined PCs and Phones](#work_join)
- [Servers](#servers)
- [Scripts](#powershell)
<br />
## BitLocker management at a glance
| | PC Old Hardware | PC New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone
|---|---|----|---|---|
|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A|
|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
<br />
*PC hardware that supports Modern Standby or HSTI
<br />
<br />
<a id="dom_join"></a>
## Recommendations for domain-joined computers
Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption).
## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
For older client computers with BitLocker that are domain joined on-premises, use Microsoft BitLocker Administration and Management<sup>[1]</sup>. Using MBAM provides the following functionality:
Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. When moving to cloud-based management, following these steps could be helpful:
- Encrypts device with BitLocker using MBAM
- Stores BitLocker Recovery keys in MBAM Server
- Provides Recovery key access to end-user, helpdesk and advanced helpdesk
- Provides Reporting on Compliance and Recovery key access audit
1. Disable MBAM management and leave MBAM as only a database backup for the recovery key.
2. Join the computers to Azure Active Directory (Azure AD).
3. Use `Manage-bde -protectors -aadbackup` to backup the recovery key to Azure AD.
<a id="MBAM25"></a>
<sup>[1]</sup>The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1).
BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated.
<br />
Enterprises that choose to continue managing BitLocker on-premises after MBAM support ends can use the [BitLocker WMI provider class](https://msdn.microsoft.com/library/windows/desktop/aa376483) to create a custom management solution.
<a id="azure_ad"></a>
## Recommendations for devices joined to Azure Active Directory
## Managing devices joined to Azure Active Directory
<a id="MDM"></a>
Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
<a id="work_join"></a>
## Workplace-joined PCs and phones
## Managing workplace-joined PCs and phones
For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, and similarly for Azure AD domain join.
For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
<a id="servers"></a>
## Recommendations for servers
## Managing servers
Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
@ -98,8 +57,6 @@ If you are installing a server manually, such as a stand-alone server, then choo
For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
<a id ="powershell"></a>
## PowerShell examples
For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
@ -136,8 +93,6 @@ PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
<a id = "articles"></a>
## Related Articles
[BitLocker: FAQs](bitlocker-frequently-asked-questions.md)

4
windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/21/2018
ms.date: 07/19/2018
---
# Deploy, manage, and report on Windows Defender Antivirus
@ -41,7 +41,7 @@ You'll also see additional links for:
Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][]
Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management)
Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]

21
windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 07/19/2018
---
# Specify the cloud-delivered protection level
@ -30,6 +30,7 @@ ms.date: 04/30/2018
- Group Policy
- System Center Configuration Manager (current branch)
- Intune
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
@ -59,6 +60,24 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
**Use Intune to specify the level of cloud-delivered protection:**
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
5. On the **File Blocking Level** switch, select one of the following:
1. **High** to provide a strong level of detection
2. **High +** to apply additional protection measures
3. **Zero tolerance** to block all unknown executables
> [!WARNING]
> While unlikely, setting this switch to **High** might cause some legitimate files to be detected. The **High +** setting might impact client performance. We recommend you set this to the default level (**Not configured**).
8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)

4
windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/26/2017
ms.date: 07/19/2018
---
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
@ -22,7 +22,7 @@ In some cases, the protection will be labeled as Endpoint Protection, although t
See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/en-us/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
## Related topics

6
windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
View File

@ -64,3 +64,9 @@ Answering frequently asked questions about Windows Defender Application Guard (A
|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?|
|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and well work with you to enable the feature.|
<br>
| | |
|---|----------------------------|
|**Q:** |What is the WDAGUtilityAccount local account?|
|**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.|
<br>