diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 095188a9ba..33c89a2952 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -9,18 +9,16 @@ ms.localizationpriority: medium
ms.date: 03/28/2022
ms.topic: article
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Windows Tools/Administrative Tools
-**Applies to**
-
-- Windows 11
-- Windows 10
-
**Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
## Windows Tools folder (Windows 11)
diff --git a/windows/client-management/appv-deploy-and-config.md b/windows/client-management/appv-deploy-and-config.md
index f0c9843f27..6b89d95acc 100644
--- a/windows/client-management/appv-deploy-and-config.md
+++ b/windows/client-management/appv-deploy-and-config.md
@@ -9,6 +9,9 @@ author: vinaypamnani-msft
ms.date: 06/26/2017
ms.reviewer:
manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Deploy and configure App-V apps using MDM
@@ -482,4 +485,4 @@ EnterpriseAppVManagement
-```
\ No newline at end of file
+```
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index 4063a64e10..5d78440379 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,7 +1,7 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world's largest enterprise cloud identity management service.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -9,9 +9,12 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
ms.date: 12/31/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Azure Active Directory integration with MDM
@@ -50,7 +53,7 @@ Once a user has an Azure AD account added to Windows and enrolled in MDM, the en
Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
-2. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
+1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
@@ -143,8 +146,8 @@ The pages rendered by the MDM in the integrated enrollment process must use Wind
There are three distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
-2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
-3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
+1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
+1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
These scenarios support Windows Pro, Enterprise, and Education.
@@ -183,7 +186,7 @@ The following parameters are passed in the query string:
Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
-**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
+**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw...
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
@@ -333,7 +336,7 @@ Alert sample:
UserToken inserted here
- … other XML tags …
+ ... other XML tags ...
```
@@ -362,7 +365,7 @@ Here's an example.
user
- … other XML tags …
+ ... other XML tags ...
```
@@ -386,7 +389,7 @@ The following sample REST API call illustrates how an MDM can use the Microsoft
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
-Authorization: Bearer eyJ0eXAiO………
+Authorization: Bearer eyJ0eXAiO.........
Accept: application/json
Content-Type: application/json
{ "isManaged":true,
@@ -398,7 +401,7 @@ Where:
- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD.
-- **eyJ0eXAiO**……… - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
+- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index cc058826be..ad2ed3b4a8 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -9,6 +9,9 @@ author: vinaypamnani-msft
ms.date: 12/18/2020
ms.reviewer:
manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
@@ -21,8 +24,8 @@ Microsoft Intune can be accessed directly using its own admin center. For more i
If you use the Azure portal, then you can access Intune using the following steps:
1. Go to your Azure AD Blade.
-2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
-3. Select **Microsoft Intune** and configure the blade.
+1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
+1. Select **Microsoft Intune** and configure the blade.
@@ -30,4 +33,4 @@ Configure the blade
-You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
+You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index c85858a2d0..199bd846e9 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,9 +1,6 @@
---
title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
-MS-HAID:
- - 'p\_phdevicemgmt.bulk\_enrollment'
- - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -12,39 +9,43 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Bulk enrollment
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
-- Set up devices in bulk for large organizations to be managed by MDM.
-- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
-- Set up school computers.
-- Set up industrial machinery.
-- Set handheld POS devices.
+- Set up devices in bulk for large organizations to be managed by MDM.
+- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
+- Set up school computers.
+- Set up industrial machinery.
+- Set handheld POS devices.
On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> [!NOTE]
-> - Bulk-join is not supported in Azure Active Directory Join.
-> - Bulk enrollment does not work in Intune standalone environment.
-> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
-> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
-> - Bulk Token creation is not supported with federated accounts.
+>
+> - Bulk-join is not supported in Azure Active Directory Join.
+> - Bulk enrollment does not work in Intune standalone environment.
+> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
+> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
+> - Bulk Token creation is not supported with federated accounts.
## What you need
-- Windows 10 devices.
-- Windows Configuration Designer (WCD) tool.
+- Windows 10 devices.
+- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
-- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
-- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
+- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
+- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
@@ -53,52 +54,52 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool.
-2. Select **Advanced Provisioning**.
+1. Select **Advanced Provisioning**.
-3. Enter a project name and select **Next**.
-4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
-5. Skip **Import a provisioning package (optional)** and select **Finish**.
-6. Expand **Runtime settings** > **Workplace**.
-7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**.
+1. Enter a project name and select **Next**.
+1. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
+1. Skip **Import a provisioning package (optional)** and select **Finish**.
+1. Expand **Runtime settings** > **Workplace**.
+1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
-8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
+1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings:
- - **AuthPolicy** - Select **OnPremise**.
- - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- - **Secret** - Password
+ - **AuthPolicy** - Select **OnPremise**.
+ - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
+ - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
+ - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
+ - **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
Here's the screenshot of the WCD at this point.
-9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
-10. When you're done adding all the settings, on the **File** menu, select **Save**.
-11. On the main menu, select **Export** > **Provisioning package**.
+1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
+1. When you're done adding all the settings, on the **File** menu, select **Save**.
+1. On the main menu, select **Export** > **Provisioning package**.
-12. Enter the values for your package and specify the package output location.
+1. Enter the values for your package and specify the package output location.
-13. Select **Build**.
+1. Select **Build**.
-14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
-15. Apply the package to your devices.
+1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
+1. Apply the package to your devices.
## Create and apply a provisioning package for certificate authentication
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool.
-2. Select **Advanced Provisioning**.
-3. Enter a project name and select **Next**.
-4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
-5. Skip **Import a provisioning package (optional)** and select **Finish**.
-6. Specify the certificate.
+1. Select **Advanced Provisioning**.
+1. Enter a project name and select **Next**.
+1. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
+1. Skip **Import a provisioning package (optional)** and select **Finish**.
+1. Specify the certificate.
1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**.
2. Enter a **CertificateName** and then select **Add**.
3. Enter the **CertificatePasword**.
@@ -107,42 +108,42 @@ Using the WCD, create a provisioning package using the enrollment information re
6. For **KeyLocation**, select **Software only**.
-7. Specify the workplace settings.
+1. Specify the workplace settings.
1. Got to **Workplace** > **Enrollments**.
2. Enter the **UPN** for the enrollment and then select **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings:
- - **AuthPolicy** - Select **Certificate**.
- - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- - **Secret** - the certificate thumbprint.
+ - **AuthPolicy** - Select **Certificate**.
+ - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
+ - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
+ - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
+ - **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
-8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
-9. When you're done adding all the settings, on the **File** menu, select **Save**.
-10. Export and build the package (steps 10-13 in the procedure above).
-11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
-12. Apply the package to your devices.
+1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
+1. When you're done adding all the settings, on the **File** menu, select **Save**.
+1. Export and build the package (steps 10-13 in the procedure above).
+1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
+1. Apply the package to your devices.
## Apply a provisioning package
Here's the list of articles about applying a provisioning package:
-- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package)
-- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image)
-- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below
+- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package)
+- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image)
+- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below
## Apply a package from the Settings menu
-1. Go to **Settings** > **Accounts** > **Access work or school**.
-2. Select **Add or remove a provisioning package**.
-3. Select **Add a package**.
+1. Go to **Settings** > **Accounts** > **Access work or school**.
+1. Select **Add or remove a provisioning package**.
+1. Select **Add a package**.
## Validate that the provisioning package was applied
-1. Go to **Settings** > **Accounts** > **Access work or school**.
-2. Select **Add or remove a provisioning package**.
+1. Go to **Settings** > **Accounts** > **Access work or school**.
+1. Select **Add or remove a provisioning package**.
You should see your package listed.
## Retry logic if there's a failure
@@ -159,6 +160,5 @@ In addition, provisioning will be restarted in a SYSTEM context after a sign in
Here are links to step-by-step provisioning articles:
-- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
-- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
-
+- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
+- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index 2f5129ba9b..526ac9e52c 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -9,22 +9,25 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Certificate authentication device enrollment
-This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
+This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
-> [!Note]
+> [!NOTE]
> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
## In this topic
-- [Discovery service](#discovery-service)
-- [Enrollment policy web service](#enrollment-policy-web-service)
-- [Enrollment web service](#enrollment-web-service)
+- [Discovery service](#discovery-service)
+- [Enrollment policy web service](#enrollment-policy-web-service)
+- [Enrollment web service](#enrollment-web-service)
-For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
+For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery Service
@@ -135,7 +138,7 @@ Cache-Control: no-cache
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-
B64EncodedSampleBinarySecurityToken
@@ -296,14 +299,13 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
- wsu:Id=”29801C2F-F26B-46AD-984B-AFAEFB545FF8”>
+ wsu:Id="29801C2F-F26B-46AD-984B-AFAEFB545FF8">
B64EncodedSampleBinarySecurityToken
-
+
@@ -312,13 +314,13 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
SignedMessageBlob/ds:SignatureValue>
-
+
-
+
@@ -443,7 +445,7 @@ The following example shows the encoded provisioning XML.
-
+
@@ -487,7 +489,7 @@ The following example shows the encoded provisioning XML.
-
+
@@ -498,4 +500,4 @@ The following example shows the encoded provisioning XML.
-```
\ No newline at end of file
+```
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md
index 8b44256d9e..64e6ecdcb0 100644
--- a/windows/client-management/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/certificate-renewal-windows-mdm.md
@@ -1,9 +1,6 @@
---
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
-MS-HAID:
- - 'p\_phdevicemgmt.certificate\_renewal'
- - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -12,29 +9,32 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
-> [!Note]
+> [!NOTE]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
## Automatic certificate renewal request
Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal.
-> [!Note]
+> [!NOTE]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
-For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
+For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
-With automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
+With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
-During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
+During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
@@ -94,28 +94,28 @@ The following example shows the details of an automatic renewal request.
## Certificate renewal schedule configuration
-In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP’s RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
+In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
-> [!Note]
-> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
+> [!NOTE]
+> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
-- The signature of the PKCS\#7 BinarySecurityToken is correct
-- The client’s certificate is in the renewal period
-- The certificate was issued by the enrollment service
-- The requester is the same as the requester for initial enrollment
-- For standard client’s request, the client hasn’t been blocked
+- The signature of the PKCS\#7 BinarySecurityToken is correct
+- The client's certificate is in the renewal period
+- The certificate was issued by the enrollment service
+- The requester is the same as the requester for initial enrollment
+- For standard client's request, the client hasn't been blocked
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
-> [!Note]
+> [!NOTE]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of a certificate renewal response.
@@ -145,14 +145,14 @@ The following example shows the details of a certificate renewal response.
```
-> [!Note]
+> [!NOTE]
> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
-- CertificateStore
-- w7 APPLICATION
-- DMClient
-- EnterpriseAppManagement
+- CertificateStore
+- w7 APPLICATION
+- DMClient
+- EnterpriseAppManagement
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index d3410f5068..f598797aba 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -6,14 +6,16 @@ author: vinaypamnani-msft
ms.author: vinpa
ms.date: 11/25/2020
ms.topic: article
-ms.custom:
- - CI 111493
- - CI 125140
- - CSSTroubleshooting
-audience: ITPro
+ms.custom:
+- CI 111493
+- CI 125140
+- CSSTroubleshooting
ms.localizationpriority: medium
manager: kaushika
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Change in default removal policy for external storage media in Windows 10, version 1809
@@ -39,20 +41,20 @@ You can use the storage device policy setting to change the manner in which Wind
To change the policy for an external storage device:
1. Connect the device to the computer.
-2. Right-click **Start**, then select **File Explorer**.
-3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
-4. Right-click **Start**, then select **Disk Management**.
-5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
+1. Right-click **Start**, then select **File Explorer**.
+1. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
+1. Right-click **Start**, then select **Disk Management**.
+1. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
-6. Select **Policies**.
+1. Select **Policies**.
> [!NOTE]
> Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box.
>
> If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available.
-7. Select the policy that you want to use.
+1. Select the policy that you want to use.
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 56b72cdf0a..a901d37738 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -8,14 +8,12 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 05/24/2022
+appliesto:
+- ✅ Windows 11
---
# Secured-core PC configuration lock
-**Applies to**
-
-- Windows 11
-
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 2abfcd2135..9fdc0d93bf 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -9,11 +9,11 @@ ms.date: 01/18/2022
manager: aaroncz
ms.topic: article
appliesto:
- - ✅ Windows 10 and later
- - ✅ Windows 11 and later
+- ✅ Windows 11
+- ✅ Windows 10
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
ms.technology: itpro-manage
---
diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md
index 4c730c626d..40e3b7efcc 100644
--- a/windows/client-management/device-update-management.md
+++ b/windows/client-management/device-update-management.md
@@ -1,7 +1,7 @@
---
title: Mobile device management MDM for device updates
description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -10,8 +10,11 @@ ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 11/15/2017
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Mobile device management (MDM) for device updates
@@ -19,24 +22,24 @@ ms.collection:
>[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
-With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
+With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
-In particular, Windows 10 provides APIs to enable MDMs to:
+In particular, Windows 10 provides APIs to enable MDMs to:
-- Ensure machines stay up to date by configuring Automatic Update policies.
-- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
-- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
+- Ensure machines stay up to date by configuring Automatic Update policies.
+- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
+- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
-This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
+This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
-In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
+In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
-- Configure automatic update policies to ensure devices stay up to date.
-- Get device compliance information (the list of updates that are needed but not yet installed).
-- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
-- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
+- Configure automatic update policies to ensure devices stay up to date.
+- Get device compliance information (the list of updates that are needed but not yet installed).
+- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
+- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
-The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
+The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](mdm/update-csp.md) and the update policy area of the [Policy CSP](mdm/policy-configuration-service-provider.md).
@@ -46,9 +49,9 @@ The following diagram provides a conceptual overview of how this works:
The diagram can be roughly divided into three areas:
-- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
-- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
-- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
+- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
+- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
+- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
## Getting update metadata using the Server-Server sync protocol
@@ -60,38 +63,37 @@ This section describes this setup. The following diagram shows the server-server
MSDN provides much information about the Server-Server sync protocol. In particular:
-- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
-- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
+- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
+- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
Some important highlights:
-- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
-- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
-- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
+- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
+- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
+- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> [!NOTE]
-> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
-
+> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn't affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## Examples of update metadata XML structure and element descriptions
The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below:
-- **UpdateID** – The unique identifier for an update
-- **RevisionNumber** – Revision number for the update in case the update was modified.
-- **CreationDate** – the date on which this update was created.
-- **UpdateType** – The type of update, which could include the following:
- - **Detectoid** – if this update identity represents a compatibility logic
- - **Category** – This element could represent either of the following:
- - A Product category the update belongs to. For example, Windows, MS office, and so on.
- - The classification the update belongs to. For example, drivers, security, and so on.
- - **Software** – If the update is a software update.
- - **Driver** – if the update is a driver update.
-- **LocalizedProperties** – represents the language the update is available in, title and description of the update. It has the following fields:
- - **Language** – The language code identifier (LCID). For example, en or es.
- - **Title** – Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- - **Description** – Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.”
-- **KBArticleID** – The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
+- **UpdateID** - The unique identifier for an update
+- **RevisionNumber** - Revision number for the update in case the update was modified.
+- **CreationDate** - the date on which this update was created.
+- **UpdateType** - The type of update, which could include the following:
+ - **Detectoid** - if this update identity represents a compatibility logic
+ - **Category** - This element could represent either of the following:
+ - A Product category the update belongs to. For example, Windows, MS office, and so on.
+ - The classification the update belongs to. For example, drivers, security, and so on.
+ - **Software** - If the update is a software update.
+ - **Driver** - if the update is a driver update.
+- **LocalizedProperties** - represents the language the update is available in, title and description of the update. It has the following fields:
+ - **Language** - The language code identifier (LCID). For example, en or es.
+ - **Title** - Title of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)"
+ - **Description** - Description of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed."
+- **KBArticleID** - The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
## Recommended Flow for Using the Server-Server Sync Protocol
@@ -103,17 +105,16 @@ First some background:
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
-
The following procedure describes a basic algorithm for a metadata sync service:
-- Initialization uses the following steps:
- a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
-- Sync periodically (we recommend once every 2 hours - no more than once/hour).
- 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
+- Initialization uses the following steps:
+ a. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
+- Sync periodically (we recommend once every 2 hours - no more than once/hour).
+ 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and:
- - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- - Remove updates from the "needed update IDs to fault in" list once they've been brought in.
+ - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
+ - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
+ - Remove updates from the "needed update IDs to fault in" list once they've been brought in.
These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed.
@@ -121,22 +122,22 @@ These steps get information about the set of Microsoft Updates that IT needs to
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information:
-- Configure automatic update policies to ensure devices stay up to date.
-- Get device compliance information (the list of updates that are needed but not yet installed)
-- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
-- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs
+- Configure automatic update policies to ensure devices stay up to date.
+- Get device compliance information (the list of updates that are needed but not yet installed)
+- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
+- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs
The following list describes a suggested model for applying updates.
-1. Have a "Test Group" and an "All Group".
-2. In the Test group, just let all updates flow.
-3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
+1. Have a "Test Group" and an "All Group".
+1. In the Test group, just let all updates flow.
+1. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
Updates are configured using a combination of the [Update CSP](mdm/update-csp.md), and the update portion of the [Policy CSP](mdm/policy-configuration-service-provider.md).
### Update policies
-The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
+The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following information shows the Update policies in a tree format.
@@ -181,13 +182,12 @@ Policy
**Update/ActiveHoursEnd**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
> [!NOTE]
-> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
@@ -195,9 +195,9 @@ The default is 17 (5 PM).
**Update/ActiveHoursMaxRange**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
Supported values are 8-18.
@@ -205,13 +205,12 @@ The default value is 18 (hours).
**Update/ActiveHoursStart**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
-> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
@@ -219,8 +218,7 @@ The default value is 8 (8 AM).
**Update/AllowAutoUpdate**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
@@ -228,35 +226,32 @@ Supported operations are Get and Replace.
The following list shows the supported values:
-- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
-- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart.
-- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart.
-- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
-- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
-- 5 – Turn off automatic updates.
+- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart.
+- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart.
+- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
+- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
+- 5 - Turn off automatic updates.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
-
If the policy isn't configured, end users get the default behavior (Auto install and restart).
**Update/AllowMUUpdateService**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
The following list shows the supported values:
-- 0 – Not allowed or not configured.
-- 1 – Allowed. Accepts updates received through Microsoft Update.
+- 0 - Not allowed or not configured.
+- 1 - Allowed. Accepts updates received through Microsoft Update.
**Update/AllowNonMicrosoftSignedUpdate**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
@@ -264,15 +259,14 @@ Supported operations are Get and Replace.
The following list shows the supported values:
-- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
-- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer.
+- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
+- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer.
This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
**Update/AllowUpdateService**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
@@ -282,19 +276,17 @@ Enabling this policy will disable that functionality, and may cause connection t
The following list shows the supported values:
-- 0 – Update service isn't allowed.
-- 1 (default) – Update service is allowed.
+- 0 - Update service isn't allowed.
+- 1 (default) - Update service is allowed.
> [!NOTE]
-> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
-
+> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
**Update/AutoRestartNotificationSchedule**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
Supported values are 15, 30, 60, 120, and 240 (minutes).
@@ -302,51 +294,47 @@ The default value is 15 (minutes).
**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
The following list shows the supported values:
-- 1 (default) – Auto Dismissal.
-- 2 – User Dismissal.
+- 1 (default) - Auto Dismissal.
+- 2 - User Dismissal.
**Update/BranchReadinessLevel**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
The following list shows the supported values:
-- 16 (default) – User gets all applicable upgrades from Current Branch (CB).
-- 32 – User gets upgrades from Current Branch for Business (CBB).
+- 16 (default) - User gets all applicable upgrades from Current Branch (CB).
+- 32 - User gets upgrades from Current Branch for Business (CBB).
**Update/DeferFeatureUpdatesPeriodInDays**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
+Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
Supported values are 0-180.
**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
+Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
Supported values are 0-30.
**Update/DeferUpdatePeriod**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
-
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to four weeks.
@@ -383,10 +371,9 @@ If the **Allow Telemetry** policy is enabled and the Options value is set to 0,
**Update/DeferUpgradePeriod**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to enter more upgrade delays for up to eight months.
@@ -398,10 +385,9 @@ If the **Allow Telemetry** policy is enabled and the Options value is set to 0,
**Update/EngagedRestartDeadline**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
+Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
Supported values are 2-30 days.
@@ -409,10 +395,9 @@ The default value is 0 days (not specified).
**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
Supported values are 1-3 days.
@@ -420,10 +405,9 @@ The default value is three days.
**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
+Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Supported values are 2-30 days.
@@ -431,70 +415,67 @@ The default value is seven days.
**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
The following list shows the supported values:
-- 0 (default) – Allow Windows Update drivers.
-- 1 – Exclude Windows Update drivers.
+- 0 (default) - Allow Windows Update drivers.
+- 1 - Exclude Windows Update drivers.
**Update/IgnoreMOAppDownloadLimit**
-Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
The following list shows the supported values:
-- 0 (default) – Don't ignore MO download limit for apps and their updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
+- 0 (default) - Don't ignore MO download limit for apps and their updates.
+- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates.
To validate this policy:
-1. Enable the policy ensure the device is on a cellular network.
-2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
+1. Enable the policy ensure the device is on a cellular network.
+1. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
-3. Verify that any downloads that are above the download size limit will complete without being paused.
-
+1. Verify that any downloads that are above the download size limit will complete without being paused.
**Update/IgnoreMOUpdateDownloadLimit**
-Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
The following list shows the supported values:
-- 0 (default) – Don't ignore MO download limit for OS updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
+- 0 (default) - Don't ignore MO download limit for OS updates.
+- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates.
To validate this policy:
-1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+1. Enable the policy and ensure the device is on a cellular network.
+1. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
-3. Verify that any downloads that are above the download size limit will complete without being paused.
-
+1. Verify that any downloads that are above the download size limit will complete without being paused.
**Update/PauseDeferrals**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
-
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
The following list shows the supported values:
-- 0 (default) – Deferrals aren't paused.
-- 1 – Deferrals are paused.
+- 0 (default) - Deferrals aren't paused.
+- 1 - Deferrals are paused.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
@@ -502,51 +483,48 @@ If the **Allow Telemetry** policy is enabled and the Options value is set to 0,
**Update/PauseFeatureUpdates**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
The following list shows the supported values:
-- 0 (default) – Feature Updates aren't paused.
-- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
+- 0 (default) - Feature Updates aren't paused.
+- 1 - Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
**Update/PauseQualityUpdates**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
The following list shows the supported values:
-- 0 (default) – Quality Updates aren't paused.
-- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
+- 0 (default) - Quality Updates aren't paused.
+- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
**Update/RequireDeferUpgrade**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
-
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to CBB train.
The following list shows the supported values:
-- 0 (default) – User gets upgrades from Current Branch.
-- 1 – User gets upgrades from Current Branch for Business.
+- 0 (default) - User gets upgrades from Current Branch.
+- 1 - User gets upgrades from Current Branch for Business.
**Update/RequireUpdateApproval**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
-
+> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved.
@@ -554,15 +532,14 @@ Supported operations are Get and Replace.
The following list shows the supported values:
-- 0 – Not configured. The device installs all applicable updates.
-- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
+- 0 - Not configured. The device installs all applicable updates.
+- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
**Update/ScheduleImminentRestartWarning**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
Supported values are 15, 30, or 60 (minutes).
@@ -570,8 +547,7 @@ The default value is 15 (minutes).
**Update/ScheduledInstallDay**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the day of the update installation.
@@ -581,19 +557,18 @@ Supported operations are Add, Delete, Get, and Replace.
The following list shows the supported values:
-- 0 (default) – Every day
-- 1 – Sunday
-- 2 – Monday
-- 3 – Tuesday
-- 4 – Wednesday
-- 5 – Thursday
-- 6 – Friday
-- 7 – Saturday
+- 0 (default) - Every day
+- 1 - Sunday
+- 2 - Monday
+- 3 - Tuesday
+- 4 - Wednesday
+- 5 - Thursday
+- 6 - Friday
+- 7 - Saturday
**Update/ScheduledInstallTime**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the time of the update installation.
@@ -607,10 +582,9 @@ The default value is 3.
**Update/ScheduleRestartWarning**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
Supported values are 2, 4, 8, 12, or 24 (hours).
@@ -618,21 +592,20 @@ The default value is 4 (hours).
**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
+Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
The following list shows the supported values:
-- 0 (default) – Enabled
-- 1 – Disabled
+- 0 (default) - Enabled
+- 1 - Disabled
**Update/UpdateServiceUrl**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-> [!Important]
+> [!IMPORTANT]
> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet.
@@ -641,8 +614,8 @@ Supported operations are Get and Replace.
The following list shows the supported values:
-- Not configured. The device checks for updates from Microsoft Update.
-- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
+- Not configured. The device checks for updates from Microsoft Update.
+- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
Example
@@ -665,7 +638,7 @@ Example
**Update/UpdateServiceUrlAlternate**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
@@ -675,7 +648,7 @@ To use this setting, you must set two server name values: the server from which
Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet.
-> [!Note]
+> [!NOTE]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
@@ -731,9 +704,7 @@ The MDM must first present the EULA to IT and have them accept it before the upd
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> [!NOTE]
-> For the Windows 10 build, the client may need to reboot after additional updates are added.
-
-
+> For the Windows 10 build, the client may need to reboot after additional updates are added.
Supported operations are Get and Add.
@@ -798,9 +769,9 @@ Supported operation is Get.
**InstallableUpdates/*Installable Update Guid*/Type**
The UpdateClassification value of the update. Valid values are:
-- 0 - None
-- 1 - Security
-- 2 = Critical
+- 0 - None
+- 1 - Security
+- 2 = Critical
Supported operation is Get.
@@ -834,40 +805,39 @@ Upgrades deferred until the next period.
Supported operation is Get.
-
## Windows 10, version 1607 for update management
-Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
+Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
-- Update/ActiveHoursEnd
-- Update/ActiveHoursStart
-- Update/AllowMUUpdateService
-- Update/BranchReadinessLevel
-- Update/DeferFeatureUpdatePeriodInDays
-- Update/DeferQualityUpdatePeriodInDays
-- Update/ExcludeWUDriversInQualityUpdate
-- Update/PauseFeatureUpdates
-- Update/PauseQualityUpdates
+- Update/ActiveHoursEnd
+- Update/ActiveHoursStart
+- Update/AllowMUUpdateService
+- Update/BranchReadinessLevel
+- Update/DeferFeatureUpdatePeriodInDays
+- Update/DeferQualityUpdatePeriodInDays
+- Update/ExcludeWUDriversInQualityUpdate
+- Update/PauseFeatureUpdates
+- Update/PauseQualityUpdates
Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate.
|GPO key|Type|Value|
|--- |--- |--- |
|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train
32: systems take Feature Updates on the Current Branch for Business
Other value or absent: receive all applicable updates (CB)|
-|DeferQualityUpdates|REG_DWORD|1: defer quality updates
Other value or absent: don’t defer quality updates|
+|DeferQualityUpdates|REG_DWORD|1: defer quality updates
Other value or absent: don't defer quality updates|
|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates|
-|PauseQualityUpdates|REG_DWORD|1: pause quality updates
Other value or absent: don’t pause quality updates|
-|DeferFeatureUpdates|REG_DWORD|1: defer feature updates
Other value or absent: don’t defer feature updates|
+|PauseQualityUpdates|REG_DWORD|1: pause quality updates
Other value or absent: don't pause quality updates|
+|DeferFeatureUpdates|REG_DWORD|1: defer feature updates
Other value or absent: don't defer feature updates|
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
-|PauseFeatureUpdates|REG_DWORD|1: pause feature updates
Other value or absent: don’t pause feature updates|
+|PauseFeatureUpdates|REG_DWORD|1: pause feature updates
Other value or absent: don't pause feature updates|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers|
-Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
+Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
-- Update/RequireDeferUpgrade
-- Update/DeferUpgradePeriod
-- Update/DeferUpdatePeriod
-- Update/PauseDeferrals
+- Update/RequireDeferUpgrade
+- Update/DeferUpgradePeriod
+- Update/DeferUpdatePeriod
+- Update/PauseDeferrals
## Update management user experience screenshot
@@ -877,7 +847,6 @@ The following screenshots of the administrator console show the list of update t
-
## SyncML example
Set auto update to notify and defer.
diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md
index 246e8babc9..a2b1c288ba 100644
--- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md
@@ -1,7 +1,7 @@
---
title: Diagnose MDM failures in Windows 10
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -10,8 +10,11 @@ ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/25/2018
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Diagnose MDM failures in Windows 10
@@ -70,22 +73,22 @@ In this location, the **Admin** channel logs events by default. However, if you
### Collect admin logs
1. Right click on the **Admin** node.
-2. Select **Save all events as**.
-3. Choose a location and enter a filename.
-4. Click **Save**.
-5. Choose **Display information for these languages** and then select **English**.
-6. Click **Ok**.
+1. Select **Save all events as**.
+1. Choose a location and enter a filename.
+1. Click **Save**.
+1. Choose **Display information for these languages** and then select **English**.
+1. Click **Ok**.
For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**.
### Collect debug logs
1. Right click on the **Debug** node.
-2. Select **Save all events as**.
-3. Choose a location and enter a filename.
-4. Click **Save**.
-5. Choose **Display information for these languages** and then select **English**.
-6. Click **Ok**.
+1. Select **Save all events as**.
+1. Choose a location and enter a filename.
+1. Click **Save**.
+1. Choose **Display information for these languages** and then select **English**.
+1. Click **Ok**.
You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update.
@@ -240,32 +243,32 @@ After the logs are collected on the device, you can retrieve the files through t
For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected.
1. Open eventvwr.msc.
-2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
+1. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
-3. Navigate to the etl file that you got from the device and then open the file.
-4. Click **Yes** when prompted to save it to the new log format.
+1. Navigate to the etl file that you got from the device and then open the file.
+1. Click **Yes** when prompted to save it to the new log format.
-5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
+1. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
-6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
+1. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
-7. Now you're ready to start reviewing the logs.
+1. Now you're ready to start reviewing the logs.
## Collect device state data
-Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
+Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
```xml
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 371357b658..4e2488f898 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -1,9 +1,6 @@
---
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
-MS-HAID:
- - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_'
- - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -12,30 +9,31 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Disconnecting from the management infrastructure (unenrollment)
The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
-The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy.
+The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy.
During disconnection, the client executes the following tasks:
-- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
-- Removes certificates that are configured by MDM server.
-- Ceases enforcement of the settings policies applied by the management infrastructure.
-- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
-- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
-
+- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
+- Removes certificates that are configured by MDM server.
+- Ceases enforcement of the settings policies applied by the management infrastructure.
+- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
+- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
## In this topic
-- [User-initiated disconnection](#user-initiated-disconnection)
-- [Server-initiated disconnection](#server-initiated-disconnection)
-- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page)
-- [IT admin–requested disconnection](#it-admin-requested-disconnection)
-- [Unenrollment from Azure Active Directory Join](#dataloss)
-
+- [User-initiated disconnection](#user-initiated-disconnection)
+- [Server-initiated disconnection](#server-initiated-disconnection)
+- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page)
+- [IT admin-requested disconnection](#it-admin-requested-disconnection)
+- [Unenrollment from Azure Active Directory Join](#dataloss)
## User-initiated disconnection
@@ -44,9 +42,9 @@ In Windows, after the user confirms the account deletion command and before the
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> [!NOTE]
-> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
+> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
-
+
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
@@ -100,7 +98,6 @@ The following sample shows an OMA DM first package that contains a generic alert
After the previous package is sent, the unenrollment process begins.
-
## Server-initiated disconnection
When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1.
@@ -119,7 +116,6 @@ When the server initiates disconnection, all undergoing sessions for the enrollm
```
-
## Unenrollment from Work Access settings page
@@ -127,9 +123,8 @@ If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by
You can only use the Work Access page to unenroll under the following conditions:
-- Enrollment was done using bulk enrollment.
-- Enrollment was created using the Work Access page.
-
+- Enrollment was done using bulk enrollment.
+- Enrollment was created using the Work Access page.
## Unenrollment from Azure Active Directory Join
@@ -145,15 +140,8 @@ Before remotely unenrolling corporate devices, you must ensure that there is at
In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device.
-## IT admin–requested disconnection
+## IT admin-requested disconnection
-The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
+The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management.
-
-
-
-
-
-
-
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index 67353c881b..553ecce5d4 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -8,18 +8,21 @@ ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 11/01/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Enable ADMX policies in MDM
-
Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
+
- Find the policy from the list ADMX policies.
- Find the Group Policy related information from the MDM policy description.
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
@@ -28,20 +31,20 @@ Summary of steps to enable a policy:
See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune.
-
+
## Enable a policy
> [!NOTE]
> See [Understanding ADMX policies in Policy CSP](understanding-admx-backed-policies.md).
-1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
+1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP Friendly name
- GP name
- GP ADMX file name
- GP path
-2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
+1. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
1. Click **Start**, then in the text box type **gpedit**.
@@ -61,7 +64,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
-3. Create the SyncML to enable the policy that doesn't require any parameter.
+1. Create the SyncML to enable the policy that doesn't require any parameter.
In this example, you configure **Enable App-V Client** to **Enabled**.
@@ -89,10 +92,8 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
```
-
## Enable a policy that requires parameters
-
1. Create the SyncML to enable the policy that requires parameters.
In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
@@ -113,13 +114,12 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
4. Search for GP name **Publishing_Server2_policy**.
-
5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
Here's the snippet from appv.admx:
```xml
-
+
@@ -263,7 +263,6 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
```
-
## Disable a policy
The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2.
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index 8bffb182d7..d22d2d0223 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -7,25 +7,24 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 04/30/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Enroll a Windows 10 device automatically using Group Policy
-**Applies to:**
-
-- Windows 11
-- Windows 10
-
Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
Requirements:
+
- Active Directory-joined PC running Windows 10, version 1709 or later
- The enterprise has configured a mobile device management (MDM) service
- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
@@ -34,11 +33,12 @@ Requirements:
> [!TIP]
> For more information, see the following topics:
+>
> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md)
-The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered.
+The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered.
> [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
@@ -58,7 +58,7 @@ The following steps demonstrate required settings using the Intune service:
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
-2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
+1. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
@@ -67,9 +67,9 @@ The following steps demonstrate required settings using the Intune service:
>
> For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
-3. Verify that the device OS version is Windows 10, version 1709 or later.
+1. Verify that the device OS version is Windows 10, version 1709 or later.
-4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
+1. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
@@ -83,21 +83,21 @@ The following steps demonstrate required settings using the Intune service:
-5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
+1. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
-6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
+1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
-7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune.
+1. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
-8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal).
+1. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal).
-9. Verify that Microsoft Intune should allow enrollment of Windows devices.
+1. Verify that Microsoft Intune should allow enrollment of Windows devices.
:::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png":::
@@ -106,6 +106,7 @@ You may contact your domain administrators to verify if the group policy has bee
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements:
+
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
@@ -114,17 +115,17 @@ Requirements:
-2. Under **Best match**, select **Edit group policy** to launch it.
+1. Under **Best match**, select **Edit group policy** to launch it.
-3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
+1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
:::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png":::
-4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**.
+1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**.
:::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
-5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
+1. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
> [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**.
@@ -138,28 +139,27 @@ Requirements:
- > [!Tip]
+ > [!TIP]
> You can avoid this behavior by using Conditional Access Policies in Azure AD.
Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
-6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.
+1. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.
-7. Select **Info** to see the MDM enrollment information.
+1. Select **Info** to see the MDM enrollment information.
If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app).
-
### Task Scheduler app
1. Select **Start**, then in the text box type `task scheduler`.
-2. Under **Best match**, select **Task Scheduler** to launch it.
+1. Under **Best match**, select **Task Scheduler** to launch it.
-3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
+1. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
@@ -173,6 +173,7 @@ Requirements:
## Configure the auto-enrollment for a group of devices
Requirements:
+
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured (with Intune or a third-party service provider)
- Enterprise AD must be integrated with Azure AD.
@@ -203,9 +204,9 @@ Requirements:
- 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
-2. Install the package on the Domain Controller.
+1. Install the package on the Domain Controller.
-3. Navigate, depending on the version to the folder:
+1. Navigate, depending on the version to the folder:
- 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**
@@ -227,23 +228,23 @@ Requirements:
- 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)**
-4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
+1. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
-5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
+1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
-6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
+1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
-2. Create a Security Group for the PCs.
+1. Create a Security Group for the PCs.
-3. Link the GPO.
+1. Link the GPO.
-4. Filter using Security Groups.
+1. Filter using Security Groups.
## Troubleshoot auto-enrollment of devices
@@ -253,12 +254,12 @@ To collect Event Viewer logs:
1. Open Event Viewer.
-2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**.
+1. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**.
- > [!Tip]
+ > [!TIP]
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
-3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:
+1. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:
:::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
@@ -276,7 +277,7 @@ To collect Event Viewer logs:
:::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
- > [!Note]
+ > [!NOTE]
> This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs:
@@ -313,8 +314,8 @@ To collect Event Viewer logs:
- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
-
### Useful Links
+
- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 6646d4df78..de9278fca0 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -1,6 +1,6 @@
---
title: Enterprise app management
-description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
+description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -9,32 +9,35 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 10/04/2021
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Enterprise app management
-This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
+This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
## Application management goals
-Windows 10 offers the ability for management servers to:
+Windows 10 offers the ability for management servers to:
-- Install apps directly from the Microsoft Store for Business
-- Deploy offline Store apps and licenses
-- Deploy line-of-business (LOB) apps (non-Store apps)
-- Inventory all apps for a user (Store and non-Store apps)
-- Inventory all apps for a device (Store and non-Store apps)
-- Uninstall all apps for a user (Store and non-Store apps)
-- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- Remove the provisioned app on the device running Windows 10 for desktop editions
+- Install apps directly from the Microsoft Store for Business
+- Deploy offline Store apps and licenses
+- Deploy line-of-business (LOB) apps (non-Store apps)
+- Inventory all apps for a user (Store and non-Store apps)
+- Inventory all apps for a device (Store and non-Store apps)
+- Uninstall all apps for a user (Store and non-Store apps)
+- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
+- Remove the provisioned app on the device running Windows 10 for desktop editions
## Inventory your apps
-Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
+Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
-- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
-- nonStore - Apps that weren't acquired from the Microsoft Store.
-- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
+- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
+- nonStore - Apps that weren't acquired from the Microsoft Store.
+- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
@@ -150,19 +153,19 @@ Inventory is specific to the package full name and lists bundled packs and resou
Here are the nodes for each package full name:
-- Name
-- Version
-- Publisher
-- Architecture
-- InstallLocation
-- IsFramework
-- IsBundle
-- InstallDate
-- ResourceID
-- RequiresReinstall
-- PackageStatus
-- Users
-- IsProvisioned
+- Name
+- Version
+- Publisher
+- Architecture
+- InstallLocation
+- IsFramework
+- IsBundle
+- InstallDate
+- ResourceID
+- RequiresReinstall
+- PackageStatus
+- Users
+- IsProvisioned
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md).
@@ -206,9 +209,9 @@ You can use the EnterpriseModernAppManagement CSP to query for all app licenses
Here are the nodes for each license ID:
-- LicenseCategory
-- LicenseUsage
-- RequestedID
+- LicenseCategory
+- LicenseUsage
+- RequestedID
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md).
@@ -285,11 +288,11 @@ Here are some examples.
### Unlock the device for developer mode
-Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
+Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
-Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
+Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](mdm/policy-configuration-service-provider.md).
@@ -333,10 +336,10 @@ If you purchased an app from the Store for Business and the app is specified for
Here are the requirements for this scenario:
-- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
-- The device requires connectivity to the Microsoft Store.
-- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
-- The user must be signed in with their Azure AD identity.
+- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
+- The device requires connectivity to the Microsoft Store.
+- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
+- The user must be signed in with their Azure AD identity.
Here are some examples.
@@ -357,12 +360,12 @@ Here are some examples.
Here are the changes from the previous release:
-1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
-2. The value for flags can be "0" or "1"
+1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
+1. The value for flags can be "0" or "1"
When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
-3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
+1. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user
@@ -372,8 +375,8 @@ The app license only needs to be deployed as part of the initial installation of
In the SyncML, you need to specify the following information in the Exec command:
-- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
-- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license.
+- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
+- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license.
Here's an example of an offline license installation.
@@ -461,8 +464,8 @@ Here's an example of an app installation with dependencies.
-
-
+
+
@@ -495,13 +498,13 @@ Here's an example of an app installation with dependencies and optional packages
-
-
+
+
-
-
@@ -531,7 +534,7 @@ To provision app for all users of a device from a hosted location, the managemen
Here's an example of app installation.
> [!NOTE]
-> This is only supported in Windows 10 for desktop editions.
+> This is only supported in Windows 10 for desktop editions.
```xml
@@ -560,15 +563,15 @@ Here's an example of app installation.
The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML:
-- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location.
-- Dependencies can be specified if required to be installed with the package. This is optional.
+- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location.
+- Dependencies can be specified if required to be installed with the package. This is optional.
The DeploymentOptions parameter is only available in the user context.
Here's an example of app installation with dependencies.
> [!NOTE]
-> This is only supported in Windows 10 for desktop editions.
+> This is only supported in Windows 10 for desktop editions.
```xml
@@ -593,7 +596,7 @@ Here's an example of app installation with dependencies.
-
+
@@ -606,14 +609,14 @@ Here's an example of app installation with dependencies.
When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query:
-- Status - indicates the status of app installation.
- - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
- - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
-- LastError - The last error reported by the app deployment server.
-- LastErrorDescription - Describes the last error reported by the app deployment server.
-- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress.
+- Status - indicates the status of app installation.
+ - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
+ - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
+ - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
+ - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
+- LastError - The last error reported by the app deployment server.
+- LastErrorDescription - Describes the last error reported by the app deployment server.
+- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress.
Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
@@ -677,14 +680,13 @@ The Data field value of 0 (zero) indicates success. Otherwise it's an error code
> [!NOTE]
> At this time, the alert for Store app installation isn't yet available.
-
## Uninstall your apps
-You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
+You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
-- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
-- nonStore - These apps that weren't acquired from the Microsoft Store.
-- System - These apps are part of the OS. You can't uninstall these apps.
+- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
+- nonStore - These apps that weren't acquired from the Microsoft Store.
+- System - These apps are part of the OS. You can't uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name.
@@ -723,13 +725,12 @@ You can remove provisioned apps from a device for a specific version, or for all
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
-
Removing provisioned app occurs in the device context.
Here's an example for removing a provisioned app from a device.
```xml
-
+
1
@@ -821,7 +822,7 @@ To update an app from Microsoft Store, the device requires contact with the stor
Here's an example of an update scan.
```xml
-
+
1
@@ -835,7 +836,7 @@ Here's an example of an update scan.
Here's an example of a status check.
```xml
-
+
1
@@ -863,7 +864,7 @@ Turning off updates only applies to updates from the Microsoft Store at the devi
Here's an example.
```xml
-
+
1
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index 5acabf7ab8..d51111f943 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -8,11 +8,15 @@ ms.author: vinpa
ms.topic: conceptual
ms.technology: itpro-manage
ms.date: 12/31/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# How Mobile Device Management Providers support eSIM Management on Windows
The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
+
- Onboard to Azure Active Directory
- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include:
- [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html)
diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md
index a50c18383c..44ea3c1a36 100644
--- a/windows/client-management/federated-authentication-device-enrollment.md
+++ b/windows/client-management/federated-authentication-device-enrollment.md
@@ -9,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 07/28/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Federated authentication device enrollment
@@ -34,7 +37,7 @@ The discovery web service provides the configuration information necessary for a
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
-The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
+The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain "enterpriseenrollment" to the domain of the email address, and by appending the path "/EnrollmentServer/Discovery.svc". For example, if the email address is "sample@contoso.com", the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request.
@@ -74,10 +77,10 @@ After the device gets a response from the server, the device sends a POST reques
The following logic is applied:
-1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails.
-2. If that fails, the device tries HTTP to see whether it's redirected:
- - If the device isn't redirected, it prompts the user for the server address.
- - If the device is redirected, it prompts the user to allow the redirect.
+1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails.
+1. If that fails, the device tries HTTP to see whether it's redirected:
+ - If the device isn't redirected, it prompts the user for the server address.
+ - If the device is redirected, it prompts the user to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
@@ -123,31 +126,32 @@ The following example shows the discovery service request.
The discovery response is in the XML format and includes the following fields:
-- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
-- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
-- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
+- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
+- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
+- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
-> [!Note]
+> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
-> [!Note]
+> [!NOTE]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
-> - Parse the OS version from the data sent up during the discovery request.
-> - Append the OS version as a parameter in the AuthenticationServiceURL.
-> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
+>
+> - Parse the OS version from the data sent up during the discovery request.
+> - Append the OS version as a parameter in the AuthenticationServiceURL.
+> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
-> [!Note]
+> [!NOTE]
> The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
The following are the explicit requirements for the server.
-- The ```` element must support HTTPS.
-- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
-- WP doesn’t support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
+- The ```` element must support HTTPS.
+- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
+- WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
The enrollment client issues an HTTPS request as follows:
@@ -236,8 +240,8 @@ This web service implements the X.509 Certificate Enrollment Policy Protocol (MS
For Federated authentication policy, the security token credential is provided in a request message using the `` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
-- wsse:Security: The enrollment client implements the `` element defined in \[WSS\] section 5. The `` element must be a child of the `` element.
-- wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header.
+- wsse:Security: The enrollment client implements the `` element defined in \[WSS\] section 5. The `` element must be a child of the `` element.
+- wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header.
As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server.
@@ -386,7 +390,7 @@ The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.
The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
-> [!Note]
+> [!NOTE]
> The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for federated authentication.
@@ -474,15 +478,15 @@ The following example shows the enrollment web service request for federated aut
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
-> [!Note]
+> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate.
The provisioning XML contains:
-- The requested certificates (required)
-- The DM client configuration (required)
+- The requested certificates (required)
+- The DM client configuration (required)
The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server.
@@ -558,7 +562,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
-
+
@@ -602,7 +606,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
-
+
@@ -615,14 +619,14 @@ The following code shows sample provisioning XML (presented in the preceding pac
> [!NOTE]
>
-> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
+> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
>
-> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
+> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
>
-> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
+> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
>
-> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
+> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
>
-> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
+> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
>
-> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
+> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
index 3f1e0ef47a..540d2b2666 100644
--- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
@@ -10,15 +10,13 @@ manager: aaroncz
ms.author: vinpa
ms.topic: troubleshooting
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
-**Applies to**
-- Windows 10
-- Windows 11
-
-
In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.
| Policy name | Policy path | Comments |
@@ -34,7 +32,3 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
-
-
-
-
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index 702e05c056..db2ff0f60d 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -7,14 +7,13 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 08/03/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
appliesto:
- - ✅ Windows 10 and later
- - ✅ Windows 11 and later
+- ✅ Windows 11
+- ✅ Windows 10
---
-
# Support for mobile application management on Windows
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index 1ed28e0f9b..60014772f7 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -1,40 +1,34 @@
---
title: Manage corporate devices
-description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
+description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
-keywords: [MDM, device management]
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/14/2021
ms.topic: article
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Manage corporate devices
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11.
+You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11.
## In this section
| Topic | Description |
| --- | --- |
| [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment |
-| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
+| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
| [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
| [New policies for Windows 10 (and Windows 11)](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
| [Group Policies that apply only to Windows Enterprise and Windows Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
-| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations |
-
-
+| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations |
## Learn more
@@ -47,4 +41,3 @@ You can use the same management tools to manage all device types running Windows
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/)
-
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index 6f1cf2860e..71760bdd78 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -9,16 +9,14 @@ manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
---
# Manage Device Installation with Group Policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2022
-
## Summary
By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
@@ -26,6 +24,7 @@ By using Windows operating systems, administrators can determine what devices ca
## Introduction
### General
+
This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
@@ -72,7 +71,7 @@ Group Policy guides:
### Scenario #1: Prevent installation of all printers
-In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the ‘prevent/allow’ functionality of Device Installation policies in Group Policy.
+In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy.
### Scenario #2: Prevent installation of a specific printer
@@ -84,11 +83,11 @@ In this scenario, you'll combine what you learned from both scenario #1 and scen
### Scenario #4: Prevent installation of a specific USB device
-This scenario, although similar to scenario #2, brings another layer of complexity – how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
+This scenario, although similar to scenario #2, brings another layer of complexity - how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
-In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
+In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
## Technology Review
@@ -107,7 +106,7 @@ The four types of identifiers are:
- Device Instance ID
- Device ID
- Device setup classes
-- ‘Removable Devices’ device type
+- 'Removable Devices' device type
#### Device Instance ID
@@ -146,12 +145,12 @@ For more information, see [Device Setup Classes](/windows-hardware/drivers/insta
This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
-The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly referred to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly referred to devices that could be connected to an existing computer/machine:
+The following two links provide the complete list of Device Setup Classes. 'System Use' classes are mostly referred to devices that come with a computer/machine from the factory, while 'Vendor' classes are mostly referred to devices that could be connected to an existing computer/machine:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
-#### ‘Removable Device’ Device type
+#### 'Removable Device' Device type
Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
@@ -164,7 +163,7 @@ Device Installation section in Group Policy is a set of policies that control wh
The following passages are brief descriptions of the Device Installation policies that are used in this guide.
> [!NOTE]
-> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
+> Device Installation control is applied only to machines ('computer configuration') and not users ('user configuration') by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
#### Allow administrators to override Device Installation Restriction policies
@@ -219,22 +218,22 @@ To complete each of the scenarios, ensure you have:
- A client computer running Windows.
-- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
+- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB/network printer pre-installed on the machine.
- Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.
-### Understanding implications of applying ‘Prevent’ policies retroactive
+### Understanding implications of applying 'Prevent' policies retroactive
-All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
+All 'Prevent' policies can apply the block functionality to already installed devices-devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
-For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones.
+For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones.
This option is a powerful tool, but as such it has to be used carefully.
> [!IMPORTANT]
-> Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
+> Applying the 'Prevent retroactive' option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all 'Disk Drives' could block the access to the disk on which the OS boots with; Preventing retroactive all 'Net' could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
## Determine device identification strings
@@ -249,19 +248,19 @@ To find device identification strings using Device Manager
1. Make sure your printer is plugged in and installed.
-2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
+1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
-3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
+1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
-4. Find the “Printers” section and find the target printer
+1. Find the "Printers" section and find the target printer
 _Selecting the printer in Device Manager_
-5. Double-click the printer and move to the ‘Details’ tab.
+1. Double-click the printer and move to the 'Details' tab.
-  _Open the ‘Details’ tab to look for the device identifiers_
+  _Open the 'Details' tab to look for the device identifiers_
-6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies.
+1. From the 'Value' window, copy the most detailed Hardware ID - we'll use this value in the policies.
@@ -311,24 +310,24 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
+1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'-although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters
-4. Have a USB/network printer available to test the policy with
+1. Have a USB/network printer available to test the policy with
-### Scenario steps – preventing installation of prohibited devices
+### Scenario steps - preventing installation of prohibited devices
Getting the right device identifier to prevent it from being installed:
1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID).
-2. If you don’t have such device installed on your system or know the name of the class, you can check the following two links:
+1. If you don't have such device installed on your system or know the name of the class, you can check the following two links:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
-3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
+1. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
> Printers\
> Class = Printer\
@@ -340,40 +339,40 @@ Getting the right device identifier to prevent it from being installed:
Creating the policy to prevent all printers from being installed:
-1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Make sure all policies are disabled (recommended to keep ‘applied layered order of evaluation’ policy enabled).
+1. Make sure all policies are disabled (recommended to keep 'applied layered order of evaluation' policy enabled).
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
-6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+1. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
 _List of prevent Class GUIDs_
-7. Click ‘OK’.
+1. Click 'OK'.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
-9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’
+1. Optional - if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'
> [!IMPORTANT]
-> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using ‘Disk Drive’ class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
+> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
### Testing the scenario
-1. If you haven't completed step #9 – follow these steps:
+1. If you haven't completed step #9 - follow these steps:
- 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
- 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
+ 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
+ 1. For USB printer - unplug and plug back the cable; for network device - make a search for the printer in the Windows Settings app.
1. You shouldn't be able to reinstall the printer.
-2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
+1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
## Scenario #2: Prevent installation of a specific printer
@@ -385,39 +384,39 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
+1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
-### Scenario steps – preventing installation of a specific device
+### Scenario steps - preventing installation of a specific device
Getting the right device identifier to prevent it from being installed:
-1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously
+1. Get your printer's Hardware ID - in this example we'll use the identifier we found previously
 _Printer Hardware ID_
-2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
+1. Write down the device ID (in this case Hardware ID) - WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
Creating the policy to prevent a single printer from being installed:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block.
-5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
+1. Enter the printer device ID you found above - WSDPRINT\CanonMX920_seriesC1A0
 _Prevent Device ID list_
-6. Click ‘OK’.
+1. Click 'OK'.
-7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install.
+1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install.
-8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’.
+1. Optional - if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'.
### Testing the scenario
@@ -425,12 +424,11 @@ If you completed step #8 above and restarted the machine, look for your printer
If you haven't completed step #8, follow these steps:
-1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
+1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
-2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
-
-3. You shouldn't be able to reinstall the printer.
+1. For USB printer - unplug and plug back the cable; for network device - make a search for the printer in the Windows Settings app.
+1. You shouldn't be able to reinstall the printer.
## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
@@ -442,67 +440,66 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Disable all previous Device Installation policies, and enable ‘Apply layered order of evaluation’.
+1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'.
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters.
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
-4. Have a USB/network printer available to test the policy with.
+1. Have a USB/network printer available to test the policy with.
-### Scenario steps – preventing installation of an entire class while allowing a specific printer
+### Scenario steps - preventing installation of an entire class while allowing a specific printer
-Getting the device identifier for both the Printer Class and a specific printer – following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
+Getting the device identifier for both the Printer Class and a specific printer - following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
- ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
- Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
-First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
+First create a 'Prevent Class' policy and then create 'Allow Device' one:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Make sure all policies are disabled
+1. Make sure all policies are disabled
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
-6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
 _List of prevent Class GUIDs_
-7. Click ‘OK’.
+1. Click 'OK'.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
-9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’
+1. To complete the coverage of all future and existing printers - Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'
-10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
+1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it - this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
 _Apply layered order of evaluation policy_
-9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
-11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
+1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
 _Allow Printer Hardware ID_
-12. Click ‘OK’.
+1. Click 'OK'.
-13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed).
+1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and allows the target printer to be installed (or stayed installed).
## Testing the scenario
1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
-2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all.
-
+1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer - you shouldn't be bale to print anything or able to access the printer at all.
## Scenario #4: Prevent installation of a specific USB device
@@ -514,67 +511,65 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section
-2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications.
+1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario) - although the policy is disabled in default, it's recommended to be enabled in most practical applications.
-### Scenario steps – preventing installation of a specific device
+### Scenario steps - preventing installation of a specific device
Getting the right device identifier to prevent it from being installed and its location in the PnP tree:
1. Connect a USB thumb drive to the machine
-2. Open Device Manager
+1. Open Device Manager
-3. Find the USB thumb-drive and select it.
+1. Find the USB thumb-drive and select it.
 _Selecting the usb thumb-drive in Device Manager_
-4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
+1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree.
 _Changing view in Device Manager to see the PnP connection tree_
> [!NOTE]
- > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
+ > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked.
 _When blocking one device, all the devices that are nested below it will be blocked as well_
-5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
+1. Double-click the USB thumb-drive and move to the 'Details' tab.
-6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
+1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
 _USB device hardware IDs_
Creating the policy to prevent a single USB thumb-drive from being installed:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
-5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
+1. Enter the USB thumb-drive device ID you found above - USBSTOR\DiskGeneric_Flash_Disk______8.07
 _Prevent Device IDs list_
-6. Click ‘OK’.
+1. Click 'OK'.
-7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install.
-
-8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’
+1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install.
+1. Optional - if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'
### Testing the scenario
-1. If you haven't completed step #8 – follow these steps:
+1. If you haven't completed step #8 - follow these steps:
- - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”.
+ - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device".
- You shouldn't be able to reinstall the device.
-2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
-
+1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
@@ -586,15 +581,15 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Disable all previous Device Installation policies, and **enable** ‘Apply layered order of evaluation’.
+1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'.
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters.
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
-4. Have a USB thumb-drive available to test the policy with.
+1. Have a USB thumb-drive available to test the policy with.
-### Scenario steps – preventing installation of all USB devices while allowing only an authorized USB thumb-drive
+### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive
-Getting the device identifier for both the USB Classes and a specific USB thumb-drive – following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
+Getting the device identifier for both the USB Classes and a specific USB thumb-drive - following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
- USB Bus Devices (hubs and host controllers)
- Class = USB
@@ -610,16 +605,16 @@ Getting the device identifier for both the USB Classes and a specific USB thumb-
As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
-- “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03
-- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
-- “Generic USB Hub” -> USB\USB20_HUB
+- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03
+- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30
+- "Generic USB Hub" -> USB\USB20_HUB
 _USB devices nested under each other in the PnP tree_
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
> [!IMPORTANT]
-> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list:
+> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list:
>
> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
@@ -629,49 +624,49 @@ These devices are internal devices on the machine that define the USB port conne
>
> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
-First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
+First create a 'Prevent Class' policy and then create 'Allow Device' one:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Make sure all policies are disabled
+1. Make sure all policies are disabled
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
-6. Enter both USB classes GUID you found above with the curly braces:
+1. Enter both USB classes GUID you found above with the curly braces:
> {36fc9e60-c465-11cf-8056-444553540000}/
> {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
-7. Click ‘OK’.
+1. Click 'OK'.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs.
> [!IMPORTANT]
> The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
-9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
+1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it - this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
 _Apply layered order of evaluation policy_
-10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
-12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
+1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation - USBSTOR\DiskGeneric_Flash_Disk______8.07
 _Allowed USB Device IDs list_
-13. Click ‘OK’.
+1. Click 'OK'.
-14. Click ‘Apply’ on the bottom right of the policy’s window.
+1. Click 'Apply' on the bottom right of the policy's window.
-15. To apply the ‘Prevent’ coverage of all currently installed USB devices – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’.
+1. To apply the 'Prevent' coverage of all currently installed USB devices - Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'.
### Testing the scenario
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index 0bb88c2d24..8ef58c88ac 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -9,20 +9,18 @@ manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Manage the Settings app with Group Policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016
-
You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.
->[!Note]
+>[!NOTE]
>Each server that you want to manage access to the Settings App must be patched.
If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
@@ -47,4 +45,4 @@ The Group Policy can be configured in one of two ways: specify a list of pages t
Here are some examples:
- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
-- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
\ No newline at end of file
+- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index b3940204c7..5f5eab5ac7 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -6,13 +6,13 @@ ms.localizationpriority: medium
ms.date: 06/03/2022
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.topic: overview
ms.technology: itpro-manage
appliesto:
- - ✅ Windows 10 and later
- - ✅ Windows 11 and later
+- ✅ Windows 11
+- ✅ Windows 10
---
# Manage Windows devices in your organization - transitioning to modern management
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 0771fcc433..b88325b27f 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -5,22 +5,20 @@ ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 09/14/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.topic: article
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Create mandatory user profiles
-**Applies to**
-
-- Windows 10
-- Windows 11
-
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
@@ -60,7 +58,7 @@ First, you create a default user profile with the customizations that you want,
> [!NOTE]
> Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
-1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
+1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10).
@@ -88,7 +86,6 @@ First, you create a default user profile with the customizations that you want,
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
-
1. In **Copy To**, under **Permitted to use**, click **Change**.
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index 7023a7b517..a9010c65c9 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -1,10 +1,7 @@
---
title: MDM enrollment of Windows 10-based devices
description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources.
-MS-HAID:
- - 'p\_phdevicemgmt.enrollment\_ui'
- - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -12,27 +9,30 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
ms.date: 12/31/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# MDM enrollment of Windows 10-based devices
-In today’s cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization’s resources, such as apps, the corporate network, and email.
+In today's cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email.
> [!NOTE]
> When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device.
-## Connect corporate-owned Windows 10-based devices
+## Connect corporate-owned Windows 10-based devices
-You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
+You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
### Connect your device to an Active Directory domain (join a domain)
-Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app.
+Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app.
> [!NOTE]
> Mobile devices can't be connected to an Active Directory domain.
@@ -41,15 +41,15 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Educatio
Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain:
-1. On the **Who Owns this PC?** page, select **My work or school owns it**.
+1. On the **Who Owns this PC?** page, select **My work or school owns it**.
-2. Next, select **Join a domain**.
+1. Next, select **Join a domain**.
-3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
+1. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
@@ -57,27 +57,27 @@ Joining your device to an Active Directory domain during the out-of-box-experien
To create a local account and connect the device:
-1. Launch the Settings app.
+1. Launch the Settings app.
-2. Next, select **Accounts**.
+1. Next, select **Accounts**.
-3. Navigate to **Access work or school**.
+1. Navigate to **Access work or school**.
-4. Select **Connect**.
+1. Select **Connect**.
-5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
+1. Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
-6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
+1. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
@@ -89,10 +89,8 @@ There are a few instances where your device can't be connected to an Active Dire
|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. |
| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. |
-| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. |
-| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
-
-
+| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You'll need to switch to an administrator account to continue. |
+| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
### Connect your device to an Azure AD domain (join Azure AD)
@@ -102,19 +100,19 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
To join a domain:
-1. Select **My work or school owns it**, then select **Next.**
+1. Select **My work or school owns it**, then select **Next.**
-2. Select **Join Azure AD**, and then select **Next.**
+1. Select **Join Azure AD**, and then select **Next.**
-3. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services.
+1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services.
If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication.
- Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain.
+ Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization's Azure AD domain.
@@ -122,37 +120,37 @@ To join a domain:
To create a local account and connect the device:
-1. Launch the Settings app.
+1. Launch the Settings app.
-2. Next, navigate to **Accounts**.
+1. Next, navigate to **Accounts**.
-3. Navigate to **Access work or school**.
+1. Navigate to **Access work or school**.
-4. Select **Connect**.
+1. Select **Connect**.
-5. Under **Alternate Actions**, select **Join this device to Azure Active Directory**.
+1. Under **Alternate Actions**, select **Join this device to Azure Active Directory**.
-6. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
+1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
-7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
+1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM.
- After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username.
+ After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username.
@@ -165,42 +163,39 @@ There are a few instances where your device can't be connected to an Azure AD do
| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. |
| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. |
| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. |
-| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. |
+| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You'll need to switch to an administrator account to continue. |
| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. |
-| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
-
-
+| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
## Connect personally owned devices
-
-Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school.
+Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school.
### Connect to a work or school account
-All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps.
+All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps.
### Use the Settings app
To create a local account and connect the device:
-1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.
+1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.
-2. Navigate to **Access work or school**.
+1. Navigate to **Access work or school**.
-3. Select **Connect**.
+1. Select **Connect**.
-4. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
+1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
-5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
+1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
@@ -210,13 +205,13 @@ To create a local account and connect the device:
-6. After you complete the flow, your Microsoft account will be connected to your work or school account.
+1. After you complete the flow, your Microsoft account will be connected to your work or school account.
### Connect to MDM on a desktop (enrolling in device management)
-All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app.
+All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app.
### Use the Settings app
@@ -226,29 +221,29 @@ To create a local account and connect the device:
-2. Next, navigate to **Accounts**.
+1. Next, navigate to **Accounts**.
-3. Navigate to **Access work or school**.
+1. Navigate to **Access work or school**.
-4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
+1. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
-5. Type in your work email address.
+1. Type in your work email address.
-6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information.
+1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen.
- After you complete the flow, your device will be connected to your organization’s MDM.
+ After you complete the flow, your device will be connected to your organization's MDM.
### Help with connecting personally owned devices
@@ -256,25 +251,23 @@ There are a few instances where your device may not be able to connect to work.
| Error Message | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. |
-| We couldn't find your identity in your organization’s cloud. | The username you entered wasn't found on your Azure AD tenant. |
+| Your device is already connected to your organization's cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. |
+| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. |
| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. |
-| You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
-| We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
-
+| You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
+| We couldn't auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
## Connect your Windows 10-based device to work using a deep link
+Windows 10-based devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience.
-Windows 10-based devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience.
-
-In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory.
+In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory.
The deep link used for connecting your device to work will always use the following format.
**ms-device-enrollment:?mode={mode\_name}**
-| Parameter | Description | Supported Value for Windows 10|
+| Parameter | Description | Supported Value for Windows 10|
|-----------|--------------------------------------------------------------|----------------------------------------------|
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. |
|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
@@ -297,9 +290,9 @@ The deep link used for connecting your device to work will always use the follow
To connect your devices to MDM using deep links:
-1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
+1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
- (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
+ (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
- IT admins can add this link to a welcome email that users can select to enroll into MDM.
@@ -310,13 +303,13 @@ To connect your devices to MDM using deep links:
- IT admins can also add this link to an internal web page that users refer to enrollment instructions.
-2. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
+1. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
Type in your work email address.
-3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
+1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
After you complete the flow, your device will be connected to your organization's MDM.
@@ -324,7 +317,6 @@ To connect your devices to MDM using deep links:
## Manage connections
-
To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
@@ -333,11 +325,11 @@ To manage your work or school connections, select **Settings** > **Accounts** >
The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios:
-- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured.
-- Connecting your device to a work or school account that has auto-enroll into MDM configured.
-- Connecting your device to MDM.
+- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured.
+- Connecting your device to a work or school account that has auto-enroll into MDM configured.
+- Connecting your device to MDM.
-Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed.
+Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You'll be able to view your organization's support information (if configured) on this page. You'll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed.
Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot.
@@ -350,24 +342,16 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a
The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality:
-- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
-- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device.
+- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
+- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device.
> [!WARNING]
> Disconnecting might result in the loss of data on the device.
## Collecting diagnostic logs
-
You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files.
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here.
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index 32f8e9cbb9..efa9cb8b51 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -10,11 +10,11 @@ author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
appliesto:
- - ✅ Windows 10 and later
- - ✅ Windows 11 and later
+- ✅ Windows 11
+- ✅ Windows 10
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
---
# Mobile Device Management overview
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index aa0fa503b7..c70b4ab1a5 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -1,10 +1,7 @@
---
title: What's new in MDM enrollment and management
description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
-MS-HAID:
- - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
- - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -13,6 +10,9 @@ ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/16/2022
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# What's new in mobile device enrollment and management
@@ -145,7 +145,7 @@ A production ready deployment must have the appropriate certificate details as p
EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
-- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
+- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
For information about EAP Settings, see .
@@ -281,28 +281,28 @@ Alternatively you can use the following procedure to create an EAP Configuration
1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md).
-2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
+1. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
:::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png":::
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
-3. Click the **Properties** button underneath the drop-down menu.
+1. Click the **Properties** button underneath the drop-down menu.
-4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
+1. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
:::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
-5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
+1. In the **Configure Certificate Selection** menu, adjust the filters as needed.
:::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
-6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
+1. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
-7. Close the rasphone dialog box.
+1. Close the rasphone dialog box.
-8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
+1. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
@@ -332,17 +332,16 @@ No. Only one MDM is allowed.
### How do I set the maximum number of Azure Active Directory-joined devices per user?
1. Sign in to the portal as tenant admin: https://portal.azure.com.
-2. Select Active Directory on the left pane.
-3. Choose your tenant.
-4. Select **Configure**.
-5. Set quota to unlimited.
+1. Select Active Directory on the left pane.
+1. Choose your tenant.
+1. Select **Configure**.
+1. Set quota to unlimited.
:::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png":::
### What is dmwappushsvc?
Entry | Description
---------------- | --------------------
-What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
+--------------- | -------------------- What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 0adc1b4483..30d0863228 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -10,16 +10,13 @@ ms.localizationpriority: medium
ms.date: 09/15/2021
ms.topic: reference
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# New policies for Windows 10
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004.
@@ -41,7 +38,6 @@ The following Group Policy settings were added in Windows 10, version 1903:
- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
-
**Windows Components**
- Windows Components\App Privacy\Let Windows apps activate with voice
@@ -180,7 +176,7 @@ The following Group Policy settings were added in Windows 10, version 1809:
- Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans
- Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard
-- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user’s device
+- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device
- Windows Components\Windows Defender Application Guard\Configure additional sources for untrusted files in Windows Defender Application Guard
- Windows Components\Windows Hello for Business\Use Windows Hello for Business certificates as smart card certificates
- Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
@@ -238,7 +234,6 @@ The following Group Policy settings were added in Windows 10, version 1809:
- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network
-
## New Group Policy settings in Windows 10, version 1803
The following Group Policy settings were added in Windows 10, version 1803:
@@ -278,7 +273,6 @@ The following Group Policy settings were added in Windows 10, version 1803:
- Windows Components\Windows Defender Security Center\Device security\Hide the Secure boot area
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area
-
## New Group Policy settings in Windows 10, version 1709
The following Group Policy settings were added in Windows 10, version 1709:
@@ -347,7 +341,6 @@ The following Group Policy settings were added in Windows 10, version 1709:
- Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections
- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update
-
## New Group Policy settings in Windows 10, version 1703
The following Group Policy settings were added in Windows 10, version 1703:
@@ -473,34 +466,33 @@ The following Group Policy settings were added in Windows 10, version 1703:
- Windows Components\Windows Update\Turn on recommended updates via Automatic Updates
- Windows Components\Shutdown Options\Turn off legacy remote shutdown interface
-
For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627).
## New MDM policies
Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings, and new or enhanced settings for Windows 10, such as:
-- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
+- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
-- Enhanced Bluetooth policies
+- Enhanced Bluetooth policies
-- Passport and Hello
+- Passport and Hello
-- Device update
+- Device update
-- Hardware-based device health attestation
+- Hardware-based device health attestation
-- [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout
+- [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout
-- Security
+- Security
-- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management
+- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management
-- Certificate management
+- Certificate management
-- Windows Tips
+- Windows Tips
-- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
+- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md).
diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md
index d87cd9db0c..1c8a92786b 100644
--- a/windows/client-management/oma-dm-protocol-support.md
+++ b/windows/client-management/oma-dm-protocol-support.md
@@ -9,9 +9,11 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
-
# OMA DM protocol support
The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf).
@@ -32,7 +34,6 @@ The following table shows the OMA DM standards that Windows uses.
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.|
|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
-
## OMA DM protocol common elements
@@ -68,26 +69,27 @@ A short DM session can be summarized as:
A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents.
A DM session can be divided into two phases:
-1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table.
-2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table.
+
+1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table.
+1. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table.
The following information shows the sequence of events during a typical DM session.
-1. DM client is invoked to call back to the management server
Enterprise scenario – The device task schedule invokes the DM client.
+1. DM client is invoked to call back to the management server
Enterprise scenario - The device task schedule invokes the DM client.
The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
-2. The device sends a message, over an IP connection, to initiate the session.
+1. The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
-3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any.
+1. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any.
-4. The device responds to server management commands. This message includes the results of performing the specified device management operations.
+1. The device responds to server management commands. This message includes the results of performing the specified device management operations.
-5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated.
+1. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated.
The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
@@ -97,7 +99,6 @@ If a request includes credentials and the response code to the request is 200, t
For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/).
-
## User targeted vs. Device targeted configuration
For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1.
@@ -130,7 +131,6 @@ The following LocURL shows a per user CSP node configuration: `./user/vendor/MSF
The following LocURL shows a per device CSP node configuration: `./device/vendor/MSFT/RemoteWipe/DoWipe`
-
## SyncML response status codes
diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md
index daf5a628d7..95dce3e717 100644
--- a/windows/client-management/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/on-premise-authentication-device-enrollment.md
@@ -9,11 +9,14 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# On-premises authentication device enrollment
-This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
## In this topic
@@ -23,7 +26,7 @@ This section provides an example of the mobile device enrollment protocol using
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
-For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
+For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
@@ -32,7 +35,7 @@ The discovery web service provides the configuration information necessary for a
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
-The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
+The device's automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain "enterpriseenrollment" to the domain of the email address, and by appending the path "/EnrollmentServer/Discovery.svc". For example, if the email address is "sample@contoso.com", the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
The first request is a standard HTTP GET request.
@@ -72,10 +75,10 @@ After the device gets a response from the server, the device sends a POST reques
The following logic is applied:
-1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails.
-2. If that fails, the device tries HTTP to see whether it is redirected:
- - If the device is not redirected, it prompts the user for the server address.
- - If the device is redirected, it prompts the user to allow the redirect.
+1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails.
+1. If that fails, the device tries HTTP to see whether it is redirected:
+ - If the device is not redirected, it prompts the user for the server address.
+ - If the device is redirected, it prompts the user to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address:
@@ -124,9 +127,9 @@ If a domain and user name are provided by the user instead of an email address,
The discovery response is in the XML format and includes the following fields:
-- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
-- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
-- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
+- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
+- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
+- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> [!NOTE]
> The HTTP server response must not be chunked; it must be sent as one message.
@@ -462,7 +465,7 @@ The following example shows the encoded provisioning XML.
-
+
@@ -505,7 +508,7 @@ The following example shows the encoded provisioning XML.
-
+
diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md
index 5e90998e48..efc700f21d 100644
--- a/windows/client-management/push-notification-windows-mdm.md
+++ b/windows/client-management/push-notification-windows-mdm.md
@@ -1,10 +1,7 @@
---
title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-MS-HAID:
- - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management'
- - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm'
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -12,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/22/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Push notification support for device management
@@ -33,7 +33,7 @@ The following restrictions are related to push notifications and WNS:
- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support.
- On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel.
- To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue.
+ To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they're already running Windows 10, there should be an update available that they can install that should fix the issue.
- On Windows 10, version 1511, we use the following retry logic for the DMClient:
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index 4e59e30993..cd051cbaee 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -10,11 +10,11 @@ ms.author: vinpa
manager: aaroncz
ms.reviewer: pmadrigal
appliesto:
- - ✅ Windows 10 and later
- - ✅ Windows 11 and later
+- ✅ Windows 11
+- ✅ Windows 10
ms.collection:
- - highpri
- - tier1
+- highpri
+- tier1
ms.date: 03/06/2023
---
diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md
index c0a307103f..30f628af50 100644
--- a/windows/client-management/server-requirements-windows-mdm.md
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -1,9 +1,6 @@
---
title: Server requirements for using OMA DM to manage Windows devices
description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
-MS-HAID:
- - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm'
- - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -12,29 +9,25 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Server requirements for using OMA DM to manage Windows devices
The following list shows the general server requirements for using OMA DM to manage Windows devices:
-- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
+- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
-- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store.
+- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store.
-- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
+- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
-- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
+- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
-- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash.
+- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash.
For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
-- The server must support HTTPS.
-
-
-
-
-
-
-
+- The server must support HTTPS.
diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md
index 5e5008f0eb..b3724368d3 100644
--- a/windows/client-management/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md
@@ -9,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Structure of OMA DM provisioning files
@@ -65,17 +68,16 @@ The following example shows the general structure of the XML document sent by th
SyncHdr includes the following information:
-- Document Type Definition (DTD) and protocol version numbers
+- Document Type Definition (DTD) and protocol version numbers
-- Session and message identifiers. Each message in the same DM session must have a different MsgID.
+- Session and message identifiers. Each message in the same DM session must have a different MsgID.
-- Message source and destination Uniform Resource Identifiers (URIs)
+- Message source and destination Uniform Resource Identifiers (URIs)
-- Credentials for authentication
+- Credentials for authentication
This information is used to by the client device to properly manage the DM session.
-
**Code example**
The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only.
@@ -83,7 +85,7 @@ The following example shows the header component of a DM message. In this case,
> [!NOTE]
> The `` node value for the `` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](mdm/devinfo-csp.md).
-
+
```xml
diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md
index 344d0eb5a7..1dd76ad9e8 100644
--- a/windows/client-management/understanding-admx-backed-policies.md
+++ b/windows/client-management/understanding-admx-backed-policies.md
@@ -1,6 +1,6 @@
---
title: Understanding ADMX policies
-description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
+description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
@@ -9,6 +9,9 @@ author: vinaypamnani-msft
ms.date: 03/23/2020
ms.reviewer:
manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Understanding ADMX policies
@@ -23,6 +26,7 @@ In addition to standard MDM policies, the Policy CSP can also handle selected se
ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC.
Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor:
+
- OS settings: Computer Configuration/Administrative Templates
- Application settings: User Configuration/Administrative Templates
@@ -33,7 +37,7 @@ An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policy
Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](mdm/policy-configuration-service-provider.md).
-
+
## ADMX files and the Group Policy Editor
@@ -42,6 +46,7 @@ To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrat
The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category.
Group Policy option button setting:
+
- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
- The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
- The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition.
@@ -82,12 +87,10 @@ Appv.admx file:
```
-
## ADMX policy examples
The following SyncML examples describe how to set an MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. The functionality that this Group Policy manages isn't important; it's used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. The payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
### Enabling a policy
**Payload**
@@ -233,7 +236,7 @@ This section describes sample SyncML for the various ADMX elements like Text, Mu
### How a Group Policy policy category path and name are mapped to an MDM area and policy name
-Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
+Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//`
@@ -306,7 +309,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit
### MultiText Element
-The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``)
+The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``)
```XML
Windows 11
+- ✅ Windows 10
---
# Using PowerShell scripting with the WMI Bridge Provider
This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
-
## Configuring per-device policy settings
This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system").
@@ -84,15 +86,15 @@ class MDM_Policy_User_Config01_Authentication02
};
```
-> **Note** If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt.
+> **Note** If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt.
-
+
If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets.
-> **Note** All commands must executed under local system.
+> **Note** All commands must executed under local system.
-
+
A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001.
@@ -220,5 +222,3 @@ catch [Exception]
## Related topics
[WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
-
-
\ No newline at end of file
diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md
index 830640d4c2..b07babe5e8 100644
--- a/windows/client-management/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md
@@ -9,16 +9,19 @@ author: vinaypamnani-msft
ms.date: 03/23/2020
ms.reviewer:
manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Win32 and Desktop Bridge app ADMX policy Ingestion
## In this section
-- [Overview](#overview)
-- [Ingesting an app ADMX file](#ingesting-an-app-admx-file)
-- [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy)
-- [ADMX app policy examples](#admx-backed-app-policy-examples)
+- [Overview](#overview)
+- [Ingesting an app ADMX file](#ingesting-an-app-admx-file)
+- [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy)
+- [ADMX app policy examples](#admx-backed-app-policy-examples)
- [Enabling an app policy](#enabling-an-app-policy)
- [Disabling an app policy](#disabling-an-app-policy)
- [Setting an app policy to not configured](#setting-an-app-policy-to-not-configured)
@@ -57,7 +60,7 @@ When the ADMX policies are ingested, the registry keys to which each policy is w
- software\Microsoft\Edge
- Software\Microsoft\EdgeUpdate\
-> [!Warning]
+> [!WARNING]
> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined.
> [!NOTE]
@@ -409,6 +412,7 @@ The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}.
{CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3.
Therefore, from the example:
+
- Class: User
- Policy name: L_PolicyPreventRun_1
- Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3
diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md
index 89b5f46cfd..bc71a7b58e 100644
--- a/windows/client-management/windows-libraries.md
+++ b/windows/client-management/windows-libraries.md
@@ -10,17 +10,20 @@ ms.topic: article
author: vinaypamnani-msft
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
ms.date: 09/15/2021
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Windows libraries
-> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
-
-Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
+Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
## Features for Users
Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users:
+
- Aggregate content from multiple storage locations into a single, unified presentation.
- Enable users to stack and group library contents based on metadata.
- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu.
@@ -30,6 +33,7 @@ Windows libraries are backed by full content search and rich metadata. Libraries
## Features for Administrators
Administrators can configure and control Windows libraries in the following methods:
+
- Create custom libraries by creating and deploying Library Description (*.library-ms) files.
- Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.)
- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User.
@@ -48,6 +52,7 @@ Including a folder in a library doesn't physically move or change the storage lo
### Default Libraries and Known Folders
The default libraries include:
+
- Documents
- Music
- Pictures
@@ -64,16 +69,17 @@ Users or administrators can hide or delete the default libraries, though the lib
Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location.
If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails.
-### Indexing Requirements and “Basic” Libraries
+### Indexing Requirements and "Basic" Libraries
Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality:
+
- No support for metadata browsing via **Arrange By** views.
- Grep-only searches.
- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**.
- No support for searching from the Start menu. Start menu searches don't return files from basic libraries.
- No previews of file snippets for search results returned in Content mode.
-To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally.
+To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder "Always available offline" creates a local copy of the folder's files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally.
For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations).
@@ -81,7 +87,7 @@ If your environment doesn't support caching files locally, you should enable the
### Folder Redirection
-While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
+While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the "My Documents" folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
### Supported storage locations
@@ -90,7 +96,7 @@ The following table shows which locations are supported in Windows libraries.
|Supported Locations|Unsupported Locations|
|---|---|
|Fixed local volumes (NTFS/FAT)|Removable drives|
-|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)
Network shares that are accessible through DFS Namespaces or are part of a failover cluster|
+|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)
Network shares that are accessible through DFS Namespaces or are part of a failover cluster|
|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed
Network Attached Storage (NAS) devices|
||Other data sources: SharePoint, Exchange, etc.|
@@ -104,6 +110,7 @@ The following table shows which locations are supported in Windows libraries.
### Library Attributes
The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms):
+
- Name
- Library locations
- Order of library locations
@@ -127,4 +134,4 @@ See the [Library Description Schema](/windows/win32/shell/library-schema-entry)
### Other resources
- [Folder Redirection, Offline Files, and Roaming User Profiles](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11))
-- [Library Description Schema](/windows/win32/shell/library-schema-entry)
\ No newline at end of file
+- [Library Description Schema](/windows/win32/shell/library-schema-entry)
diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md
index c773fbc2ea..7c99b0cc81 100644
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,9 +1,6 @@
---
title: Enterprise settings, policies, and app management
description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow.
-MS-HAID:
- - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management'
- - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -12,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# Enterprise settings, policies, and app management
@@ -26,7 +26,6 @@ The following diagram shows the work flow between server and client.
-
## Management workflow
This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure.
@@ -37,15 +36,7 @@ The DM client configuration, company policy enforcement, business application ma
Here's a summary of the DM tasks supported for enterprise management:
-- Company policy management: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage.
-- Enterprise application management: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service.
-- Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates.
-- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service.
-
-
-
-
-
-
-
-
+- Company policy management: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage.
+- Enterprise application management: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service.
+- Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates.
+- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service.
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index 0ca2a86f1e..e75721336d 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -1,10 +1,7 @@
---
title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
-keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build
ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 04/30/2018
@@ -12,13 +9,17 @@ ms.reviewer:
manager: aaroncz
ms.topic: troubleshooting
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# What version of Windows am I running?
-To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
+To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
## System Properties
+
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
@@ -26,17 +27,19 @@ You'll now see **Edition**, **Version**, and **OS Build** information. Something
## Using Keyword Search
+
You can type the following in the search bar and press **ENTER** to see version details for your device.
-**“winver”**
+**"winver"**
-**“msinfo”** or **"msinfo32"** to open **System Information**:
+**"msinfo"** or **"msinfo32"** to open **System Information**:
## Using Command Prompt or PowerShell
+
At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER**
@@ -47,6 +50,6 @@ At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER
## What does it all mean?
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that the LTSC model is primarily for specialized devices.
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn't contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It's important to remember that the LTSC model is primarily for specialized devices.
-In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
\ No newline at end of file
+In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md
index 3d701812c0..1441ff5fcd 100644
--- a/windows/client-management/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/wmi-providers-supported-in-windows.md
@@ -1,9 +1,6 @@
---
title: WMI providers supported in Windows 10
description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
-MS-HAID:
- - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview'
- - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -12,11 +9,14 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# WMI providers supported in Windows 10
-Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10.
+Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10.
> [!NOTE]
> Applications installed using WMI classes are not removed when the MDM account is removed from device.
@@ -53,7 +53,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
## MDM WMI classes
-|Class|Test completed in Windows 10 for desktop|
+|Class|Test completed in Windows 10 for desktop|
|--- |--- |
|[**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob)|Currently testing.|
|[**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application)|Currently testing.|
@@ -92,7 +92,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
### Parental control WMI classes
-| Class | Test completed in Windows 10 for desktop |
+| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
@@ -105,11 +105,9 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-
-
### Win32 WMI classes
-| Class | Test completed in Windows 10 for desktop |
+| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
@@ -180,10 +178,10 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** |
-
## Related topics
[Configuration service provider reference](mdm/index.yml)
## Related Links
+
[CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller)