deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Set appliesto

Browse Source
This commit is contained in:
Vinay Pamnani 2023-04-04 17:46:00 -04:00
parent b813bf46d4
commit a44ba87186
42 changed files with 920 additions and 987 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
windows/client-management/administrative-tools-in-windows-10.md
View File

@ -9,18 +9,16 @@ ms.localizationpriority: medium
ms.date: 03/28/2022 ms.date: 03/28/2022
ms.topic: article ms.topic: article
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Windows Tools/Administrative Tools # Windows Tools/Administrative Tools
**Applies to**
- Windows 11
- Windows 10
**Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users. **Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
## Windows Tools folder (Windows 11) ## Windows Tools folder (Windows 11)

3
windows/client-management/appv-deploy-and-config.md
View File

@ -9,6 +9,9 @@ author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Deploy and configure App-V apps using MDM # Deploy and configure App-V apps using MDM

23
windows/client-management/azure-active-directory-integration-with-mdm.md
View File

@ -9,9 +9,12 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.date: 12/31/2017 ms.date: 12/31/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Azure Active Directory integration with MDM # Azure Active Directory integration with MDM
@ -50,7 +53,7 @@ Once a user has an Azure AD account added to Windows and enrolled in MDM, the en
Azure AD MDM enrollment is a two-step process: Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM. 1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
2. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device. 1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**. To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
@ -143,8 +146,8 @@ The pages rendered by the MDM in the integrated enrollment process must use Wind
There are three distinct scenarios: There are three distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE. 1. MDM enrollment as part of Azure AD Join in Windows OOBE.
2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**. 1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD). 1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
These scenarios support Windows Pro, Enterprise, and Education. These scenarios support Windows Pro, Enterprise, and Education.
@ -183,7 +186,7 @@ The following parameters are passed in the query string:
Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format: Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw **Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw...
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint: The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
@ -333,7 +336,7 @@ Alert sample:
<Data>UserToken inserted here</Data> <Data>UserToken inserted here</Data>
</Item> </Item>
</Alert> </Alert>
… other XML tags … ... other XML tags ...
</SyncBody> </SyncBody>
``` ```
@ -362,7 +365,7 @@ Here's an example.
<Data>user</Data> <Data>user</Data>
</Item> </Item>
</Alert> </Alert>
… other XML tags … ... other XML tags ...
</SyncBody> </SyncBody>
``` ```
@ -386,7 +389,7 @@ The following sample REST API call illustrates how an MDM can use the Microsoft
Sample Graph API Request: Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
Authorization: Bearer eyJ0eXAiO……… Authorization: Bearer eyJ0eXAiO.........
Accept: application/json Accept: application/json
Content-Type: application/json Content-Type: application/json
{ "isManaged":true, { "isManaged":true,
@ -398,7 +401,7 @@ Where:
- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined. - **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD. - **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request. - **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status. - **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested. - **api-version** - Use this parameter to specify which version of the graph API is being requested.

7
windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
View File

@ -9,6 +9,9 @@ author: vinaypamnani-msft
ms.date: 12/18/2020 ms.date: 12/18/2020
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center # Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
@ -21,8 +24,8 @@ Microsoft Intune can be accessed directly using its own admin center. For more i
If you use the Azure portal, then you can access Intune using the following steps: If you use the Azure portal, then you can access Intune using the following steps:
1. Go to your Azure AD Blade. 1. Go to your Azure AD Blade.
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. 1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
3. Select **Microsoft Intune** and configure the blade. 1. Select **Microsoft Intune** and configure the blade.
![How to get to the Blade.](images/azure-mdm-intune.png) ![How to get to the Blade.](images/azure-mdm-intune.png)

68
windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
View File

@ -1,9 +1,6 @@
--- ---
title: Bulk enrollment title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11. description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -12,11 +9,14 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Bulk enrollment # Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases ## Typical use cases
@ -31,6 +31,7 @@ On the desktop, you can create an Active Directory account, such as "enrollment@
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> [!NOTE] > [!NOTE]
>
> - Bulk-join is not supported in Azure Active Directory Join. > - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment. > - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console. > - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
@ -53,16 +54,16 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool. 1. Open the WCD tool.
2. Select **Advanced Provisioning**. 1. Select **Advanced Provisioning**.
![icd start page.](images/bulk-enrollment7.png) ![icd start page.](images/bulk-enrollment7.png)
3. Enter a project name and select **Next**. 1. Enter a project name and select **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**. 1. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
5. Skip **Import a provisioning package (optional)** and select **Finish**. 1. Skip **Import a provisioning package (optional)** and select **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**. 1. Expand **Runtime settings** &gt; **Workplace**.
7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. 1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. 1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings: Here's the list of available settings:
- **AuthPolicy** - Select **OnPremise**. - **AuthPolicy** - Select **OnPremise**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
@ -73,32 +74,32 @@ Using the WCD, create a provisioning package using the enrollment information re
Here's the screenshot of the WCD at this point. Here's the screenshot of the WCD at this point.
![bulk enrollment screenshot.](images/bulk-enrollment.png) ![bulk enrollment screenshot.](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**). 1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you're done adding all the settings, on the **File** menu, select **Save**. 1. When you're done adding all the settings, on the **File** menu, select **Save**.
11. On the main menu, select **Export** &gt; **Provisioning package**. 1. On the main menu, select **Export** &gt; **Provisioning package**.
![icd menu for export.](images/bulk-enrollment2.png) ![icd menu for export.](images/bulk-enrollment2.png)
12. Enter the values for your package and specify the package output location. 1. Enter the values for your package and specify the package output location.
![enter package information.](images/bulk-enrollment3.png) ![enter package information.](images/bulk-enrollment3.png)
![enter additional information for package information.](images/bulk-enrollment4.png) ![enter additional information for package information.](images/bulk-enrollment4.png)
![specify file location.](images/bulk-enrollment6.png) ![specify file location.](images/bulk-enrollment6.png)
13. Select **Build**. 1. Select **Build**.
![icb build window.](images/bulk-enrollment5.png) ![icb build window.](images/bulk-enrollment5.png)
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
15. Apply the package to your devices. 1. Apply the package to your devices.
## Create and apply a provisioning package for certificate authentication ## Create and apply a provisioning package for certificate authentication
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool. 1. Open the WCD tool.
2. Select **Advanced Provisioning**. 1. Select **Advanced Provisioning**.
3. Enter a project name and select **Next**. 1. Enter a project name and select **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. 1. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and select **Finish**. 1. Skip **Import a provisioning package (optional)** and select **Finish**.
6. Specify the certificate. 1. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**. 1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
2. Enter a **CertificateName** and then select **Add**. 2. Enter a **CertificateName** and then select **Add**.
3. Enter the **CertificatePasword**. 3. Enter the **CertificatePasword**.
@ -107,7 +108,7 @@ Using the WCD, create a provisioning package using the enrollment information re
6. For **KeyLocation**, select **Software only**. 6. For **KeyLocation**, select **Software only**.
![icd certificates section.](images/bulk-enrollment8.png) ![icd certificates section.](images/bulk-enrollment8.png)
7. Specify the workplace settings. 1. Specify the workplace settings.
1. Got to **Workplace** &gt; **Enrollments**. 1. Got to **Workplace** &gt; **Enrollments**.
2. Enter the **UPN** for the enrollment and then select **Add**. 2. Enter the **UPN** for the enrollment and then select **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
@ -119,11 +120,11 @@ Using the WCD, create a provisioning package using the enrollment information re
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint. - **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**). 1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
9. When you're done adding all the settings, on the **File** menu, select **Save**. 1. When you're done adding all the settings, on the **File** menu, select **Save**.
10. Export and build the package (steps 10-13 in the procedure above). 1. Export and build the package (steps 10-13 in the procedure above).
11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
12. Apply the package to your devices. 1. Apply the package to your devices.
## Apply a provisioning package ## Apply a provisioning package
@ -136,13 +137,13 @@ Here's the list of articles about applying a provisioning package:
## Apply a package from the Settings menu ## Apply a package from the Settings menu
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**. 1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Select **Add or remove a provisioning package**. 1. Select **Add or remove a provisioning package**.
3. Select **Add a package**. 1. Select **Add a package**.
## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied ## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**. 1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Select **Add or remove a provisioning package**. 1. Select **Add or remove a provisioning package**.
You should see your package listed. You should see your package listed.
## Retry logic if there's a failure ## Retry logic if there's a failure
@ -161,4 +162,3 @@ Here are links to step-by-step provisioning articles:
- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps) - [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) - [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)

26
windows/client-management/certificate-authentication-device-enrollment.md
View File

@ -9,13 +9,16 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Certificate authentication device enrollment # Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
> [!Note] > [!NOTE]
> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
## In this topic ## In this topic
@ -24,7 +27,7 @@ This section provides an example of the mobile device enrollment protocol using
- [Enrollment policy web service](#enrollment-policy-web-service) - [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service) - [Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery Service ## Discovery Service
@ -135,7 +138,7 @@ Cache-Control: no-cache
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To> </a:To>
<wsse:Security s:mustUnderstand="1"> <wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType="X509v3” wsse:Id="mytoken wsse:EncodingType= <wsse:BinarySecurityToken wsse:ValueType="X509v3" wsse:Id="mytoken" wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken B64EncodedSampleBinarySecurityToken
@ -296,14 +299,13 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns= xmlns=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu:Id=”29801C2F-F26B-46AD-984B-AFAEFB545FF8”> wsu:Id="29801C2F-F26B-46AD-984B-AFAEFB545FF8">
B64EncodedSampleBinarySecurityToken B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> <!X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference --> </wsse:BinarySecurityToken> <!-X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" <ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility- xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility- 1.0.xsd">
1.0.xsd”>
<ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1/> <ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1/>
<ds:Reference URI="#envelop"> <ds:Reference URI="#envelop">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
@ -312,13 +314,13 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
</ds:Reference> </ds:Reference>
</ds:SignedInfo> </ds:SignedInfo>
<ds:SignatureValue>SignedMessageBlob/ds:SignatureValue> <ds:SignatureValue>SignedMessageBlob/ds:SignatureValue>
<!-- Digest value of message signed with the users private key using RSA-SHA256 --> <!-- Digest value of message signed with the user's private key using RSA-SHA256 -->
<ds:KeyInfo> <ds:KeyInfo>
<wsse:SecurityTokenReference> <wsse:SecurityTokenReference>
<wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8" <wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8"
ValueType="http://docs.oasis-open.org/wss/2004/01/ ValueType="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-x509-token-profile-1.0#X509"/> oasis-200401-wss-x509-token-profile-1.0#X509"/>
<!-— References BinarySecurityToken that contains public key to verify signature --> <!-- References BinarySecurityToken that contains public key to verify signature -->
</wsse:SecurityTokenReference> </wsse:SecurityTokenReference>
</ds:KeyInfo> </ds:KeyInfo>
</ds:Signature> </ds:Signature>
@ -443,7 +445,7 @@ The following example shows the encoded provisioning XML.
</characteristic> </characteristic>
<characteristic type="WSTEP"> <characteristic type="WSTEP">
<characteristic type="Renew"> <characteristic type="Renew">
<!If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. --> <!-If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/> <parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/> <parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/> <parm name="RetryInterval" value="4" datatype="integer"/>
@ -487,7 +489,7 @@ The following example shows the encoded provisioning XML.
<parm name="NumberOfSecondRetries" value="5" datatype="integer" /> <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" /> <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" /> <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.--> <!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedule's retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" /> <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" /> <parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic> </characteristic>

30
windows/client-management/certificate-renewal-windows-mdm.md
View File

@ -1,9 +1,6 @@
--- ---
title: Certificate Renewal title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates. description: Learn how to find all the resources that you need to provide continuous access to client certificates.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -12,29 +9,32 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Certificate Renewal # Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> [!Note] > [!NOTE]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. > Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
## Automatic certificate renewal request ## Automatic certificate renewal request
Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal. Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal.
> [!Note] > [!NOTE]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. > Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate. Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSPs](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
With automatic renewal, the PKCS\#7 message content isnt b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content. With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used. During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
@ -94,28 +94,28 @@ The following example shows the details of an automatic renewal request.
## Certificate renewal schedule configuration ## Certificate renewal schedule configuration
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired. In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider. For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week. Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
> [!Note] > [!NOTE]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. > For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
## Certificate renewal response ## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
- The signature of the PKCS\#7 BinarySecurityToken is correct - The signature of the PKCS\#7 BinarySecurityToken is correct
- The clients certificate is in the renewal period - The client's certificate is in the renewal period
- The certificate was issued by the enrollment service - The certificate was issued by the enrollment service
- The requester is the same as the requester for initial enrollment - The requester is the same as the requester for initial enrollment
- For standard clients request, the client hasnt been blocked - For standard client's request, the client hasn't been blocked
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> [!Note] > [!NOTE]
> The HTTP server response must not be chunked; it must be sent as one message. > The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of a certificate renewal response. The following example shows the details of a certificate renewal response.
@ -145,7 +145,7 @@ The following example shows the details of a certificate renewal response.
</wap-provisioningdoc> </wap-provisioningdoc>
``` ```
> [!Note] > [!NOTE]
> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. > The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
## Configuration service providers supported during MDM enrollment and certificate renewal ## Configuration service providers supported during MDM enrollment and certificate renewal

22
windows/client-management/change-default-removal-policy-external-storage-media.md
View File

@ -7,13 +7,15 @@ ms.author: vinpa
ms.date: 11/25/2020 ms.date: 11/25/2020
ms.topic: article ms.topic: article
ms.custom: ms.custom:
- CI 111493 - CI 111493
- CI 125140 - CI 125140
- CSSTroubleshooting - CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium ms.localizationpriority: medium
manager: kaushika manager: kaushika
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Change in default removal policy for external storage media in Windows 10, version 1809 # Change in default removal policy for external storage media in Windows 10, version 1809
@ -39,20 +41,20 @@ You can use the storage device policy setting to change the manner in which Wind
To change the policy for an external storage device: To change the policy for an external storage device:
1. Connect the device to the computer. 1. Connect the device to the computer.
2. Right-click **Start**, then select **File Explorer**. 1. Right-click **Start**, then select **File Explorer**.
3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**). 1. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
4. Right-click **Start**, then select **Disk Management**. 1. Right-click **Start**, then select **Disk Management**.
5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**. 1. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png) ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png)
6. Select **Policies**. 1. Select **Policies**.
> [!NOTE] > [!NOTE]
> Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box.
> >
> If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available. > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available.
7. Select the policy that you want to use. 1. Select the policy that you want to use.
![Policy options for disk management.](./images/change-def-rem-policy-2.png) ![Policy options for disk management.](./images/change-def-rem-policy-2.png)

6
windows/client-management/config-lock.md
View File

@ -8,14 +8,12 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 05/24/2022 ms.date: 05/24/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
--- ---
# Secured-core PC configuration lock # Secured-core PC configuration lock
**Applies to**
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC. Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.

8
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -9,11 +9,11 @@ ms.date: 01/18/2022
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.technology: itpro-manage ms.technology: itpro-manage
--- ---

313
windows/client-management/device-update-management.md
View File

@ -10,8 +10,11 @@ ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 11/15/2017 ms.date: 11/15/2017
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Mobile device management (MDM) for device updates # Mobile device management (MDM) for device updates
@ -19,24 +22,24 @@ ms.collection:
>[!TIP] >[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
In particular, Windows 10 provides APIs to enable MDMs to: In particular, Windows 10 provides APIs to enable MDMs to:
- Ensure machines stay up to date by configuring Automatic Update policies. - Ensure machines stay up to date by configuring Automatic Update policies.
- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout. - Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine. - Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10. This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to: In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
- Configure automatic update policies to ensure devices stay up to date. - Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed). - Get device compliance information (the list of updates that are needed but not yet installed).
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested. - Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs. - Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the updates title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](mdm/update-csp.md) and the update policy area of the [Policy CSP](mdm/policy-configuration-service-provider.md). For more information about the CSPs, see [Update CSP](mdm/update-csp.md) and the update policy area of the [Policy CSP](mdm/policy-configuration-service-provider.md).
@ -61,7 +64,7 @@ This section describes this setup. The following diagram shows the server-server
MSDN provides much information about the Server-Server sync protocol. In particular: MSDN provides much information about the Server-Server sync protocol. In particular:
- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. - It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`. - You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
Some important highlights: Some important highlights:
@ -70,28 +73,27 @@ Some important highlights:
- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). - For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> [!NOTE] > [!NOTE]
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). > On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn't affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions ## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below: The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below:
- **UpdateID** The unique identifier for an update - **UpdateID** - The unique identifier for an update
- **RevisionNumber** Revision number for the update in case the update was modified. - **RevisionNumber** - Revision number for the update in case the update was modified.
- **CreationDate** the date on which this update was created. - **CreationDate** - the date on which this update was created.
- **UpdateType** The type of update, which could include the following: - **UpdateType** - The type of update, which could include the following:
- **Detectoid** if this update identity represents a compatibility logic - **Detectoid** - if this update identity represents a compatibility logic
- **Category** This element could represent either of the following: - **Category** - This element could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office, and so on. - A Product category the update belongs to. For example, Windows, MS office, and so on.
- The classification the update belongs to. For example, drivers, security, and so on. - The classification the update belongs to. For example, drivers, security, and so on.
- **Software** If the update is a software update. - **Software** - If the update is a software update.
- **Driver** if the update is a driver update. - **Driver** - if the update is a driver update.
- **LocalizedProperties** represents the language the update is available in, title and description of the update. It has the following fields: - **LocalizedProperties** - represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** The language code identifier (LCID). For example, en or es. - **Language** - The language code identifier (LCID). For example, en or es.
- **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)” - **Title** - Title of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)"
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed. - **Description** - Description of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed."
- **KBArticleID** The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`. - **KBArticleID** - The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol ## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol
@ -103,13 +105,12 @@ First some background:
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about. - A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device. - The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
The following procedure describes a basic algorithm for a metadata sync service: The following procedure describes a basic algorithm for a metadata sync service:
- Initialization uses the following steps: - Initialization uses the following steps:
a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. a. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
- Sync periodically (we recommend once every 2 hours - no more than once/hour). - Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and:
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
@ -129,14 +130,14 @@ An MDM can manage updates via OMA DM. The details of how to use and integrate an
The following list describes a suggested model for applying updates. The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group". 1. Have a "Test Group" and an "All Group".
2. In the Test group, just let all updates flow. 1. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues. 1. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
Updates are configured using a combination of the [Update CSP](mdm/update-csp.md), and the update portion of the [Policy CSP](mdm/policy-configuration-service-provider.md). Updates are configured using a combination of the [Update CSP](mdm/update-csp.md), and the update portion of the [Policy CSP](mdm/policy-configuration-service-provider.md).
### Update policies ### Update policies
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP. The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following information shows the Update policies in a tree format. The following information shows the Update policies in a tree format.
@ -181,13 +182,12 @@ Policy
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd** <a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time. Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
> [!NOTE] > [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
@ -195,9 +195,9 @@ The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange** <a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
Supported values are 8-18. Supported values are 8-18.
@ -205,13 +205,12 @@ The default value is 18 (hours).
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart** <a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE] > [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
@ -219,8 +218,7 @@ The default value is 8 (8 AM).
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate** <a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
@ -228,35 +226,32 @@ Supported operations are Get and Replace.
The following list shows the supported values: The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. - 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. - 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. - 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates. - 5 - Turn off automatic updates.
> [!IMPORTANT] > [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. > This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
If the policy isn't configured, end users get the default behavior (Auto install and restart). If the policy isn't configured, end users get the default behavior (Auto install and restart).
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService** <a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
The following list shows the supported values: The following list shows the supported values:
- 0 Not allowed or not configured. - 0 - Not allowed or not configured.
- 1 Allowed. Accepts updates received through Microsoft Update. - 1 - Allowed. Accepts updates received through Microsoft Update.
<a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate** <a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
@ -264,15 +259,14 @@ Supported operations are Get and Replace.
The following list shows the supported values: The following list shows the supported values:
- 0 Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. - 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer. - 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer.
This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService** <a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
@ -282,19 +276,17 @@ Enabling this policy will disable that functionality, and may cause connection t
The following list shows the supported values: The following list shows the supported values:
- 0 Update service isn't allowed. - 0 - Update service isn't allowed.
- 1 (default) Update service is allowed. - 1 (default) - Update service is allowed.
> [!NOTE] > [!NOTE]
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. > This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule** <a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
Supported values are 15, 30, 60, 120, and 240 (minutes). Supported values are 15, 30, 60, 120, and 240 (minutes).
@ -302,51 +294,47 @@ The default value is 15 (minutes).
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal** <a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
The following list shows the supported values: The following list shows the supported values:
- 1 (default) Auto Dismissal. - 1 (default) - Auto Dismissal.
- 2 User Dismissal. - 2 - User Dismissal.
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel** <a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
The following list shows the supported values: The following list shows the supported values:
- 16 (default) User gets all applicable upgrades from Current Branch (CB). - 16 (default) - User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB). - 32 - User gets upgrades from Current Branch for Business (CBB).
<a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays** <a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
Supported values are 0-180. Supported values are 0-180.
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays** <a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
Supported values are 0-30. Supported values are 0-30.
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod** <a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> >
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to four weeks. Allows IT Admins to specify update delays for up to four weeks.
@ -383,10 +371,9 @@ If the **Allow Telemetry** policy is enabled and the Options value is set to 0,
<a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod** <a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
> >
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to enter more upgrade delays for up to eight months. Allows IT Admins to enter more upgrade delays for up to eight months.
@ -398,10 +385,9 @@ If the **Allow Telemetry** policy is enabled and the Options value is set to 0,
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline** <a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
Supported values are 2-30 days. Supported values are 2-30 days.
@ -409,10 +395,9 @@ The default value is 0 days (not specified).
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule** <a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
Supported values are 1-3 days. Supported values are 1-3 days.
@ -420,10 +405,9 @@ The default value is three days.
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule** <a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Supported values are 2-30 days. Supported values are 2-30 days.
@ -431,70 +415,67 @@ The default value is seven days.
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate** <a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) Allow Windows Update drivers. - 0 (default) - Allow Windows Update drivers.
- 1 Exclude Windows Update drivers. - 1 - Exclude Windows Update drivers.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit** <a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING] > [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators. > Setting this policy might cause devices to incur costs from MO operators.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) Don't ignore MO download limit for apps and their updates. - 0 (default) - Don't ignore MO download limit for apps and their updates.
- 1 Ignore MO download limit (allow unlimited downloading) for apps and their updates. - 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates.
To validate this policy: To validate this policy:
1. Enable the policy ensure the device is on a cellular network. 1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: 1. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused. 1. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit** <a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING] > [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators. > Setting this policy might cause devices to incur costs from MO operators.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) Don't ignore MO download limit for OS updates. - 0 (default) - Don't ignore MO download limit for OS updates.
- 1 Ignore MO download limit (allow unlimited downloading) for OS updates. - 1 - Ignore MO download limit (allow unlimited downloading) for OS updates.
To validate this policy: To validate this policy:
1. Enable the policy and ensure the device is on a cellular network. 1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: 1. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused. 1. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals** <a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> >
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) Deferrals aren't paused. - 0 (default) - Deferrals aren't paused.
- 1 Deferrals are paused. - 1 - Deferrals are paused.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
@ -502,51 +483,48 @@ If the **Allow Telemetry** policy is enabled and the Options value is set to 0,
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates** <a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) Feature Updates aren't paused. - 0 (default) - Feature Updates aren't paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - 1 - Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates** <a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) Quality Updates aren't paused. - 0 (default) - Quality Updates aren't paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade** <a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> >
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to CBB train. Allows the IT admin to set a device to CBB train.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) User gets upgrades from Current Branch. - 0 (default) - User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business. - 1 - User gets upgrades from Current Branch for Business.
<a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval** <a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<br> <br>
> [!NOTE] > [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved. Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved.
@ -554,15 +532,14 @@ Supported operations are Get and Replace.
The following list shows the supported values: The following list shows the supported values:
- 0 Not configured. The device installs all applicable updates. - 0 - Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment. - 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning** <a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
Supported values are 15, 30, or 60 (minutes). Supported values are 15, 30, or 60 (minutes).
@ -570,8 +547,7 @@ The default value is 15 (minutes).
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay** <a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the day of the update installation. Enables the IT admin to schedule the day of the update installation.
@ -581,19 +557,18 @@ Supported operations are Add, Delete, Get, and Replace.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) Every day - 0 (default) - Every day
- 1 Sunday - 1 - Sunday
- 2 Monday - 2 - Monday
- 3 Tuesday - 3 - Tuesday
- 4 Wednesday - 4 - Wednesday
- 5 Thursday - 5 - Thursday
- 6 Friday - 6 - Friday
- 7 Saturday - 7 - Saturday
<a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime** <a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the time of the update installation. Enables the IT admin to schedule the time of the update installation.
@ -607,10 +582,9 @@ The default value is 3.
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning** <a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
Supported values are 2, 4, 8, 12, or 24 (hours). Supported values are 2, 4, 8, 12, or 24 (hours).
@ -618,21 +592,20 @@ The default value is 4 (hours).
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable** <a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
The following list shows the supported values: The following list shows the supported values:
- 0 (default) Enabled - 0 (default) - Enabled
- 1 Disabled - 1 - Disabled
<a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl** <a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> [!Important] > [!IMPORTANT]
> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise. > Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet. Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet.
@ -665,7 +638,7 @@ Example
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate** <a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
> [!NOTE] > [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
@ -675,7 +648,7 @@ To use this setting, you must set two server name values: the server from which
Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet. Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note] > [!NOTE]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. > If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates. > If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. > This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
@ -731,9 +704,7 @@ The MDM must first present the EULA to IT and have them accept it before the upd
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> [!NOTE] > [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added. > For the Windows 10 build, the client may need to reboot after additional updates are added.
Supported operations are Get and Add. Supported operations are Get and Add.
@ -834,10 +805,9 @@ Upgrades deferred until the next period.
Supported operation is Get. Supported operation is Get.
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management ## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices. Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd - Update/ActiveHoursEnd
- Update/ActiveHoursStart - Update/ActiveHoursStart
@ -854,15 +824,15 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
|GPO key|Type|Value| |GPO key|Type|Value|
|--- |--- |--- | |--- |--- |--- |
|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train<br><br>32: systems take Feature Updates on the Current Branch for Business<br><br>Other value or absent: receive all applicable updates (CB)| |BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train<br><br>32: systems take Feature Updates on the Current Branch for Business<br><br>Other value or absent: receive all applicable updates (CB)|
|DeferQualityUpdates|REG_DWORD|1: defer quality updates<br><br>Other value or absent: dont defer quality updates| |DeferQualityUpdates|REG_DWORD|1: defer quality updates<br><br>Other value or absent: don't defer quality updates|
|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates| |DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates|
|PauseQualityUpdates|REG_DWORD|1: pause quality updates<br><br>Other value or absent: dont pause quality updates| |PauseQualityUpdates|REG_DWORD|1: pause quality updates<br><br>Other value or absent: don't pause quality updates|
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: dont defer feature updates| |DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: don't defer feature updates|
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates| |DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: dont pause feature updates| |PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: don't pause feature updates|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers<br><br>Other value or absent: offer Windows Update drivers| |ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers<br><br>Other value or absent: offer Windows Update drivers|
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade - Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod - Update/DeferUpgradePeriod
@ -877,7 +847,6 @@ The following screenshots of the administrator console show the list of update t
![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png) ![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png)
## <a href="" id="syncmlexample"></a>SyncML example ## <a href="" id="syncmlexample"></a>SyncML example
Set auto update to notify and defer. Set auto update to notify and defer.

41
windows/client-management/diagnose-mdm-failures-in-windows-10.md
View File

@ -10,8 +10,11 @@ ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/25/2018 ms.date: 06/25/2018
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Diagnose MDM failures in Windows 10 # Diagnose MDM failures in Windows 10
@ -70,22 +73,22 @@ In this location, the **Admin** channel logs events by default. However, if you
### Collect admin logs ### Collect admin logs
1. Right click on the **Admin** node. 1. Right click on the **Admin** node.
2. Select **Save all events as**. 1. Select **Save all events as**.
3. Choose a location and enter a filename. 1. Choose a location and enter a filename.
4. Click **Save**. 1. Click **Save**.
5. Choose **Display information for these languages** and then select **English**. 1. Choose **Display information for these languages** and then select **English**.
6. Click **Ok**. 1. Click **Ok**.
For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**. For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**.
### Collect debug logs ### Collect debug logs
1. Right click on the **Debug** node. 1. Right click on the **Debug** node.
2. Select **Save all events as**. 1. Select **Save all events as**.
3. Choose a location and enter a filename. 1. Choose a location and enter a filename.
4. Click **Save**. 1. Click **Save**.
5. Choose **Display information for these languages** and then select **English**. 1. Choose **Display information for these languages** and then select **English**.
6. Click **Ok**. 1. Click **Ok**.
You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update. You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update.
@ -240,32 +243,32 @@ After the logs are collected on the device, you can retrieve the files through t
For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected. For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected.
1. Open eventvwr.msc. 1. Open eventvwr.msc.
2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. 1. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
![event viewer screenshot.](images/diagnose-mdm-failures9.png) ![event viewer screenshot.](images/diagnose-mdm-failures9.png)
3. Navigate to the etl file that you got from the device and then open the file. 1. Navigate to the etl file that you got from the device and then open the file.
4. Click **Yes** when prompted to save it to the new log format. 1. Click **Yes** when prompted to save it to the new log format.
![event viewer prompt.](images/diagnose-mdm-failures10.png) ![event viewer prompt.](images/diagnose-mdm-failures10.png)
![diagnose mdm failures.](images/diagnose-mdm-failures11.png) ![diagnose mdm failures.](images/diagnose-mdm-failures11.png)
5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. 1. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
![event viewer actions.](images/diagnose-mdm-failures12.png) ![event viewer actions.](images/diagnose-mdm-failures12.png)
6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. 1. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
![event filter for Device Management.](images/diagnose-mdm-failures13.png) ![event filter for Device Management.](images/diagnose-mdm-failures13.png)
7. Now you're ready to start reviewing the logs. 1. Now you're ready to start reviewing the logs.
![event viewer review logs.](images/diagnose-mdm-failures14.png) ![event viewer review logs.](images/diagnose-mdm-failures14.png)
## Collect device state data ## Collect device state data
Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files. Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
```xml ```xml
<?xml version="1.0"?> <?xml version="1.0"?>

30
windows/client-management/disconnecting-from-mdm-unenrollment.md
View File

@ -1,9 +1,6 @@
--- ---
title: Disconnecting from the management infrastructure (unenrollment) title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
MS-HAID:
- 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_'
- 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -12,12 +9,15 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Disconnecting from the management infrastructure (unenrollment) # Disconnecting from the management infrastructure (unenrollment)
The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after theyve left the company or because the device is regularly failing to comply with the organizations security settings policy. The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy.
During disconnection, the client executes the following tasks: During disconnection, the client executes the following tasks:
@ -27,16 +27,14 @@ During disconnection, the client executes the following tasks:
- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure. - Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort. - Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
## In this topic ## In this topic
- [User-initiated disconnection](#user-initiated-disconnection) - [User-initiated disconnection](#user-initiated-disconnection)
- [Server-initiated disconnection](#server-initiated-disconnection) - [Server-initiated disconnection](#server-initiated-disconnection)
- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page) - [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page)
- [IT adminrequested disconnection](#it-admin-requested-disconnection) - [IT admin-requested disconnection](#it-admin-requested-disconnection)
- [Unenrollment from Azure Active Directory Join](#dataloss) - [Unenrollment from Azure Active Directory Join](#dataloss)
## User-initiated disconnection ## User-initiated disconnection
In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device.
@ -44,9 +42,9 @@ In Windows, after the user confirms the account deletion command and before the
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> [!NOTE] > [!NOTE]
> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). > The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
 
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server. After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
@ -100,7 +98,6 @@ The following sample shows an OMA DM first package that contains a generic alert
After the previous package is sent, the unenrollment process begins. After the previous package is sent, the unenrollment process begins.
## Server-initiated disconnection ## Server-initiated disconnection
When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1. When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1.
@ -119,7 +116,6 @@ When the server initiates disconnection, all undergoing sessions for the enrollm
</Alert> </Alert>
``` ```
<a href="" id="work-access"></a> <a href="" id="work-access"></a>
## Unenrollment from Work Access settings page ## Unenrollment from Work Access settings page
@ -130,7 +126,6 @@ You can only use the Work Access page to unenroll under the following conditions
- Enrollment was done using bulk enrollment. - Enrollment was done using bulk enrollment.
- Enrollment was created using the Work Access page. - Enrollment was created using the Work Access page.
<a href="" id="dataloss"></a> <a href="" id="dataloss"></a>
## Unenrollment from Azure Active Directory Join ## Unenrollment from Azure Active Directory Join
@ -145,15 +140,8 @@ Before remotely unenrolling corporate devices, you must ensure that there is at
In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device. In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device.
<a href="" id="it-admin-requested-disconnection"></a> <a href="" id="it-admin-requested-disconnection"></a>
## IT adminrequested disconnection ## IT admin-requested disconnection
The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service providers Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management. When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management.
 

13
windows/client-management/enable-admx-backed-policies-in-mdm.md
View File

@ -10,16 +10,19 @@ ms.localizationpriority: medium
ms.date: 11/01/2017 ms.date: 11/01/2017
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Enable ADMX policies in MDM # Enable ADMX policies in MDM
Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy: Summary of steps to enable a policy:
- Find the policy from the list ADMX policies. - Find the policy from the list ADMX policies.
- Find the Group Policy related information from the MDM policy description. - Find the Group Policy related information from the MDM policy description.
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
@ -41,7 +44,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
- GP ADMX file name - GP ADMX file name
- GP path - GP path
2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc 1. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
1. Click **Start**, then in the text box type **gpedit**. 1. Click **Start**, then in the text box type **gpedit**.
@ -61,7 +64,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
![Enable App-V client.](images/admx-appv-enableapp-vclient.png) ![Enable App-V client.](images/admx-appv-enableapp-vclient.png)
3. Create the SyncML to enable the policy that doesn't require any parameter. 1. Create the SyncML to enable the policy that doesn't require any parameter.
In this example, you configure **Enable App-V Client** to **Enabled**. In this example, you configure **Enable App-V Client** to **Enabled**.
@ -89,10 +92,8 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
</SyncML> </SyncML>
``` ```
## Enable a policy that requires parameters ## Enable a policy that requires parameters
1. Create the SyncML to enable the policy that requires parameters. 1. Create the SyncML to enable the policy that requires parameters.
In this example, the policy is in **Administrative Templates > System > App-V > Publishing**. In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
@ -113,7 +114,6 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
4. Search for GP name **Publishing_Server2_policy**. 4. Search for GP name **Publishing_Server2_policy**.
5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. 5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
Here's the snippet from appv.admx: Here's the snippet from appv.admx:
@ -263,7 +263,6 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
</SyncML> </SyncML>
``` ```
## Disable a policy ## Disable a policy
The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualization/PublishingAllowServer2. The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualization/PublishingAllowServer2.

79
windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -10,22 +10,21 @@ ms.date: 04/30/2022
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Enroll a Windows 10 device automatically using Group Policy # Enroll a Windows 10 device automatically using Group Policy
**Applies to:**
- Windows 11
- Windows 10
Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
Requirements: Requirements:
- Active Directory-joined PC running Windows 10, version 1709 or later - Active Directory-joined PC running Windows 10, version 1709 or later
- The enterprise has configured a mobile device management (MDM) service - The enterprise has configured a mobile device management (MDM) service
- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad) - The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
@ -34,11 +33,12 @@ Requirements:
> [!TIP] > [!TIP]
> For more information, see the following topics: > For more information, see the following topics:
>
> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) > - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) > - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) > - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md)
The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure ADregistered. The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered.
> [!NOTE] > [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
@ -58,7 +58,7 @@ The following steps demonstrate required settings using the Intune service:
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 1. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
@ -67,9 +67,9 @@ The following steps demonstrate required settings using the Intune service:
> >
> For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later. 1. Verify that the device OS version is Windows 10, version 1709 or later.
4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. 1. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
@ -83,21 +83,21 @@ The following steps demonstrate required settings using the Intune service:
![Azure AD device list.](images/azure-ad-device-list.png) ![Azure AD device list.](images/azure-ad-device-list.png)
5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc 1. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png)
6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. 1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: :::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. 1. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully. You may contact your domain administrators to verify if the group policy has been deployed successfully.
8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal). 1. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal).
9. Verify that Microsoft Intune should allow enrollment of Windows devices. 1. Verify that Microsoft Intune should allow enrollment of Windows devices.
:::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png"::: :::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png":::
@ -106,6 +106,7 @@ You may contact your domain administrators to verify if the group policy has bee
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements: Requirements:
- AD-joined PC running Windows 10, version 1709 or later - AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured - Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD - Enterprise AD must be registered with Azure AD
@ -114,17 +115,17 @@ Requirements:
![GPEdit desktop app search result.](images/autoenrollment-gpedit.png) ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png)
2. Under **Best match**, select **Edit group policy** to launch it. 1. Under **Best match**, select **Edit group policy** to launch it.
3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. 1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
:::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png"::: :::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png":::
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**. 1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**.
:::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. 1. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
> [!NOTE] > [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**. > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**.
@ -138,28 +139,27 @@ Requirements:
![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png)
> [!Tip] > [!TIP]
> You can avoid this behavior by using Conditional Access Policies in Azure AD. > You can avoid this behavior by using Conditional Access Policies in Azure AD.
Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account. 1. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.
7. Select **Info** to see the MDM enrollment information. 1. Select **Info** to see the MDM enrollment information.
![Work School Settings.](images/autoenrollment-settings-work-school.png) ![Work School Settings.](images/autoenrollment-settings-work-school.png)
If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app). If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app).
### Task Scheduler app ### Task Scheduler app
1. Select **Start**, then in the text box type `task scheduler`. 1. Select **Start**, then in the text box type `task scheduler`.
![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png) ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png)
2. Under **Best match**, select **Task Scheduler** to launch it. 1. Under **Best match**, select **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. 1. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: :::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
@ -173,6 +173,7 @@ Requirements:
## Configure the auto-enrollment for a group of devices ## Configure the auto-enrollment for a group of devices
Requirements: Requirements:
- AD-joined PC running Windows 10, version 1709 or later - AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured (with Intune or a third-party service provider) - Enterprise has MDM service already configured (with Intune or a third-party service provider)
- Enterprise AD must be integrated with Azure AD. - Enterprise AD must be integrated with Azure AD.
@ -203,9 +204,9 @@ Requirements:
- 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
2. Install the package on the Domain Controller. 1. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder: 1. Navigate, depending on the version to the folder:
- 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**
@ -227,23 +228,23 @@ Requirements:
- 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)**
4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. 1. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. 1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. 1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
This procedure will work for any future version as well. This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs. 1. Create a Security Group for the PCs.
3. Link the GPO. 1. Link the GPO.
4. Filter using Security Groups. 1. Filter using Security Groups.
## Troubleshoot auto-enrollment of devices ## Troubleshoot auto-enrollment of devices
@ -253,12 +254,12 @@ To collect Event Viewer logs:
1. Open Event Viewer. 1. Open Event Viewer.
2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**. 1. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**.
> [!Tip] > [!TIP]
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: 1. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:
:::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: :::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
@ -276,7 +277,7 @@ To collect Event Viewer logs:
:::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: :::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
> [!Note] > [!NOTE]
> This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs:
@ -313,8 +314,8 @@ To collect Event Viewer logs:
- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684) - [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353) - [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
### Useful Links ### Useful Links
- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124) - [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)

53
windows/client-management/enterprise-app-management.md
View File

@ -1,6 +1,6 @@
--- ---
title: Enterprise app management title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -9,15 +9,18 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 10/04/2021 ms.date: 10/04/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Enterprise app management # Enterprise app management
This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps. This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
## Application management goals ## Application management goals
Windows 10 offers the ability for management servers to: Windows 10 offers the ability for management servers to:
- Install apps directly from the Microsoft Store for Business - Install apps directly from the Microsoft Store for Business
- Deploy offline Store apps and licenses - Deploy offline Store apps and licenses
@ -25,12 +28,12 @@ Windows 10 offers the ability for management servers to:
- Inventory all apps for a user (Store and non-Store apps) - Inventory all apps for a user (Store and non-Store apps)
- Inventory all apps for a device (Store and non-Store apps) - Inventory all apps for a device (Store and non-Store apps)
- Uninstall all apps for a user (Store and non-Store apps) - Uninstall all apps for a user (Store and non-Store apps)
- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) - Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Remove the provisioned app on the device running Windows 10 for desktop editions - Remove the provisioned app on the device running Windows 10 for desktop editions
## Inventory your apps ## Inventory your apps
Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications: Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business - Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
- nonStore - Apps that weren't acquired from the Microsoft Store. - nonStore - Apps that weren't acquired from the Microsoft Store.
@ -285,11 +288,11 @@ Here are some examples.
### Unlock the device for developer mode ### Unlock the device for developer mode
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP. Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device. AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](mdm/policy-configuration-service-provider.md). For more information about the AllowDeveloperUnlock policy, see [Policy CSP](mdm/policy-configuration-service-provider.md).
@ -358,11 +361,11 @@ Here are some examples.
Here are the changes from the previous release: Here are the changes from the previous release:
1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool. 1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
2. The value for flags can be "0" or "1" 1. The value for flags can be "0" or "1"
When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. 1. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user ### Deploy an offline license to a user
@ -461,8 +464,8 @@ Here's an example of an app installation with dependencies.
<Data> <Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" DeploymentOptions="0" > <Application PackageUri="\\server\share\HelloWorld10.appx" DeploymentOptions="0" >
<Dependencies> <Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” /> <Dependency PackageUri="\\server\share\HelloWorldFramework.appx" />
<Dependency PackageUri=”\\server2\share\HelloMarsFramework.appx” /> <Dependency PackageUri="\\server2\share\HelloMarsFramework.appx" />
</Dependencies> </Dependencies>
</Application> </Application>
</Data> </Data>
@ -495,13 +498,13 @@ Here's an example of an app installation with dependencies and optional packages
<Data> <Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" DeploymentOptions="0" > <Application PackageUri="\\server\share\HelloWorld10.appx" DeploymentOptions="0" >
<Dependencies> <Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” /> <Dependency PackageUri="\\server\share\HelloWorldFramework.appx" />
<Dependency PackageUri=”\\server2\share\HelloMarsFramework.appx” /> <Dependency PackageUri="\\server2\share\HelloMarsFramework.appx" />
</Dependencies> </Dependencies>
<OptionalPackages> <OptionalPackages>
<Package PackageUri=”\\server\share\OptionalPackage1.appx” <Package PackageUri="\\server\share\OptionalPackage1.appx"
PackageFamilyName="/{PackageFamilyName}" /> PackageFamilyName="/{PackageFamilyName}" />
<Package PackageUri=”\\server2\share\OptionalPackage2.appx” <Package PackageUri="\\server2\share\OptionalPackage2.appx"
PackageFamilyName="/{PackageFamilyName}" /> PackageFamilyName="/{PackageFamilyName}" />
</OptionalPackages> </OptionalPackages>
</Application> </Application>
@ -531,7 +534,7 @@ To provision app for all users of a device from a hosted location, the managemen
Here's an example of app installation. Here's an example of app installation.
> [!NOTE] > [!NOTE]
> This is only supported in Windows 10 for desktop editions. > This is only supported in Windows 10 for desktop editions.
```xml ```xml
<!-- Add PackageFamilyName --> <!-- Add PackageFamilyName -->
@ -568,7 +571,7 @@ The DeploymentOptions parameter is only available in the user context.
Here's an example of app installation with dependencies. Here's an example of app installation with dependencies.
> [!NOTE] > [!NOTE]
> This is only supported in Windows 10 for desktop editions. > This is only supported in Windows 10 for desktop editions.
```xml ```xml
<!-- Add PackageFamilyName --> <!-- Add PackageFamilyName -->
@ -593,7 +596,7 @@ Here's an example of app installation with dependencies.
<Data> <Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" /> <Application PackageUri="\\server\share\HelloWorld10.appx" />
<Dependencies> <Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” /> <Dependency PackageUri="\\server\share\HelloWorldFramework.appx" />
<Dependency PackageUri="\\server2\share\HelloMarsFramework.appx"/> <Dependency PackageUri="\\server2\share\HelloMarsFramework.appx"/>
</Dependencies> </Dependencies>
</Application> </Application>
@ -677,10 +680,9 @@ The Data field value of 0 (zero) indicates success. Otherwise it's an error code
> [!NOTE] > [!NOTE]
> At this time, the alert for Store app installation isn't yet available. > At this time, the alert for Store app installation isn't yet available.
## Uninstall your apps ## Uninstall your apps
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. - AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
- nonStore - These apps that weren't acquired from the Microsoft Store. - nonStore - These apps that weren't acquired from the Microsoft Store.
@ -723,13 +725,12 @@ You can remove provisioned apps from a device for a specific version, or for all
> [!NOTE] > [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1. > You can only remove an app that has an inventory value IsProvisioned = 1.
Removing provisioned app occurs in the device context. Removing provisioned app occurs in the device context.
Here's an example for removing a provisioned app from a device. Here's an example for removing a provisioned app from a device.
```xml ```xml
<! Remove Provisioned App for a Package Family--> <!- Remove Provisioned App for a Package Family-->
<Delete> <Delete>
<CmdID>1</CmdID> <CmdID>1</CmdID>
<Item> <Item>
@ -821,7 +822,7 @@ To update an app from Microsoft Store, the device requires contact with the stor
Here's an example of an update scan. Here's an example of an update scan.
```xml ```xml
<! Initiate a update scan for a user--> <!- Initiate a update scan for a user-->
<Exec> <Exec>
<CmdID>1</CmdID> <CmdID>1</CmdID>
<Item> <Item>
@ -835,7 +836,7 @@ Here's an example of an update scan.
Here's an example of a status check. Here's an example of a status check.
```xml ```xml
<! Get last error related to the update scan--> <!- Get last error related to the update scan-->
<Get> <Get>
<CmdID>1</CmdID> <CmdID>1</CmdID>
<Item> <Item>
@ -863,7 +864,7 @@ Turning off updates only applies to updates from the Microsoft Store at the devi
Here's an example. Here's an example.
```xml ```xml
<! Prevent app from being automatically updated--> <!- Prevent app from being automatically updated-->
<Replace> <Replace>
<CmdID>1</CmdID> <CmdID>1</CmdID>
<Item> <Item>

4
windows/client-management/esim-enterprise-management.md
View File

@ -8,11 +8,15 @@ ms.author: vinpa
ms.topic: conceptual ms.topic: conceptual
ms.technology: itpro-manage ms.technology: itpro-manage
ms.date: 12/31/2017 ms.date: 12/31/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# How Mobile Device Management Providers support eSIM Management on Windows # How Mobile Device Management Providers support eSIM Management on Windows
The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
- Onboard to Azure Active Directory - Onboard to Azure Active Directory
- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: - Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include:
- [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html)

28
windows/client-management/federated-authentication-device-enrollment.md
View File

@ -9,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 07/28/2017 ms.date: 07/28/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Federated authentication device enrollment # Federated authentication device enrollment
@ -34,7 +37,7 @@ The discovery web service provides the configuration information necessary for a
> [!NOTE] > [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. > The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain "enterpriseenrollment" to the domain of the email address, and by appending the path "/EnrollmentServer/Discovery.svc". For example, if the email address is "sample@contoso.com", the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request. The first request is a standard HTTP GET request.
@ -75,7 +78,7 @@ After the device gets a response from the server, the device sends a POST reques
The following logic is applied: The following logic is applied:
1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. 1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails.
2. If that fails, the device tries HTTP to see whether it's redirected: 1. If that fails, the device tries HTTP to see whether it's redirected:
- If the device isn't redirected, it prompts the user for the server address. - If the device isn't redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect. - If the device is redirected, it prompts the user to allow the redirect.
@ -123,31 +126,32 @@ The following example shows the discovery service request.
The discovery response is in the XML format and includes the following fields: The discovery response is in the XML format and includes the following fields:
- Enrollment service URL (EnrollmentServiceUrl) Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. - Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
- Authentication policy (AuthPolicy) Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. - Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. - In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> [!Note] > [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
> [!Note] > [!NOTE]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
>
> - Parse the OS version from the data sent up during the discovery request. > - Parse the OS version from the data sent up during the discovery request.
> - Append the OS version as a parameter in the AuthenticationServiceURL. > - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. > - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
> [!Note] > [!NOTE]
> The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented. > The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
The following are the explicit requirements for the server. The following are the explicit requirements for the server.
- The `<DiscoveryResponse>``<AuthenticationServiceUrl>` element must support HTTPS. - The `<DiscoveryResponse>``<AuthenticationServiceUrl>` element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. - The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesnt support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. - WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
The enrollment client issues an HTTPS request as follows: The enrollment client issues an HTTPS request as follows:
@ -386,7 +390,7 @@ The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.
The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
> [!Note] > [!NOTE]
> The policy service and the enrollment service must be on the same server; that is, they must have the same host name. > The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for federated authentication. The following example shows the enrollment web service request for federated authentication.
@ -474,7 +478,7 @@ The following example shows the enrollment web service request for federated aut
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR). After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
> [!Note] > [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate. Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate.
@ -558,7 +562,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
</characteristic> </characteristic>
<characteristic type="WSTEP"> <characteristic type="WSTEP">
<characteristic type="Renew"> <characteristic type="Renew">
<!If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. --> <!-If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/> <parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/> <parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/> <parm name="RetryInterval" value="4" datatype="integer"/>
@ -602,7 +606,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
<parm name="NumberOfSecondRetries" value="5" datatype="integer" /> <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" /> <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" /> <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.--> <!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedule's retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" /> <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" /> <parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic> </characteristic>

12
windows/client-management/group-policies-for-enterprise-and-education-editions.md
View File

@ -10,15 +10,13 @@ manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: troubleshooting ms.topic: troubleshooting
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions # Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
**Applies to**
- Windows 10
- Windows 11
In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education. In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.
| Policy name | Policy path | Comments | | Policy name | Policy path | Comments |
@ -34,7 +32,3 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) | | **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | | **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |

5
windows/client-management/implement-server-side-mobile-application-management.md
View File

@ -10,11 +10,10 @@ ms.date: 08/03/2022
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Support for mobile application management on Windows # Support for mobile application management on Windows
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703. The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.

21
windows/client-management/manage-corporate-devices.md
View File

@ -1,40 +1,34 @@
--- ---
title: Manage corporate devices title: Manage corporate devices
description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
keywords: [MDM, device management]
ms.prod: windows-client ms.prod: windows-client
author: vinaypamnani-msft author: vinaypamnani-msft
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 09/14/2021 ms.date: 09/14/2021
ms.topic: article ms.topic: article
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Manage corporate devices # Manage corporate devices
You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11.
**Applies to**
- Windows 10
- Windows 11
You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11.
## In this section ## In this section
| Topic | Description | | Topic | Description |
| --- | --- | | --- | --- |
| [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment | | [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment |
| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | | [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
| [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | | [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
| [New policies for Windows 10 (and Windows 11)](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | | [New policies for Windows 10 (and Windows 11)](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
| [Group Policies that apply only to Windows Enterprise and Windows Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | | [Group Policies that apply only to Windows Enterprise and Windows Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations | | [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations |
## Learn more ## Learn more
@ -47,4 +41,3 @@ You can use the same management tools to manage all device types running Windows
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) [Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/) Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/)

253
windows/client-management/manage-device-installation-with-group-policy.md
View File

@ -9,16 +9,14 @@ manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
--- ---
# Manage Device Installation with Group Policy # Manage Device Installation with Group Policy
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2022
## Summary ## Summary
By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
@ -26,6 +24,7 @@ By using Windows operating systems, administrators can determine what devices ca
## Introduction ## Introduction
### General ### General
This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it. - Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
@ -72,7 +71,7 @@ Group Policy guides:
### Scenario #1: Prevent installation of all printers ### Scenario #1: Prevent installation of all printers
In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the prevent/allow functionality of Device Installation policies in Group Policy. In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy.
### Scenario #2: Prevent installation of a specific printer ### Scenario #2: Prevent installation of a specific printer
@ -84,11 +83,11 @@ In this scenario, you'll combine what you learned from both scenario #1 and scen
### Scenario #4: Prevent installation of a specific USB device ### Scenario #4: Prevent installation of a specific USB device
This scenario, although similar to scenario #2, brings another layer of complexity how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. This scenario, although similar to scenario #2, brings another layer of complexity - how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive ### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the prevent functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
## Technology Review ## Technology Review
@ -107,7 +106,7 @@ The four types of identifiers are:
- Device Instance ID - Device Instance ID
- Device ID - Device ID
- Device setup classes - Device setup classes
- Removable Devices device type - 'Removable Devices' device type
#### Device Instance ID #### Device Instance ID
@ -146,12 +145,12 @@ For more information, see [Device Setup Classes](/windows-hardware/drivers/insta
This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
The following two links provide the complete list of Device Setup Classes. System Use classes are mostly referred to devices that come with a computer/machine from the factory, while Vendor classes are mostly referred to devices that could be connected to an existing computer/machine: The following two links provide the complete list of Device Setup Classes. 'System Use' classes are mostly referred to devices that come with a computer/machine from the factory, while 'Vendor' classes are mostly referred to devices that could be connected to an existing computer/machine:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
#### Removable Device Device type #### 'Removable Device' Device type
Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
@ -164,7 +163,7 @@ Device Installation section in Group Policy is a set of policies that control wh
The following passages are brief descriptions of the Device Installation policies that are used in this guide. The following passages are brief descriptions of the Device Installation policies that are used in this guide.
> [!NOTE] > [!NOTE]
> Device Installation control is applied only to machines (computer configuration) and not users (user configuration) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. > Device Installation control is applied only to machines ('computer configuration') and not users ('user configuration') by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
#### Allow administrators to override Device Installation Restriction policies #### Allow administrators to override Device Installation Restriction policies
@ -219,22 +218,22 @@ To complete each of the scenarios, ensure you have:
- A client computer running Windows. - A client computer running Windows.
- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. - A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB/network printer pre-installed on the machine. - A USB/network printer pre-installed on the machine.
- Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps. - Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.
### Understanding implications of applying Prevent policies retroactive ### Understanding implications of applying 'Prevent' policies retroactive
All Prevent policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. All 'Prevent' policies can apply the block functionality to already installed devices-devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones. For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones.
This option is a powerful tool, but as such it has to be used carefully. This option is a powerful tool, but as such it has to be used carefully.
> [!IMPORTANT] > [!IMPORTANT]
> Applying the Prevent retroactive option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all Disk Drives could block the access to the disk on which the OS boots with; Preventing retroactive all Net could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. > Applying the 'Prevent retroactive' option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all 'Disk Drives' could block the access to the disk on which the OS boots with; Preventing retroactive all 'Net' could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
## Determine device identification strings ## Determine device identification strings
@ -249,19 +248,19 @@ To find device identification strings using Device Manager
1. Make sure your printer is plugged in and installed. 1. Make sure your printer is plugged in and installed.
2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. 1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. 1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
4. Find the “Printers” section and find the target printer 1. Find the "Printers" section and find the target printer
![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_ ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
5. Double-click the printer and move to the Details tab. 1. Double-click the printer and move to the 'Details' tab.
![Details tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the Details tab to look for the device identifiers_ !['Details' tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the 'Details' tab to look for the device identifiers_
6. From the Value window, copy the most detailed Hardware ID we'll use this value in the policies. 1. From the 'Value' window, copy the most detailed Hardware ID - we'll use this value in the policies.
![HWID.](images/device-installation-dm-printer-hardware-ids.png) ![HWID.](images/device-installation-dm-printer-hardware-ids.png)
@ -311,24 +310,24 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section. 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies, except Apply layered order of evaluationalthough the policy is disabled in default, this policy is recommended to be enabled in most practical applications. 1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'-although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
3. If there are any enabled policies, changing their status to disabled, would clear them from all parameters 1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters
4. Have a USB/network printer available to test the policy with 1. Have a USB/network printer available to test the policy with
### Scenario steps preventing installation of prohibited devices ### Scenario steps - preventing installation of prohibited devices
Getting the right device identifier to prevent it from being installed: Getting the right device identifier to prevent it from being installed:
1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID). 1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID).
2. If you dont have such device installed on your system or know the name of the class, you can check the following two links: 1. If you don't have such device installed on your system or know the name of the class, you can check the following two links:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: 1. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
> Printers\ > Printers\
> Class = Printer\ > Class = Printer\
@ -340,40 +339,40 @@ Getting the right device identifier to prevent it from being installed:
Creating the policy to prevent all printers from being installed: Creating the policy to prevent all printers from being installed:
1. Open Group Policy Object Editoreither click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. 1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled (recommended to keep applied layered order of evaluation policy enabled). 1. Make sure all policies are disabled (recommended to keep 'applied layered order of evaluation' policy enabled).
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button. 1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block. 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it wont work): {4d36e979-e325-11ce-bfc1-08002be10318} 1. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_ ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
7. Click OK. 1. Click 'OK'.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future printer installations, but doesnt apply to existing installs. 1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
9. Optional if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed 1. Optional - if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'
> [!IMPORTANT] > [!IMPORTANT]
> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using Disk Drive class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. > Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
### Testing the scenario ### Testing the scenario
1. If you haven't completed step #9 follow these steps: 1. If you haven't completed step #9 - follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
1. For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app. 1. For USB printer - unplug and plug back the cable; for network device - make a search for the printer in the Windows Settings app.
1. You shouldn't be able to reinstall the printer. 1. You shouldn't be able to reinstall the printer.
2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. 1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
## Scenario #2: Prevent installation of a specific printer ## Scenario #2: Prevent installation of a specific printer
@ -385,39 +384,39 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section. 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Ensure all previous Device Installation policies are disabled except Apply layered order of evaluation (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. 1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
### Scenario steps preventing installation of a specific device ### Scenario steps - preventing installation of a specific device
Getting the right device identifier to prevent it from being installed: Getting the right device identifier to prevent it from being installed:
1. Get your printers Hardware ID in this example we'll use the identifier we found previously 1. Get your printer's Hardware ID - in this example we'll use the identifier we found previously
![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_ ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
2. Write down the device ID (in this case Hardware ID) WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers 1. Write down the device ID (in this case Hardware ID) - WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
Creating the policy to prevent a single printer from being installed: Creating the policy to prevent a single printer from being installed:
1. Open Group Policy Object Editor either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. 1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Open **Prevent installation of devices that match any of these device IDs** policy and select the Enable radio button. 1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
4. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to block. 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block.
5. Enter the printer device ID you found above WSDPRINT\CanonMX920_seriesC1A0 1. Enter the printer device ID you found above - WSDPRINT\CanonMX920_seriesC1A0
![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_ ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
6. Click OK. 1. Click 'OK'.
7. Click Apply on the bottom right of the policys window. This option pushes the policy and blocks the target printer in future installations, but doesnt apply to an existing install. 1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install.
8. Optional if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed. 1. Optional - if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'.
### Testing the scenario ### Testing the scenario
@ -425,12 +424,11 @@ If you completed step #8 above and restarted the machine, look for your printer
If you haven't completed step #8, follow these steps: If you haven't completed step #8, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
2. For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app. 1. For USB printer - unplug and plug back the cable; for network device - make a search for the printer in the Windows Settings app.
3. You shouldn't be able to reinstall the printer.
1. You shouldn't be able to reinstall the printer.
## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed ## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
@ -442,67 +440,66 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section. 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies, and enable Apply layered order of evaluation. 1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'.
3. If there are any enabled policies, changing their status to disabled, would clear them from all parameters. 1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
4. Have a USB/network printer available to test the policy with. 1. Have a USB/network printer available to test the policy with.
### Scenario steps preventing installation of an entire class while allowing a specific printer ### Scenario steps - preventing installation of an entire class while allowing a specific printer
Getting the device identifier for both the Printer Class and a specific printer following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: Getting the device identifier for both the Printer Class and a specific printer - following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
- ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318} - ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
- Hardware ID = WSDPRINT\CanonMX920_seriesC1A0 - Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
First create a Prevent Class policy and then create Allow Device one: First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Open Group Policy Object Editor either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. 1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled 1. Make sure all policies are disabled
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button. 1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block. 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it wont work): {4d36e979-e325-11ce-bfc1-08002be10318} 1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_ ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
7. Click OK. 1. Click 'OK'.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future printer installations, but doesnt apply to existing installs. 1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
9. To complete the coverage of all future and existing printers Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed and click OK 1. To complete the coverage of all future and existing printers - Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'
10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it this policy will enable you to override the wide coverage of the Prevent policy with a specific device. 1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it - this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png) ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_ ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the Enable radio button. 1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
10. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to allow. 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. 1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_ ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
12. Click OK. 1. Click 'OK'.
13. Click Apply on the bottom right of the policys window this option pushes the policy and allows the target printer to be installed (or stayed installed). 1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and allows the target printer to be installed (or stayed installed).
## Testing the scenario ## Testing the scenario
1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document. 1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer you shouldn't be bale to print anything or able to access the printer at all. 1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer - you shouldn't be bale to print anything or able to access the printer at all.
## Scenario #4: Prevent installation of a specific USB device ## Scenario #4: Prevent installation of a specific USB device
@ -514,67 +511,65 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section 1. Open Group Policy Editor and navigate to the Device Installation Restriction section
2. Ensure all previous Device Installation policies are disabled except Apply layered order of evaluation (this prerequisite is optional to be On/Off this scenario) although the policy is disabled in default, it's recommended to be enabled in most practical applications. 1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario) - although the policy is disabled in default, it's recommended to be enabled in most practical applications.
### Scenario steps preventing installation of a specific device ### Scenario steps - preventing installation of a specific device
Getting the right device identifier to prevent it from being installed and its location in the PnP tree: Getting the right device identifier to prevent it from being installed and its location in the PnP tree:
1. Connect a USB thumb drive to the machine 1. Connect a USB thumb drive to the machine
2. Open Device Manager 1. Open Device Manager
3. Find the USB thumb-drive and select it. 1. Find the USB thumb-drive and select it.
![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_ ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
4. Change View (in the top menu) to Devices by connections. This view represents the way devices are installed in the PnP tree. 1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree.
![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_ ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
> [!NOTE] > [!NOTE]
> When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked. > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked.
![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_ ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
5. Double-click the USB thumb-drive and move to the Details tab. 1. Double-click the USB thumb-drive and move to the 'Details' tab.
6. From the Value window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_ ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
Creating the policy to prevent a single USB thumb-drive from being installed: Creating the policy to prevent a single USB thumb-drive from being installed:
1. Open Group Policy Object Editor either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. 1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Open **Prevent installation of devices that match any of these device IDs** policy and select the Enable radio button. 1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
4. In the lower left side, in the Options window, click the Show box. This option will take you to a table where you can enter the device identifier to block. 1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
5. Enter the USB thumb-drive device ID you found above USBSTOR\DiskGeneric_Flash_Disk______8.07 1. Enter the USB thumb-drive device ID you found above - USBSTOR\DiskGeneric_Flash_Disk______8.07
![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_ ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
6. Click OK. 1. Click 'OK'.
7. Click Apply on the bottom right of the policys window this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesnt apply to an existing install. 1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install.
8. Optional if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the Options window, mark the checkbox that says also apply to matching devices that are already installed
1. Optional - if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'
### Testing the scenario ### Testing the scenario
1. If you haven't completed step #8 follow these steps: 1. If you haven't completed step #8 - follow these steps:
- Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”. - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device".
- You shouldn't be able to reinstall the device. - You shouldn't be able to reinstall the device.
2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use. 1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive ## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
@ -586,15 +581,15 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section. 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies, and **enable** Apply layered order of evaluation. 1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'.
3. If there are any enabled policies, changing their status to disabled, would clear them from all parameters. 1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
4. Have a USB thumb-drive available to test the policy with. 1. Have a USB thumb-drive available to test the policy with.
### Scenario steps preventing installation of all USB devices while allowing only an authorized USB thumb-drive ### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive
Getting the device identifier for both the USB Classes and a specific USB thumb-drive following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario: Getting the device identifier for both the USB Classes and a specific USB thumb-drive - following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
- USB Bus Devices (hubs and host controllers) - USB Bus Devices (hubs and host controllers)
- Class = USB - Class = USB
@ -610,16 +605,16 @@ Getting the device identifier for both the USB Classes and a specific USB thumb-
As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
- “Intel(R) USB 3.0 eXtensible Host Controller 1.0 (Microsoft)” -> PCI\CC_0C03 - "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03
- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 - "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30
- “Generic USB Hub” -> USB\USB20_HUB - "Generic USB Hub" -> USB\USB20_HUB
![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_ ![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine. These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
> [!IMPORTANT] > [!IMPORTANT]
> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an Allow list in such cases. See below for the list: > Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list:
> >
> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
@ -629,49 +624,49 @@ These devices are internal devices on the machine that define the USB port conne
> >
> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
First create a Prevent Class policy and then create Allow Device one: First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Open Group Policy Object Editor either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. 1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
2. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled 1. Make sure all policies are disabled
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button. 1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block. 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
6. Enter both USB classes GUID you found above with the curly braces: 1. Enter both USB classes GUID you found above with the curly braces:
> {36fc9e60-c465-11cf-8056-444553540000}/ > {36fc9e60-c465-11cf-8056-444553540000}/
> {88BAE032-5A81-49f0-BC3D-A4FF138216D6} > {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
7. Click OK. 1. Click 'OK'.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future USB device installations, but doesnt apply to existing installs. 1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs.
> [!IMPORTANT] > [!IMPORTANT]
> The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice. > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it this policy will enable you to override the wide coverage of the Prevent policy with a specific device. 1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it - this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_ ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the Enable radio button. 1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
11. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to allow. 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation USBSTOR\DiskGeneric_Flash_Disk______8.07 1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation - USBSTOR\DiskGeneric_Flash_Disk______8.07
![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_ ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
13. Click OK. 1. Click 'OK'.
14. Click Apply on the bottom right of the policys window. 1. Click 'Apply' on the bottom right of the policy's window.
15. To apply the Prevent coverage of all currently installed USB devices Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed and click OK. 1. To apply the 'Prevent' coverage of all currently installed USB devices - Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'.
### Testing the scenario ### Testing the scenario

12
windows/client-management/manage-settings-app-with-group-policy.md
View File

@ -9,20 +9,18 @@ manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
--- ---
# Manage the Settings app with Group Policy # Manage the Settings app with Group Policy
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.
>[!Note] >[!NOTE]
>Each server that you want to manage access to the Settings App must be patched. >Each server that you want to manage access to the Settings App must be patched.
If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).

4
windows/client-management/manage-windows-10-in-your-organization-modern-management.md
View File

@ -11,8 +11,8 @@ manager: aaroncz
ms.topic: overview ms.topic: overview
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Manage Windows devices in your organization - transitioning to modern management # Manage Windows devices in your organization - transitioning to modern management

15
windows/client-management/mandatory-user-profile.md
View File

@ -9,18 +9,16 @@ ms.reviewer:
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Create mandatory user profiles # Create mandatory user profiles
**Applies to**
- Windows 10
- Windows 11
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
@ -60,7 +58,7 @@ First, you create a default user profile with the customizations that you want,
> [!NOTE] > [!NOTE]
> Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on users profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. 1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10). 1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10).
@ -88,7 +86,6 @@ First, you create a default user profile with the customizations that you want,
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
![Example of User Profiles UI.](images/copy-to.png) ![Example of User Profiles UI.](images/copy-to.png)
1. In **Copy To**, under **Permitted to use**, click **Change**. 1. In **Copy To**, under **Permitted to use**, click **Change**.

128
windows/client-management/mdm-enrollment-of-windows-devices.md
View File

@ -1,9 +1,6 @@
--- ---
title: MDM enrollment of Windows 10-based devices title: MDM enrollment of Windows 10-based devices
description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organizations resources. description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organizations resources.
MS-HAID:
- 'p\_phdevicemgmt.enrollment\_ui'
- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -12,27 +9,30 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.date: 12/31/2017 ms.date: 12/31/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# MDM enrollment of Windows 10-based devices # MDM enrollment of Windows 10-based devices
In todays cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organizations resources, such as apps, the corporate network, and email. In today's cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email.
> [!NOTE] > [!NOTE]
> When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device. > When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device.
## Connect corporate-owned Windows 10-based devices ## Connect corporate-owned Windows 10-based devices
You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) ![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png)
### Connect your device to an Active Directory domain (join a domain) ### Connect your device to an Active Directory domain (join a domain)
Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app. Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app.
> [!NOTE] > [!NOTE]
> Mobile devices can't be connected to an Active Directory domain. > Mobile devices can't be connected to an Active Directory domain.
@ -45,11 +45,11 @@ Joining your device to an Active Directory domain during the out-of-box-experien
![oobe creation of a local account](images/unifiedenrollment-rs1-2.png) ![oobe creation of a local account](images/unifiedenrollment-rs1-2.png)
2. Next, select **Join a domain**. 1. Next, select **Join a domain**.
![select domain or azure-ad](images/unifiedenrollment-rs1-3.png) ![select domain or azure-ad](images/unifiedenrollment-rs1-3.png)
3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue. 1. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
![create pc account.](images/unifiedenrollment-rs1-4.png) ![create pc account.](images/unifiedenrollment-rs1-4.png)
@ -61,23 +61,23 @@ To create a local account and connect the device:
![windows settings screen](images/unifiedenrollment-rs1-5.png) ![windows settings screen](images/unifiedenrollment-rs1-5.png)
2. Next, select **Accounts**. 1. Next, select **Accounts**.
![windows settings accounts chosen](images/unifiedenrollment-rs1-6.png) ![windows settings accounts chosen](images/unifiedenrollment-rs1-6.png)
3. Navigate to **Access work or school**. 1. Navigate to **Access work or school**.
![choose access work or school](images/unifiedenrollment-rs1-7.png) ![choose access work or school](images/unifiedenrollment-rs1-7.png)
4. Select **Connect**. 1. Select **Connect**.
![connect to work or to school](images/unifiedenrollment-rs1-8.png) ![connect to work or to school](images/unifiedenrollment-rs1-8.png)
5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**. 1. Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
![join account to active directory domain.](images/unifiedenrollment-rs1-9.png) ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png)
6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials. 1. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
![type in domain name.](images/unifiedenrollment-rs1-10.png) ![type in domain name.](images/unifiedenrollment-rs1-10.png)
@ -89,10 +89,8 @@ There are a few instances where your device can't be connected to an Active Dire
|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. | | Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. |
| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | | Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. |
| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. Youll need to switch to an administrator account to continue. | | You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You'll need to switch to an administrator account to continue. |
| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
### Connect your device to an Azure AD domain (join Azure AD) ### Connect your device to an Azure AD domain (join Azure AD)
@ -106,15 +104,15 @@ To join a domain:
![oobe - local account creation](images/unifiedenrollment-rs1-11.png) ![oobe - local account creation](images/unifiedenrollment-rs1-11.png)
2. Select **Join Azure AD**, and then select **Next.** 1. Select **Join Azure AD**, and then select **Next.**
![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png) ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png)
3. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. 1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services.
If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organizations Azure AD domain. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization's Azure AD domain.
![azure ad signin.](images/unifiedenrollment-rs1-13.png) ![azure ad signin.](images/unifiedenrollment-rs1-13.png)
@ -126,33 +124,33 @@ To create a local account and connect the device:
![screen displaying windows settings](images/unifiedenrollment-rs1-14.png) ![screen displaying windows settings](images/unifiedenrollment-rs1-14.png)
2. Next, navigate to **Accounts**. 1. Next, navigate to **Accounts**.
![choose windows settings accounts](images/unifiedenrollment-rs1-15.png) ![choose windows settings accounts](images/unifiedenrollment-rs1-15.png)
3. Navigate to **Access work or school**. 1. Navigate to **Access work or school**.
![choose option of access work or school](images/unifiedenrollment-rs1-16.png) ![choose option of access work or school](images/unifiedenrollment-rs1-16.png)
4. Select **Connect**. 1. Select **Connect**.
![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png)
5. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. 1. Under **Alternate Actions**, select **Join this device to Azure Active Directory**.
![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png)
6. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. 1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
![azure ad sign in.](images/unifiedenrollment-rs1-19.png) ![azure ad sign in.](images/unifiedenrollment-rs1-19.png)
7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. 1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM.
After you reach the end of the flow, your device should be connected to your organizations Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username.
![corporate sign in screen](images/unifiedenrollment-rs1-20.png) ![corporate sign in screen](images/unifiedenrollment-rs1-20.png)
@ -165,20 +163,17 @@ There are a few instances where your device can't be connected to an Azure AD do
| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | | Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. |
| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | | Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. |
| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | | Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. |
| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. Youll need to switch to an administrator account to continue. | | You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You'll need to switch to an administrator account to continue. |
| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. |
| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
## Connect personally owned devices ## Connect personally owned devices
Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school.
Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school.
### Connect to a work or school account ### Connect to a work or school account
All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps.
### Use the Settings app ### Use the Settings app
@ -188,19 +183,19 @@ To create a local account and connect the device:
![screen of windows settings](images/unifiedenrollment-rs1-21-b.png) ![screen of windows settings](images/unifiedenrollment-rs1-21-b.png)
2. Navigate to **Access work or school**. 1. Navigate to **Access work or school**.
![user's option of access work or school](images/unifiedenrollment-rs1-23-b.png) ![user's option of access work or school](images/unifiedenrollment-rs1-23-b.png)
3. Select **Connect**. 1. Select **Connect**.
![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png)
4. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. 1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png)
5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. 1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
@ -210,13 +205,13 @@ To create a local account and connect the device:
![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png)
6. After you complete the flow, your Microsoft account will be connected to your work or school account. 1. After you complete the flow, your Microsoft account will be connected to your work or school account.
![account successfully added.](images/unifiedenrollment-rs1-27.png) ![account successfully added.](images/unifiedenrollment-rs1-27.png)
### Connect to MDM on a desktop (enrolling in device management) ### Connect to MDM on a desktop (enrolling in device management)
All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app. All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app.
### Use the Settings app ### Use the Settings app
@ -226,29 +221,29 @@ To create a local account and connect the device:
![screen that displays windows settings](images/unifiedenrollment-rs1-28.png) ![screen that displays windows settings](images/unifiedenrollment-rs1-28.png)
2. Next, navigate to **Accounts**. 1. Next, navigate to **Accounts**.
![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png)
3. Navigate to **Access work or school**. 1. Navigate to **Access work or school**.
![access work or school.](images/unifiedenrollment-rs1-30.png) ![access work or school.](images/unifiedenrollment-rs1-30.png)
4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). 1. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
![connect to work or school screen](images/unifiedenrollment-rs1-31.png) ![connect to work or school screen](images/unifiedenrollment-rs1-31.png)
5. Type in your work email address. 1. Type in your work email address.
![set up work or school account screen](images/unifiedenrollment-rs1-32.png) ![set up work or school account screen](images/unifiedenrollment-rs1-32.png)
6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for more authentication information. 1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen.
![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png)
After you complete the flow, your device will be connected to your organizations MDM. After you complete the flow, your device will be connected to your organization's MDM.
### Help with connecting personally owned devices ### Help with connecting personally owned devices
@ -256,25 +251,23 @@ There are a few instances where your device may not be able to connect to work.
| Error Message | Description | | Error Message | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Your device is already connected to your organizations cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | | Your device is already connected to your organization's cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. |
| We couldn't find your identity in your organizations cloud. | The username you entered wasn't found on your Azure AD tenant. | | We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. |
| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. | | Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. |
| You dont have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | | You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
| We couldnt auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | | We couldn't auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
## Connect your Windows 10-based device to work using a deep link ## Connect your Windows 10-based device to work using a deep link
Windows 10-based devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience.
Windows 10-based devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience. In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory.
In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory.
The deep link used for connecting your device to work will always use the following format. The deep link used for connecting your device to work will always use the following format.
**ms-device-enrollment:?mode={mode\_name}** **ms-device-enrollment:?mode={mode\_name}**
| Parameter | Description | Supported Value for Windows 10| | Parameter | Description | Supported Value for Windows 10|
|-----------|--------------------------------------------------------------|----------------------------------------------| |-----------|--------------------------------------------------------------|----------------------------------------------|
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | | mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. |
|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
@ -297,9 +290,9 @@ The deep link used for connecting your device to work will always use the follow
To connect your devices to MDM using deep links: To connect your devices to MDM using deep links:
1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: 1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
(This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
- IT admins can add this link to a welcome email that users can select to enroll into MDM. - IT admins can add this link to a welcome email that users can select to enroll into MDM.
@ -310,13 +303,13 @@ To connect your devices to MDM using deep links:
- IT admins can also add this link to an internal web page that users refer to enrollment instructions. - IT admins can also add this link to an internal web page that users refer to enrollment instructions.
2. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511). 1. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
Type in your work email address. Type in your work email address.
![set up a work or school account screen](images/deeplinkenrollment3.png) ![set up a work or school account screen](images/deeplinkenrollment3.png)
3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. 1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
After you complete the flow, your device will be connected to your organization's MDM. After you complete the flow, your device will be connected to your organization's MDM.
@ -324,7 +317,6 @@ To connect your devices to MDM using deep links:
## Manage connections ## Manage connections
To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection. To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
![managing work or school account.](images/unifiedenrollment-rs1-34-b.png) ![managing work or school account.](images/unifiedenrollment-rs1-34-b.png)
@ -337,7 +329,7 @@ The **Info** button can be found on work or school connections involving MDM. Th
- Connecting your device to a work or school account that has auto-enroll into MDM configured. - Connecting your device to a work or school account that has auto-enroll into MDM configured.
- Connecting your device to MDM. - Connecting your device to MDM.
Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. Youll be able to view your organizations support information (if configured) on this page. Youll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You'll be able to view your organization's support information (if configured) on this page. You'll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed.
Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot.
@ -358,16 +350,8 @@ The **Disconnect** button can be found on all work connections. Generally, selec
## Collecting diagnostic logs ## Collecting diagnostic logs
You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files. You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files.
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here. Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here.
![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png)

8
windows/client-management/mdm-overview.md
View File

@ -10,11 +10,11 @@ author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
manager: aaroncz manager: aaroncz
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
--- ---
# Mobile Device Management overview # Mobile Device Management overview

33
windows/client-management/new-in-windows-mdm-enrollment-management.md
View File

@ -1,9 +1,6 @@
--- ---
title: What's new in MDM enrollment and management title: What's new in MDM enrollment and management
description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
MS-HAID:
- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -13,6 +10,9 @@ ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 09/16/2022 ms.date: 09/16/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# What's new in mobile device enrollment and management # What's new in mobile device enrollment and management
@ -145,7 +145,7 @@ A production ready deployment must have the appropriate certificate details as p
EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile. - For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>. For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
@ -281,28 +281,28 @@ Alternatively you can use the following procedure to create an EAP Configuration
1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md). 1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md).
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.). 1. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
:::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png":::
> [!NOTE] > [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure. > For PEAP or TTLS, select the appropriate method and continue following this procedure.
3. Click the **Properties** button underneath the drop-down menu. 1. Click the **Properties** button underneath the drop-down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. 1. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
:::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png"::: :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
5. In the **Configure Certificate Selection** menu, adjust the filters as needed. 1. In the **Configure Certificate Selection** menu, adjust the filters as needed.
:::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png"::: :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. 1. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
7. Close the rasphone dialog box. 1. Close the rasphone dialog box.
8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering. 1. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE] > [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). > You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
@ -332,17 +332,16 @@ No. Only one MDM is allowed.
### How do I set the maximum number of Azure Active Directory-joined devices per user? ### How do I set the maximum number of Azure Active Directory-joined devices per user?
1. Sign in to the portal as tenant admin: https://portal.azure.com. 1. Sign in to the portal as tenant admin: https://portal.azure.com.
2. Select Active Directory on the left pane. 1. Select Active Directory on the left pane.
3. Choose your tenant. 1. Choose your tenant.
4. Select **Configure**. 1. Select **Configure**.
5. Set quota to unlimited. 1. Set quota to unlimited.
:::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png"::: :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png":::
### What is dmwappushsvc? ### What is dmwappushsvc?
Entry | Description Entry | Description
--------------- | -------------------- --------------- | -------------------- What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|

16
windows/client-management/new-policies-for-windows-10.md
View File

@ -10,16 +10,13 @@ ms.localizationpriority: medium
ms.date: 09/15/2021 ms.date: 09/15/2021
ms.topic: reference ms.topic: reference
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# New policies for Windows 10 # New policies for Windows 10
**Applies to**
- Windows 10
- Windows 11
As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference". As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004. For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004.
@ -41,7 +38,6 @@ The following Group Policy settings were added in Windows 10, version 1903:
- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold - System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems - System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
**Windows Components** **Windows Components**
- Windows Components\App Privacy\Let Windows apps activate with voice - Windows Components\App Privacy\Let Windows apps activate with voice
@ -180,7 +176,7 @@ The following Group Policy settings were added in Windows 10, version 1809:
- Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans - Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans
- Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard - Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard - Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the users device - Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device
- Windows Components\Windows Defender Application Guard\Configure additional sources for untrusted files in Windows Defender Application Guard - Windows Components\Windows Defender Application Guard\Configure additional sources for untrusted files in Windows Defender Application Guard
- Windows Components\Windows Hello for Business\Use Windows Hello for Business certificates as smart card certificates - Windows Components\Windows Hello for Business\Use Windows Hello for Business certificates as smart card certificates
- Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes - Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
@ -238,7 +234,6 @@ The following Group Policy settings were added in Windows 10, version 1809:
- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network - Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network
## New Group Policy settings in Windows 10, version 1803 ## New Group Policy settings in Windows 10, version 1803
The following Group Policy settings were added in Windows 10, version 1803: The following Group Policy settings were added in Windows 10, version 1803:
@ -278,7 +273,6 @@ The following Group Policy settings were added in Windows 10, version 1803:
- Windows Components\Windows Defender Security Center\Device security\Hide the Secure boot area - Windows Components\Windows Defender Security Center\Device security\Hide the Secure boot area
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area - Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area
## New Group Policy settings in Windows 10, version 1709 ## New Group Policy settings in Windows 10, version 1709
The following Group Policy settings were added in Windows 10, version 1709: The following Group Policy settings were added in Windows 10, version 1709:
@ -347,7 +341,6 @@ The following Group Policy settings were added in Windows 10, version 1709:
- Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections - Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections
- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update - Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update
## New Group Policy settings in Windows 10, version 1703 ## New Group Policy settings in Windows 10, version 1703
The following Group Policy settings were added in Windows 10, version 1703: The following Group Policy settings were added in Windows 10, version 1703:
@ -473,7 +466,6 @@ The following Group Policy settings were added in Windows 10, version 1703:
- Windows Components\Windows Update\Turn on recommended updates via Automatic Updates - Windows Components\Windows Update\Turn on recommended updates via Automatic Updates
- Windows Components\Shutdown Options\Turn off legacy remote shutdown interface - Windows Components\Shutdown Options\Turn off legacy remote shutdown interface
For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627). For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627).
## New MDM policies ## New MDM policies

20
windows/client-management/oma-dm-protocol-support.md
View File

@ -9,9 +9,11 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# OMA DM protocol support # OMA DM protocol support
The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf).
@ -32,7 +34,6 @@ The following table shows the OMA DM standards that Windows uses.
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.| |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.|
|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| |Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
<a href="" id="protocol-common-elements"></a> <a href="" id="protocol-common-elements"></a>
## OMA DM protocol common elements ## OMA DM protocol common elements
@ -68,26 +69,27 @@ A short DM session can be summarized as:
A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents. A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents.
A DM session can be divided into two phases: A DM session can be divided into two phases:
1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. 1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table.
2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. 1. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table.
The following information shows the sequence of events during a typical DM session. The following information shows the sequence of events during a typical DM session.
1. DM client is invoked to call back to the management server<br><br>Enterprise scenario The device task schedule invokes the DM client. 1. DM client is invoked to call back to the management server<br><br>Enterprise scenario - The device task schedule invokes the DM client.
The MO server sends a server trigger message to invoke the DM client. The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.<br><br>Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.<br><br>Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
2. The device sends a message, over an IP connection, to initiate the session. 1. The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. 1. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any.
4. The device responds to server management commands. This message includes the results of performing the specified device management operations. 1. The device responds to server management commands. This message includes the results of performing the specified device management operations.
5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. 1. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated.
The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
@ -97,7 +99,6 @@ If a request includes credentials and the response code to the request is 200, t
For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/). For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/).
## User targeted vs. Device targeted configuration ## User targeted vs. Device targeted configuration
For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1. For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1.
@ -130,7 +131,6 @@ The following LocURL shows a per user CSP node configuration: `./user/vendor/MSF
The following LocURL shows a per device CSP node configuration: `./device/vendor/MSFT/RemoteWipe/DoWipe` The following LocURL shows a per device CSP node configuration: `./device/vendor/MSFT/RemoteWipe/DoWipe`
<a href="" id="syncml-response-codes"></a> <a href="" id="syncml-response-codes"></a>
## SyncML response status codes ## SyncML response status codes

19
windows/client-management/on-premise-authentication-device-enrollment.md
View File

@ -9,11 +9,14 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# On-premises authentication device enrollment # On-premises authentication device enrollment
This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
## In this topic ## In this topic
@ -23,7 +26,7 @@ This section provides an example of the mobile device enrollment protocol using
- [Enrollment policy web service](#enrollment-policy-web-service) - [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service) - [Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service ## Discovery service
@ -32,7 +35,7 @@ The discovery web service provides the configuration information necessary for a
> [!NOTE] > [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. > The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The devices automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc The device's automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain "enterpriseenrollment" to the domain of the email address, and by appending the path "/EnrollmentServer/Discovery.svc". For example, if the email address is "sample@contoso.com", the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
The first request is a standard HTTP GET request. The first request is a standard HTTP GET request.
@ -73,7 +76,7 @@ After the device gets a response from the server, the device sends a POST reques
The following logic is applied: The following logic is applied:
1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. 1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails.
2. If that fails, the device tries HTTP to see whether it is redirected: 1. If that fails, the device tries HTTP to see whether it is redirected:
- If the device is not redirected, it prompts the user for the server address. - If the device is not redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect. - If the device is redirected, it prompts the user to allow the redirect.
@ -124,8 +127,8 @@ If a domain and user name are provided by the user instead of an email address,
The discovery response is in the XML format and includes the following fields: The discovery response is in the XML format and includes the following fields:
- Enrollment service URL (EnrollmentServiceUrl) Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. - Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
- Authentication policy (AuthPolicy) Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. - Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. - Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> [!NOTE] > [!NOTE]
@ -462,7 +465,7 @@ The following example shows the encoded provisioning XML.
</characteristic> </characteristic>
<characteristic type="WSTEP"> <characteristic type="WSTEP">
<characteristic type="Renew"> <characteristic type="Renew">
<!If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. --> <!-If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/> <parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/> <parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/> <parm name="RetryInterval" value="4" datatype="integer"/>
@ -505,7 +508,7 @@ The following example shows the encoded provisioning XML.
<parm name="NumberOfSecondRetries" value="5" datatype="integer" /> <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" /> <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" /> <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.--> <!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedule's retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" /> <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" /> <parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic> </characteristic>

8
windows/client-management/push-notification-windows-mdm.md
View File

@ -1,9 +1,6 @@
--- ---
title: Push notification support for device management title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions. description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
MS-HAID:
- 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management'
- 'p\_phDeviceMgmt.push\_notification\_windows\_mdm'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -12,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 09/22/2017 ms.date: 09/22/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Push notification support for device management # Push notification support for device management
@ -33,7 +33,7 @@ The following restrictions are related to push notifications and WNS:
- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. - WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support.
- On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel. - On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel.
To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If theyre already running Windows 10, there should be an update available that they can install that should fix the issue. To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they're already running Windows 10, there should be an update available that they can install that should fix the issue.
- On Windows 10, version 1511, we use the following retry logic for the DMClient: - On Windows 10, version 1511, we use the following retry logic for the DMClient:

8
windows/client-management/quick-assist.md
View File

@ -10,11 +10,11 @@ ms.author: vinpa
manager: aaroncz manager: aaroncz
ms.reviewer: pmadrigal ms.reviewer: pmadrigal
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection: ms.collection:
- highpri - highpri
- tier1 - tier1
ms.date: 03/06/2023 ms.date: 03/06/2023
--- ---

13
windows/client-management/server-requirements-windows-mdm.md
View File

@ -1,9 +1,6 @@
--- ---
title: Server requirements for using OMA DM to manage Windows devices title: Server requirements for using OMA DM to manage Windows devices
description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM. description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
MS-HAID:
- 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm'
- 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -12,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Server requirements for using OMA DM to manage Windows devices # Server requirements for using OMA DM to manage Windows devices
@ -31,10 +31,3 @@ The following list shows the general server requirements for using OMA DM to man
For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
- The server must support HTTPS. - The server must support HTTPS.
 

6
windows/client-management/structure-of-oma-dm-provisioning-files.md
View File

@ -9,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Structure of OMA DM provisioning files # Structure of OMA DM provisioning files
@ -75,7 +78,6 @@ SyncHdr includes the following information:
This information is used to by the client device to properly manage the DM session. This information is used to by the client device to properly manage the DM session.
**Code example** **Code example**
The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only. The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only.
@ -83,7 +85,7 @@ The following example shows the header component of a DM message. In this case,
> [!NOTE] > [!NOTE]
> The `<LocURI>` node value for the `<Source>` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](mdm/devinfo-csp.md). > The `<LocURI>` node value for the `<Source>` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](mdm/devinfo-csp.md).
 
```xml ```xml
<SyncHdr> <SyncHdr>

13
windows/client-management/understanding-admx-backed-policies.md
View File

@ -1,6 +1,6 @@
--- ---
title: Understanding ADMX policies title: Understanding ADMX policies
description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices. description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
ms.prod: windows-client ms.prod: windows-client
@ -9,6 +9,9 @@ author: vinaypamnani-msft
ms.date: 03/23/2020 ms.date: 03/23/2020
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Understanding ADMX policies # Understanding ADMX policies
@ -23,6 +26,7 @@ In addition to standard MDM policies, the Policy CSP can also handle selected se
ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC.
Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor:
- OS settings: Computer Configuration/Administrative Templates - OS settings: Computer Configuration/Administrative Templates
- Application settings: User Configuration/Administrative Templates - Application settings: User Configuration/Administrative Templates
@ -42,6 +46,7 @@ To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrat
The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category.
Group Policy option button setting: Group Policy option button setting:
- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: - If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
- The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
- The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition.
@ -82,12 +87,10 @@ Appv.admx file:
<text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/> <text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/>
``` ```
## <a href="" id="admx-backed-policy-examples"></a>ADMX policy examples ## <a href="" id="admx-backed-policy-examples"></a>ADMX policy examples
The following SyncML examples describe how to set an MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. The functionality that this Group Policy manages isn't important; it's used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. The payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). The following SyncML examples describe how to set an MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. The functionality that this Group Policy manages isn't important; it's used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. The payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
### <a href="" id="enabling-a-policy"></a>Enabling a policy ### <a href="" id="enabling-a-policy"></a>Enabling a policy
**Payload** **Payload**
@ -233,7 +236,7 @@ This section describes sample SyncML for the various ADMX elements like Text, Mu
### <a href="" id="how-a-group-policy-policy-category-path-and-name-are-mapped-to-a-mdm-area-and-policy-name"></a>How a Group Policy policy category path and name are mapped to an MDM area and policy name ### <a href="" id="how-a-group-policy-policy-category-path-and-name-are-mapped-to-a-mdm-area-and-policy-name"></a>How a Group Policy policy category path and name are mapped to an MDM area and policy name
Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]/<area>/<policy>` `./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]/<area>/<policy>`
@ -306,7 +309,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit
### <a href="" id="multitext-element"></a>MultiText Element ### <a href="" id="multitext-element"></a>MultiText Element
The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc.  It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: `&#xF000;`) The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: `&#xF000;`)
```XML ```XML
<policy name="Virtualization_JITVAllowList" class="Machine" displayName="$(string.Virtualization_JITVAllowList)" <policy name="Virtualization_JITVAllowList" class="Machine" displayName="$(string.Virtualization_JITVAllowList)"

14
windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
View File

@ -9,13 +9,15 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Using PowerShell scripting with the WMI Bridge Provider # Using PowerShell scripting with the WMI Bridge Provider
This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
## Configuring per-device policy settings ## Configuring per-device policy settings
This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system"). This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system").
@ -84,15 +86,15 @@ class MDM_Policy_User_Config01_Authentication02
}; };
``` ```
> **Note**  If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. > **Note** If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt.
 
If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets. If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets.
> **Note**   All commands must executed under local system. > **Note** All commands must executed under local system.
 
A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001. A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001.
@ -220,5 +222,3 @@ catch [Exception]
## Related topics ## Related topics
[WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
 

6
windows/client-management/win32-and-centennial-app-policy-configuration.md
View File

@ -9,6 +9,9 @@ author: vinaypamnani-msft
ms.date: 03/23/2020 ms.date: 03/23/2020
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Win32 and Desktop Bridge app ADMX policy Ingestion # Win32 and Desktop Bridge app ADMX policy Ingestion
@ -57,7 +60,7 @@ When the ADMX policies are ingested, the registry keys to which each policy is w
- software\Microsoft\Edge - software\Microsoft\Edge
- Software\Microsoft\EdgeUpdate\ - Software\Microsoft\EdgeUpdate\
> [!Warning] > [!WARNING]
> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined. > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined.
> [!NOTE] > [!NOTE]
@ -409,6 +412,7 @@ The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}.
{CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3. {CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3.
Therefore, from the example: Therefore, from the example:
- Class: User - Class: User
- Policy name: L_PolicyPreventRun_1 - Policy name: L_PolicyPreventRun_1
- Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 - Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3

21
windows/client-management/windows-libraries.md
View File

@ -10,17 +10,20 @@ ms.topic: article
author: vinaypamnani-msft author: vinaypamnani-msft
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
ms.date: 09/15/2021 ms.date: 09/15/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
--- ---
# Windows libraries # Windows libraries
> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
Libraries are virtual containers for users content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
## Features for Users ## Features for Users
Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users: Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users:
- Aggregate content from multiple storage locations into a single, unified presentation. - Aggregate content from multiple storage locations into a single, unified presentation.
- Enable users to stack and group library contents based on metadata. - Enable users to stack and group library contents based on metadata.
- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. - Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu.
@ -30,6 +33,7 @@ Windows libraries are backed by full content search and rich metadata. Libraries
## Features for Administrators ## Features for Administrators
Administrators can configure and control Windows libraries in the following methods: Administrators can configure and control Windows libraries in the following methods:
- Create custom libraries by creating and deploying Library Description (*.library-ms) files. - Create custom libraries by creating and deploying Library Description (*.library-ms) files.
- Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.) - Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.)
- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. - Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User.
@ -48,6 +52,7 @@ Including a folder in a library doesn't physically move or change the storage lo
### Default Libraries and Known Folders ### Default Libraries and Known Folders
The default libraries include: The default libraries include:
- Documents - Documents
- Music - Music
- Pictures - Pictures
@ -64,16 +69,17 @@ Users or administrators can hide or delete the default libraries, though the lib
Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location.
If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails. If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails.
### Indexing Requirements and “Basic” Libraries ### Indexing Requirements and "Basic" Libraries
Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality: Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality:
- No support for metadata browsing via **Arrange By** views. - No support for metadata browsing via **Arrange By** views.
- Grep-only searches. - Grep-only searches.
- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. - Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**.
- No support for searching from the Start menu. Start menu searches don't return files from basic libraries. - No support for searching from the Start menu. Start menu searches don't return files from basic libraries.
- No previews of file snippets for search results returned in Content mode. - No previews of file snippets for search results returned in Content mode.
To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folders files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder "Always available offline" creates a local copy of the folder's files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally.
For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations). For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations).
@ -81,7 +87,7 @@ If your environment doesn't support caching files locally, you should enable the
### Folder Redirection ### Folder Redirection
While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the "My Documents" folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
### Supported storage locations ### Supported storage locations
@ -90,7 +96,7 @@ The following table shows which locations are supported in Windows libraries.
|Supported Locations|Unsupported Locations| |Supported Locations|Unsupported Locations|
|---|---| |---|---|
|Fixed local volumes (NTFS/FAT)|Removable drives| |Fixed local volumes (NTFS/FAT)|Removable drives|
|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)<br><br>Network shares that are accessible through DFS Namespaces or are part of a failover cluster| |Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)<br><br>Network shares that are accessible through DFS Namespaces or are part of a failover cluster|
|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed <br><br>Network Attached Storage (NAS) devices| |Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed <br><br>Network Attached Storage (NAS) devices|
||Other data sources: SharePoint, Exchange, etc.| ||Other data sources: SharePoint, Exchange, etc.|
@ -104,6 +110,7 @@ The following table shows which locations are supported in Windows libraries.
### Library Attributes ### Library Attributes
The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms):
- Name - Name
- Library locations - Library locations
- Order of library locations - Order of library locations

15
windows/client-management/windows-mdm-enterprise-settings.md
View File

@ -1,9 +1,6 @@
--- ---
title: Enterprise settings, policies, and app management title: Enterprise settings, policies, and app management
description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow.
MS-HAID:
- 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management'
- 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -12,6 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Enterprise settings, policies, and app management # Enterprise settings, policies, and app management
@ -26,7 +26,6 @@ The following diagram shows the work flow between server and client.
![windows client and server mdm diagram.](images/enterprise-workflow.png) ![windows client and server mdm diagram.](images/enterprise-workflow.png)
## Management workflow ## Management workflow
This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure. This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure.
@ -41,11 +40,3 @@ Here's a summary of the DM tasks supported for enterprise management:
- Enterprise application management: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service. - Enterprise application management: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service.
- Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates. - Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates.
- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service. - Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service.
 

17
windows/client-management/windows-version-search.md
View File

@ -1,10 +1,7 @@
--- ---
title: What version of Windows am I running? title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build
ms.prod: windows-client ms.prod: windows-client
ms.mktglfcycl: manage
ms.sitesec: library
author: vinaypamnani-msft author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
ms.date: 04/30/2018 ms.date: 04/30/2018
@ -12,13 +9,17 @@ ms.reviewer:
manager: aaroncz manager: aaroncz
ms.topic: troubleshooting ms.topic: troubleshooting
ms.technology: itpro-manage ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# What version of Windows am I running? # What version of Windows am I running?
To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so its useful to learn about all of them. To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
## System Properties ## System Properties
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
@ -26,17 +27,19 @@ You'll now see **Edition**, **Version**, and **OS Build** information. Something
![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png) ![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png)
## Using Keyword Search ## Using Keyword Search
You can type the following in the search bar and press **ENTER** to see version details for your device. You can type the following in the search bar and press **ENTER** to see version details for your device.
**“winver”** **"winver"**
![screenshot of the About Windows display text.](images/winver.png) ![screenshot of the About Windows display text.](images/winver.png)
**“msinfo”** or **"msinfo32"** to open **System Information**: **"msinfo"** or **"msinfo32"** to open **System Information**:
![screenshot of the System Information display text.](images/msinfo32.png) ![screenshot of the System Information display text.](images/msinfo32.png)
## Using Command Prompt or PowerShell ## Using Command Prompt or PowerShell
At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER** At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER**
![screenshot of system information display text.](images/refcmd.png) ![screenshot of system information display text.](images/refcmd.png)
@ -47,6 +50,6 @@ At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER
## What does it all mean? ## What does it all mean?
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesnt contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Its important to remember that the LTSC model is primarily for specialized devices. The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn't contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It's important to remember that the LTSC model is primarily for specialized devices.
In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.

18
windows/client-management/wmi-providers-supported-in-windows.md
View File

@ -1,9 +1,6 @@
--- ---
title: WMI providers supported in Windows 10 title: WMI providers supported in Windows 10
description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
MS-HAID:
- 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview'
- 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -12,11 +9,14 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# WMI providers supported in Windows 10 # WMI providers supported in Windows 10
Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10. Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10.
> [!NOTE] > [!NOTE]
> Applications installed using WMI classes are not removed when the MDM account is removed from device. > Applications installed using WMI classes are not removed when the MDM account is removed from device.
@ -53,7 +53,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
## MDM WMI classes ## MDM WMI classes
|Class|Test completed in Windows 10 for desktop| |Class|Test completed in Windows 10 for desktop|
|--- |--- | |--- |--- |
|[**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob)|Currently testing.| |[**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob)|Currently testing.|
|[**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application)|Currently testing.| |[**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application)|Currently testing.|
@ -92,7 +92,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
### Parental control WMI classes ### Parental control WMI classes
| Class | Test completed in Windows 10 for desktop | | Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------| |--------------------------------------------------------------------------|------------------------------------------|
| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | | [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | | [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
@ -105,11 +105,9 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | | [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | | [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
### Win32 WMI classes ### Win32 WMI classes
| Class | Test completed in Windows 10 for desktop | | Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------| |--------------------------------------------------------------------------|------------------------------------------|
[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
@ -180,10 +178,10 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** | **Win32\_WindowsUpdateAgentVersion** |
## Related topics ## Related topics
[Configuration service provider reference](mdm/index.yml) [Configuration service provider reference](mdm/index.yml)
## Related Links ## Related Links
[CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller) [CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller)