diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 5b224029ba..359a00110d 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,100 @@
{
"redirections": [
+ {
+ "source_path": "windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/deviceinstanceservice-csp.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/cm-proxyentries-csp.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/bootstrap-csp.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-textinput.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-shell.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-rcspresence.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-otherassets.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-nfc.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-multivariant.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-modemconfigurations.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-messaging.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-internetexplorer.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-initialsetup.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-deviceinfo.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-calling.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-callandmessagingenhancement.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-automatictime.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-theme.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/configuration/wcd/wcd-embeddedlockdownprofiles.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 1f83558533..226a90d32e 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,8 +2,11 @@
-## Week of April 26, 2021
+## Week of October 25, 2021
| Published On |Topic title | Change |
|------|------------|--------|
+| 10/28/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
+| 10/28/2021 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
+| 10/28/2021 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified |
diff --git a/smb/includes/smb-content-updates.md b/smb/includes/smb-content-updates.md
index 1f83558533..4cebea6e8c 100644
--- a/smb/includes/smb-content-updates.md
+++ b/smb/includes/smb-content-updates.md
@@ -2,8 +2,10 @@
-## Week of April 26, 2021
+## Week of October 25, 2021
| Published On |Topic title | Change |
|------|------------|--------|
+| 10/28/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified |
+| 10/28/2021 | [Windows 10/11 for small to midsize businesses](/windows/smb/index) | modified |
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index 392ba61769..2431493b6c 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -35,16 +35,16 @@ You should read and understand the following information before reading this doc
- [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760)
-**Note**
-Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk * review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document.
+> [!Note]
+> Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk `*`, review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document.
Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI).
-To help determine what information is relevant to your environment you should review each section’s brief overview and applicability checklist.
+To help determine what information is relevant to your environment, you should review each section’s brief overview and applicability checklist.
## App-V in stateful\* non-persistent deployments
-This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. A number of conditions must be met and steps followed to provide the optimal user experience.
+This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience.
Use the information in the following section for more information:
@@ -72,199 +72,97 @@ Use the information in the following section for more information:
### Applicability Checklist
-Deployment Environment
+|Checklist|Deployment Environment|
+|--- |--- |
+||Non-Persistent VDI or RDSH.|
+||User Experience Virtualization (UE-V), other UPM solutions or User Profile Disks (UPD).|
-
-
-
-
-
-
-
-
-
Non-Persistent VDI or RDSH.
-
-
-
-
User Experience Virtualization (UE-V), other UPM solutions or User Profile Disks (UPD).
-
-
-
+|Checklist|Expected Configuration|
+|--- |--- |
+||User Experience Virtualization (UE-V) with the App-V user state template enabled or User Profile Management (UPM) software. Non-UE-V UPM software must be capable of triggering on Login or Process/Application Start and Logoff.|
+||App-V Shared Content Store (SCS) is configured or can be configured.|
-
-Expected Configuration
-
-
-
-
-
-
-
-
-
-
User Experience Virtualization (UE-V) with the App-V user state template enabled or User Profile Management (UPM) software. Non-UE-V UPM software must be capable of triggering on Login or Process/Application Start and Logoff.
-
-
-
-
App-V Shared Content Store (SCS) is configured or can be configured.
-
-
-
-
-
-
-IT Administration
-
-
-
-
-
-
-
-
-
-
Admin may need to update the VM base image regularly to ensure optimal performance or Admin may need to manage multiple images for different user groups.
-
-
-
-
-
+|Checklist|IT Administration|
+|--- |--- |
+||Admin may need to update the VM base image regularly to ensure optimal performance or Admin may need to manage multiple images for different user groups.|
### Usage Scenarios
As you review the two scenarios, keep in mind that these approach the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both.
-
-
-
-
-
-
-
-
Optimized for Performance
-
Optimized for Storage
-
-
-
-
-
To provide the most optimal user experience, this approach leverages the capabilities of a UPM solution and requires additional image preparation and can incur some additional image management overhead.
The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in very costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.
+- **Performance**: To provide the most optimal user experience, this approach uses the capabilities of a UPM solution and requires extra image preparation and can incur some more image management overhead.
-
+ The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article).
+
+- **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.
+
+ The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) (in this article).
### Preparing your Environment
-The following table displays the required steps to prepare the base image and the UE-V or another UPM solution for the approach.
+The following information displays the required steps to prepare the base image and the UE-V or another UPM solution for the approach.
-**Prepare the Base Image**
+#### Prepare the Base Image
-
Configure Preserve User Integrations on Login Registry DWORD.
-
Pre-configure all global-targeted packages for example, Add-AppvClientPackage.
-
Pre-configure all global-targeted connection groups for example, Add-AppvClientConnectionGroup.
-
Pre-publish all global-targeted packages.
-
-
-
-
-
+- **Performance**:
-
+ - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
+ - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
+ - Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
+ - Configure Preserve User Integrations on Login Registry DWORD.
+ - Pre-configure all user and global-targeted packages, for example, **Add-AppvClientPackage**.
+ - Pre-configure all user- and global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**.
+ - Pre-publish all global-targeted packages. Or:
+ - Perform a global publishing/refresh.
+ - Perform a user publishing/refresh.
+ - Unpublish all user-targeted packages.
+ - Delete the following user-Virtual File System (VFS) entries:
-**Configurations** - For critical App-V Client configurations and for a little more context and how-to, review the following information:
+ - `AppData\Local\Microsoft\AppV\Client\VFS`
+ - `AppData\Roaming\Microsoft\AppV\Client\VFS`
-
When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM).
-
This helps to conserve local storage and minimize disk I/O per second (IOPS).
-
This is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN.
-
-
-
PreserveUserIntegrationsOnLogin
-
-
Configure in the Registry under HKEY_LOCAL_MACHINE \ Software \ Microsoft \ AppV \ Client \ Integration.
-
Create the DWORD value PreserveUserIntegrationsOnLogin with a value of 1.
-
Restart the App-V client service or restart the computer running the App-V Client.
-
-
If you have not pre-configured (Add-AppvClientPackage) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then re-integrate*.
-
For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.
-
If you don’t plan to pre-configure every available user package in the base image, use this setting.
-
-
-
MaxConcurrentPublishingRefresh
-
-
Configure in the Registry under HKEY_LOCAL_MACHINE \ Software \ Microsoft \ AppV \ Client \ Publishing.
-
Create the DWORD value MaxConcurrentPublishingrefresh with the desired maximum number of concurrent publishing refreshes.
-
The App-V client service and computer do not need to be restarted.
-
-
This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit.
-
Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync.
-
If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time.
-
-
-
+- **Storage**:
-
+ - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
+ - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
+ - Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the
+ App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
+ - Configure Preserve User Integrations on Login Registry DWORD.
+ - Pre-configure all global-targeted packages, for example, **Add-AppvClientPackage**.
+ - Pre-configure all global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**.
+ - Pre-publish all global-targeted packages.
+
+#### Configurations
+
+For critical App-V Client configurations and for a little more context and how-to, review the following configuration settings:
+
+- **Shared Content Store (SCS) Mode**: When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM). This helps to conserve local storage and minimize disk I/O per second (IOPS).
+
+ This setting is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN.
+
+ - Configurable in Windows PowerShell: `Set-AppvClientConfiguration -SharedContentStoreMode 1`
+ - Configurable with Group Policy: See [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
+
+- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*.
+
+ For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.
+
+ If you don’t plan to pre-configure every available user package in the base image, use this setting.
+
+ - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`.
+ - Create the DWORD value **PreserveUserIntegrationsOnLogin** with a value of 1.
+ - Restart the App-V client service or restart the computer running the App-V Client.
+
+- **MaxConcurrentPublishingRefresh**: This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit.
+
+ Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync.
+
+ If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time.
+
+ - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing`.
+ - Create the DWORD value **MaxConcurrentPublishingrefresh** with the desired maximum number of concurrent publishing refreshes.
+ - The App-V client service and computer do not need to be restarted.
### Configure UE-V solution for App-V Approach
@@ -278,8 +176,8 @@ For more information, see:
In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows).
-**Note**
-Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default.
+> [!Note]
+> Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default.
UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V would not currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices.
@@ -287,12 +185,10 @@ UE-V will only support removing the .lnk file type from the exclusion list in th
- If a user has an application installed on one device but not another with .lnk files enabled.
-**Important**
-This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
+> [!Important]
+> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
-
-
-Using the Microsoft Registry Editor (regedit.exe), navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **UEV** \\ **Agent** \\ **Configuration** \\ **ExcludedFileTypes** and remove **.lnk** from the excluded file types.
+Using the Microsoft Registry Editor (regedit.exe), navigate to `HKEY\_LOCAL\_MACHINE\Software\Microsoft\UEV\Agent\Configuration\ExcludedFileTypes` and remove `.lnk` from the excluded file types.
## Configure other User Profile Management (UPM) solutions for App-V Approach
@@ -308,12 +204,11 @@ To enable an optimized login experience, for example the App-V approach for the
- Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations.
- **Note**
- App-V is supported when using UPD only when the entire profile is stored on the user profile disk.
-
- App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders.
-
-
+ > [!Note]
+ >
+ > App-V is supported when using UPD only when the entire profile is stored on the user profile disk.
+ >
+ > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders.
- Capturing changes to the locations, which constitute the user integrations, prior to session logoff.
@@ -355,84 +250,62 @@ Registry – HKEY\_CURRENT\_USER
This following is a step-by-step walk-through of the App-V and UPM operations and the expectations users should expect.
-
-
-
-
-
-
-
-
Optimized for Performance
-
Optimized for Storage
-
-
-
-
-
After implementing this approach in the VDI/RDSH environment, on first login,
-
-
(Operation) A user-publishing/refresh is initiated. (Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh.
-
(Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state.
-
-
On subsequent logins:
-
-
(Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
-
(Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away.
-
(Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements. (Expectation) If there are no entitlement changes, publishing1 will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity* of virtual applications
-
(Operation) UPM solution will capture user integrations again at logoff. (Expectation) Same as previous.
-
-
¹ The publishing operation (Publish-AppVClientPackage) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.
-
After implementing this approach in the VDI/RDSH environment, on first login,
-
-
(Operation) A user-publishing/refresh is initiated. (Expectation)
-
-
If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh.
-
First and subsequent logins will be impacted by pre-configuring of packages (add/refresh).
-
-
-
(Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state
-
-
On subsequent logins:
-
-
(Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
-
(Operation) Add/refresh must pre-configure all user targeted applications. (Expectation)
-
-
This may increase the time to application availability significantly (on the order of 10’s of seconds).
-
This will increase the publishing refresh time relative to the number and complexity* of virtual applications.
-
-
-
(Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements.
-
-
-
-
+- **Performance**: After implementing this approach in the VDI/RDSH environment, on first login,
+ - (Operation) A user-publishing/refresh is initiated.
+ (Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh.
+
+- (Operation) After the publishing/refresh, the UPM solution captures the user integrations.
+
+ (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state.
+ **On subsequent logins**:
-
-
-
-
-
-
-
-
Outcome
-
Outcome
-
-
-
-
-
-
-
Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login.
-
The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience.
-
-
Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended.
-
-
-
+ - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
+ (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away.
+
+ - (Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements.
+ (Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications
+ The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.
+
+ - (Operation) UPM solution will capture user integrations again at logoff.
+
+ (Expectation) Same as previous.
+
+ **Outcome**:
+
+ - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login.
+ - The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience.
+
+- **Storage**: After implementing this approach in the VDI/RDSH environment, on first login
+
+ - (Operation) A user-publishing/refresh is initiated.
+
+ (Expectation):
+
+ - If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh.
+ - First and subsequent logins will be impacted by pre-configuring of packages (add/refresh).
+
+ - (Operation) After the publishing/refresh, the UPM solution captures the user integrations.
+
+ (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state.
+
+ **On subsequent logins**:
+
+ - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
+ - (Operation) Add/refresh must pre-configure all user targeted applications.
+
+ - (Expectation):
+ - This may increase the time to application availability significantly (on the order of 10’s of seconds).
+ - This will increase the publishing refresh time relative to the number and complexity* of virtual applications.
+
+ - (Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements.
+
+ **Outcome**: Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended.
+
### Impact to Package Life Cycle
Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (un-published) virtual application packages, it is recommended you update the base image to reflect these changes. To understand why review the following section:
@@ -489,36 +362,9 @@ Server Performance Tuning Guidelines for
Several App-V features facilitate new scenarios or enable new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations.
-
-
-
-
-
-
-
-
-
-
Step
-
Consideration
-
Benefits
-
Tradeoffs
-
-
-
-
-
No Feature Block 1 (FB1, also known as Primary FB)
-
No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
-
-
Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.
-
Delay launch until the entire FB1 has been streamed.
-
-
Stream faulting decreases the launch time.
-
Virtual application packages with FB1 configured will need to be re-sequenced.
-
-
-
-
-
+|Step|Consideration|Benefits|Tradeoffs|
+|--- |--- |--- |--- |
+|No Feature Block 1 (FB1, also known as Primary FB)|No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.
Delay launch until the entire FB1 has been streamed.|Stream faulting decreases the launch time.|Virtual application packages with FB1 configured will need to be re-sequenced.|
### Removing FB1
@@ -554,37 +400,13 @@ Removing FB1 does not require the original application installer. After completi
"C:\\UpgradedPackages"
- **Note**
- This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file.
+ > [!Note]
+ > This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file.
-
+|Step|Considerations|Benefits|Tradeoffs|
+|--- |--- |--- |--- |
+|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies will not install at publishing time.|SxS Assembly dependencies must be pre-installed.|
-
-
-
-
-
-
-
-
-
-
Step
-
Considerations
-
Benefits
-
Tradeoffs
-
-
-
-
-
No SXS Install at Publish (Pre-Install SxS assemblies)
-
Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.
-
The SxS Assembly dependencies will not install at publishing time.
-
SxS Assembly dependencies must be pre-installed.
-
-
-
-
-
### Creating a new virtual application package on the sequencer
@@ -594,33 +416,9 @@ If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is ins
When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur.
-
-
-
-
-
-
-
-
-
-
Step
-
Considerations
-
Benefits
-
Tradeoffs
-
-
-
-
-
Selectively Employ Dynamic Configuration files
-
The App-V client must parse and process these Dynamic Configuration files.
-
Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.
-
Numerous virtual application packages may already have User- or computer–specific dynamic configurations files.
-
Publishing times will improve if these files are used selectively or not at all.
-
Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.
-
-
-
-
+|Step|Considerations|Benefits|Tradeoffs|
+|--- |--- |--- |--- |
+|Selectively Employ Dynamic Configuration files|The App-V client must parse and process these Dynamic Configuration files.
Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.
Numerous virtual application packages may already have User- or computer–specific dynamic configurations files.|Publishing times will improve if these files are used selectively or not at all.|Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.|
### Disabling a Dynamic Configuration by using Windows PowerShell
@@ -639,39 +437,10 @@ For documentation on How to Apply a Dynamic Configuration, see:
- [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)
-
-
-
-
-
-
-
-
-
-
Step
-
Considerations
-
Benefits
-
Tradeoffs
-
-
-
-
-
Account for Synchronous Script Execution during Package Lifecycle.
-
If script collateral is embedded in the package, Add cmdlets may be significantly slower.
-
Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.
-
Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.
-
This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.
-
-
-
Remove Extraneous Virtual Fonts from Package.
-
The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.
Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.
-
-
-
-
-
+|Step|Considerations|Benefits|Tradeoffs|
+|--- |--- |--- |--- |
+|Account for Synchronous Script Execution during Package Lifecycle.|If script collateral is embedded in the package, Add cmdlets may be significantly slower. Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.|Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.|This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.|
+|Remove Extraneous Virtual Fonts from Package.|The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.|Virtual Fonts impact publishing refresh performance.|Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.|
### Determining what virtual fonts exist in the package
@@ -681,15 +450,15 @@ For documentation on How to Apply a Dynamic Configuration, see:
- Open AppxManifest.xml and locate the following:
- ```
+ ```xml
```
- **Note** If there are fonts marked as **DelayLoad**, those will not impact first launch.
-
+ > [!Note]
+ > If there are fonts marked as **DelayLoad**, those will not impact first launch.
### Excluding virtual fonts from the package
@@ -699,7 +468,7 @@ Use the dynamic configuration file that best suits the user scope – deployment
Fonts
-```
+```xml
-->
@@ -157,9 +147,8 @@ The following example shows the details of an certificate renewal response.
```
> [!Note]
-The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
+> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
-
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 37fa305bce..c8c467fcc9 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -70,38 +70,14 @@ CM_CellularEntries
**ConnectionType**
Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
-
-
-
-
-
-
-
-
Gprs
-
Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).
-
-
-
Cdma
-
Used for CDMA type connections (1XRTT + EVDO).
-
-
-
Lte
-
Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.
-
-
-
Legacy
-
Used for GPRS + GSM + EDGE + UMTS connections.
-
-
-
Lte_iwlan
-
Used for GPRS type connections that may be offloaded over WiFi
-
-
-
Iwlan
-
Used for connections that are implemented over WiFi offload only
-
-
-
+|Connection type|Usage|
+|--- |--- |
+|Gprs|Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).|
+|Cdma|Used for CDMA type connections (1XRTT + EVDO).|
+|Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.|
+|Legacy|Used for GPRS + GSM + EDGE + UMTS connections.|
+|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi|
+|Iwlan|Used for connections that are implemented over WiFi offload only|
@@ -295,37 +271,14 @@ Configuring a CDMA connection:
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
-
-
-
-
-
-
-
-
Element
-
Available
-
-
-
-
-
Nocharacteristic
-
Yes
-
-
-
Characteristic-query
-
Yes
-
-
-
Parm-query
-
Yes
-
-
-
+|Element|Available|
+|--- |--- |
+|Nocharacteristic|Yes|
+|Characteristic-query|Yes|
+|Parm-query|Yes|
-
## Related topics
diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md
deleted file mode 100644
index 5680e25242..0000000000
--- a/windows/client-management/mdm/cm-proxyentries-csp.md
+++ /dev/null
@@ -1,184 +0,0 @@
----
-title: CM\_ProxyEntries CSP
-description: Learn how the CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
-ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.date: 06/26/2017
----
-
-# CM\_ProxyEntries CSP
-
-
-The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
-
-> [!NOTE]
-> CM\_ProxyEntries CSP is only supported in Windows 10 Mobile.
-
-> [!IMPORTANT]
-> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
-
-
-The following shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607.
-
-```
-./Vendor/MSFT
-CM_ProxyEntries
-----Entry
---------ConnectionName
---------BypassLocal
---------Enable
---------Exception
---------Password
---------Port
---------Server
---------Type
---------Username
-
-
-./Device/Vendor/MSFT
-Root
-
-
-./Vendor/MSFT
-./Device/Vendor/MSFT
-CM_ProxyEntries
-----Entry
---------ConnectionName
---------BypassLocal
---------Enable
---------Exception
---------Password
---------Port
---------Server
---------Type
---------Username
-```
-**entryname**
-Defines the name of the connection proxy.
-
-Each cellular entry can have only one proxy entry. For example, an Internet connection can have no more than one HTTP proxy specified but it might also have a WAP proxy. If two applications need access to the same APN but one application needs a proxy and the other application cannot have a proxy, two entries can be created with different names for the same APN.
-
-**ConnectionName**
-Specifies the name of the connection the proxy is associated with. This is the APN name of a connection configured using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md).
-
-**BypassLocal**
-Specifies if the proxy should be bypassed when local hosts are accessed by the device.
-
-A value of "0" specifies that the proxy bypass for local hosts is disabled. A value of "1" specifies that the proxy bypass for local hosts is enabled.
-
-**Enable**
-Specifies if the proxy is enabled.
-
-A value of "0" specifies that the proxy is disabled. A value of "1" specifies that the proxy is enabled.
-
-**Exception**
-Specifies a list of external hosts which should bypass the proxy when accessed.
-
-The exception list is a semi-colon delimited list of host names. For example, to bypass the proxy when either MSN or Yahoo is accessed, the value for the Exception list would be "www.msn.com;www.yahoo.com".
-
-**Password**
-Specifies the password used to connect to the proxy.
-
-Passwords are only required for WAP and SOCKS proxies and are not used for HTTP proxies. Queries of this parameter return a string composed of asterisks (\*).
-
-When setting the password, passing in the same string causes the new password to be ignored and does not change the existing password.
-
-**Port**
-Specifies the port number of the proxy server.
-
-**Server**
-Specifies the name of the proxy server.
-
-**Type**
-Specifies the type of proxy connection for this entry.
-
-The following list enumerates the values allowed for the Type parameter.
-
-- "0" = Null proxy
-
-- "1" = HTTP proxy
-
-- "2" = WAP proxy
-
-- "4" = SOCKS4 proxy
-
-- "5" = SOCKS5 proxy
-
-The Null proxy can be used to allow Connection Manager to treat one network as a super set of another network by creating a null proxy from one network to the other.
-
-**UserName**
-Specifies the username used to connect to the proxy.
-
-## Additional information
-
-
-To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection.
-
-```xml
-
-
-
-
-
-
-
-
-```
-
-## Microsoft Custom Elements
-
-
-The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
-
-
-
-
-
-
-
-
-
Element
-
Available
-
-
-
-
-
parm-query
-
Yes
-
-
-
nocharacteristic
-
Yes
-
-
-
characteristic-query
-
Yes
-
Recursive query: Yes
-
Top level query: Yes
-
-
-
-
-
-
-## Related topics
-
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md
index 1cac56d2f6..b4008efbaf 100644
--- a/windows/client-management/mdm/cmpolicy-csp.md
+++ b/windows/client-management/mdm/cmpolicy-csp.md
@@ -29,7 +29,7 @@ Each policy entry identifies one or more applications in combination with a host
The following shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
-```
+```console
./Vendor/MSFT
CMPolicy
----PolicyName
@@ -42,6 +42,7 @@ CMPolicy
----------------ConnectionID
----------------Type
```
+
***policyName***
Defines the name of the policy.
@@ -83,154 +84,44 @@ For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you hav
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
-
-
-
-
-
-
-
-
Connection type
-
GUID
-
-
-
-
-
GSM
-
{A05DC613-E393-40ad-AA89-CCCE04277CD9}
-
-
-
CDMA
-
{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}
-
-
-
Legacy 3GPP
-
{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}
-
-
-
LTE
-
{2378E547-8312-46A5-905E-5C581E92693B}
-
-
-
Wi-Fi
-
{8568B401-858E-4B7B-B3DF-0FD4927F131B}
-
-
-
Wi-Fi hotspot
-
{072FC7DC-1D93-40D1-9BB0-2114D7D73434}
-
-
-
+|Connection type|GUID|
+|--- |--- |
+|GSM|{A05DC613-E393-40ad-AA89-CCCE04277CD9}|
+|CDMA|{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}|
+|Legacy 3GPP|{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}|
+|LTE|{2378E547-8312-46A5-905E-5C581E92693B}|
+|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}|
+|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
-
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
-
-
-
-
-
-
-
-
Network type
-
GUID
-
-
-
-
-
GPRS
-
{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}
-
-
-
1XRTT
-
{B1E700AE-A62F-49FF-9BBE-B880C995F27D}
-
-
-
EDGE
-
{C347F8EC-7095-423D-B838-7C7A7F38CD03}
-
-
-
WCDMA UMTS
-
{A72F04C6-9BE6-4151-B5EF-15A53E12C482}
-
-
-
WCDMA FOMA
-
{B8326098-F845-42F3-804E-8CC3FF7B50B4}
-
-
-
1XEVDO
-
{DD42DF39-EBDF-407C-8146-1685416401B2}
-
-
-
1XEVDV
-
{61BF1BFD-5218-4CD4-949C-241CA3F326F6}
-
-
-
HSPA HSDPA
-
{047F7282-BABD-4893-AA77-B8B312657F8C}
-
-
-
HSPA HSUPA
-
{1536A1C6-A4AF-423C-8884-6BDDA3656F84}
-
-
-
LTE
-
{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}
-
-
-
EHRPD
-
{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}
-
-
-
Ethernet 10 Mbps
-
{97D3D1B3-854A-4C32-BD1C-C13069078370}
-
-
-
Ethernet 100 Mbps
-
{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}
-
-
-
Ethernet Gbps
-
{556C1E6B-B8D4-448E-836D-9451BA4CCE75}
-
-
-
-
+|Network type|GUID|
+|--- |--- |
+|GPRS|{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}|
+|1XRTT|{B1E700AE-A62F-49FF-9BBE-B880C995F27D}|
+|EDGE|{C347F8EC-7095-423D-B838-7C7A7F38CD03}|
+|WCDMA UMTS|{A72F04C6-9BE6-4151-B5EF-15A53E12C482}|
+|WCDMA FOMA|{B8326098-F845-42F3-804E-8CC3FF7B50B4}|
+|1XEVDO|{DD42DF39-EBDF-407C-8146-1685416401B2}|
+|1XEVDV|{61BF1BFD-5218-4CD4-949C-241CA3F326F6}|
+|HSPA HSDPA|{047F7282-BABD-4893-AA77-B8B312657F8C}|
+|HSPA HSUPA|{1536A1C6-A4AF-423C-8884-6BDDA3656F84}|
+|LTE|{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}|
+|EHRPD|{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}|
+|Ethernet 10 Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}|
+|Ethernet 100 Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}|
+|Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}|
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
-
-
-
-
-
-
-
-
Device type
-
GUID
-
-
-
-
-
Cellular device
-
{F9A53167-4016-4198-9B41-86D9522DC019}
-
-
-
Ethernet
-
{97844272-00C7-4572-B20A-D8D861C095F2}
-
-
-
Bluetooth
-
{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}
-
-
-
Virtual
-
{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}
-
-
-
+|Device type|GUID|
+|--- |--- |
+|Cellular device|{F9A53167-4016-4198-9B41-86D9522DC019}|
+|Ethernet|{97844272-00C7-4572-B20A-D8D861C095F2}|
+|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}|
+|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}|
@@ -479,36 +370,11 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
-
Top-level query: Yes|
## Related topics
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index 3a5cc913a6..38f3483fda 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -29,7 +29,8 @@ Each policy entry identifies one or more applications in combination with a host
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
-```
+
+```console
./Vendor/MSFT
CMPolicy
----PolicyName
@@ -83,156 +84,44 @@ For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you hav
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
-
-
-
-
-
-
-
-
Connection type
-
GUID
-
-
-
-
-
GSM
-
{A05DC613-E393-40ad-AA89-CCCE04277CD9}
-
-
-
CDMA
-
{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}
-
-
-
Legacy 3GPP
-
{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}
-
-
-
LTE
-
{2378E547-8312-46A5-905E-5C581E92693B}
-
-
-
Wi-Fi
-
{8568B401-858E-4B7B-B3DF-0FD4927F131B}
-
-
-
Wi-Fi hotspot
-
{072FC7DC-1D93-40D1-9BB0-2114D7D73434}
-
-
-
+|Connection type|GUID|
+|--- |--- |
+|GSM|{A05DC613-E393-40ad-AA89-CCCE04277CD9}|
+|CDMA|{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}|
+|Legacy 3GPP|{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}|
+|LTE|{2378E547-8312-46A5-905E-5C581E92693B}|
+|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}|
+|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
-
-
-
-
-
-
-
-
Network type
-
GUID
-
-
-
-
-
GPRS
-
{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}
-
-
-
1XRTT
-
{B1E700AE-A62F-49FF-9BBE-B880C995F27D}
-
-
-
EDGE
-
{C347F8EC-7095-423D-B838-7C7A7F38CD03}
-
-
-
WCDMA UMTS
-
{A72F04C6-9BE6-4151-B5EF-15A53E12C482}
-
-
-
WCDMA FOMA
-
{B8326098-F845-42F3-804E-8CC3FF7B50B4}
-
-
-
1XEVDO
-
{DD42DF39-EBDF-407C-8146-1685416401B2}
-
-
-
1XEVDV
-
{61BF1BFD-5218-4CD4-949C-241CA3F326F6}
-
-
-
HSPA HSDPA
-
{047F7282-BABD-4893-AA77-B8B312657F8C}
-
-
-
HSPA HSUPA
-
{1536A1C6-A4AF-423C-8884-6BDDA3656F84}
-
-
-
LTE
-
{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}
-
-
-
EHRPD
-
{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}
-
-
-
Ethernet 10Mbps
-
{97D3D1B3-854A-4C32-BD1C-C13069078370}
-
-
-
Ethernet 100Mbps
-
{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}
-
-
-
Ethernet Gbps
-
{556C1E6B-B8D4-448E-836D-9451BA4CCE75}
-
-
-
-
-
+|Network type|GUID|
+|--- |--- |
+|GPRS|{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}|
+|1XRTT|{B1E700AE-A62F-49FF-9BBE-B880C995F27D}|
+|EDGE|{C347F8EC-7095-423D-B838-7C7A7F38CD03}|
+|WCDMA UMTS|{A72F04C6-9BE6-4151-B5EF-15A53E12C482}|
+|WCDMA FOMA|{B8326098-F845-42F3-804E-8CC3FF7B50B4}|
+|1XEVDO|{DD42DF39-EBDF-407C-8146-1685416401B2}|
+|1XEVDV|{61BF1BFD-5218-4CD4-949C-241CA3F326F6}|
+|HSPA HSDPA|{047F7282-BABD-4893-AA77-B8B312657F8C}|
+|HSPA HSUPA|{1536A1C6-A4AF-423C-8884-6BDDA3656F84}|
+|LTE|{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}|
+|EHRPD|{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}|
+|Ethernet 10Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}|
+|Ethernet 100Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}|
+|Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}|
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
-
-
-
-
-
-
-
-
Device type
-
GUID
-
-
-
-
-
Cellular device
-
{F9A53167-4016-4198-9B41-86D9522DC019}
-
-
-
Ethernet
-
{97844272-00C7-4572-B20A-D8D861C095F2}
-
-
-
Bluetooth
-
{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}
-
-
-
Virtual
-
{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}
-
-
-
-
-
+|Device type|GUID|
+|--- |--- |
+|Cellular device|{F9A53167-4016-4198-9B41-86D9522DC019}|
+|Ethernet|{97844272-00C7-4572-B20A-D8D861C095F2}|
+|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}|
+|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}|
**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
@@ -479,36 +368,11 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
-
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|packageId|String||
+|contentId|String|Identifies a specific application.|
+|Location|[PackageLocation](#packagelocation)||
+|packageFullName|String||
+|packageIdentityName|String||
+|Architectures|Collection of [ProductArchitectures](#productarchitectures)||
+|packageFormat|[ProductPackageFormat](#productpackageformat)||
+|Platforms|Collection of [ProductPlatform](#productplatform)||
+|fileSize|integer-64|Size of the file.|
+|packageRank|integer-32|Optional|
## InventoryDistributionPolicy
-
-
-
-
-
-
-
-
-
Name
-
Description
-
-
-
-
-
open
-
Open distribution policy - licenses/seats can be assigned/consumed without limit
-
-
-
restricted
-
Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count
-
-
-
-
-
+|Name|Description|
+|--- |--- |
+|Open|Open distribution policy - licenses/seats can be assigned/consumed without limit|
+|Restricted|Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count|
## InventoryEntryDetails
-
-
Identifier used on subsequent requests to get additional content including product descriptions, offline license, and download URLs.
-
-
-
seatCapacity
-
integer-64
-
Total number of seats that have been purchased for an application.
-
-
-
availableSeats
-
integer-64
-
Number of available seats remaining for an application.
-
-
-
lastModified
-
dateTime
-
Specifies the last modified date for an application. Modifications for an application includes updated product details, updates to an application, and updates to the quantity of an application.
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.|
+|seatCapacity|integer-64|Total number of seats that have been purchased for an application.|
+|availableSeats|integer-64|Number of available seats remaining for an application.|
+|lastModified|dateTime|Specifies the last modified date for an application. Modifications for an application include updated product details, updates to an application, and updates to the quantity of an application.|
+|licenseType|[LicenseType](#licensetype)|Indicates whether the set of seats for a given application supports online or offline licensing.|
+|distributionPolicy|[InventoryDistributionPolicy](#inventorydistributionpolicy)||
+|Status|[InventoryStatus](#inventorystatus)||
## InventoryResultSet
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|continuationToken|String|Only available if there is a next page.|
+|inventoryEntries|Collection of [InventoryEntryDetails](#inventoryentrydetails)||
-
## InventoryStatus
-
-
-
-
-
-
-
-
-
Name
-
Description
-
-
-
-
-
active
-
Entry is available in the organization’s inventory.
-
-
-
removed
-
Entry has been removed from the organization’s inventory.
-
-
-
-
-
+|Name|Description|
+|--- |--- |
+|Active|Entry is available in the organization’s inventory.|
+|Removed|Entry has been removed from the organization’s inventory.|
## LicenseType
-
-
-
-
-
-
-
-
-
Name
-
Description
-
-
-
-
-
online
-
Online license application.
-
-
-
offline
-
Offline license application.
-
-
-
-
-
+|Name|Description|
+|--- |--- |
+|Online|Online license application.|
+|Offline|Offline license application.|
## LocalizedProductDetail
Specifies the properties of the localized product.
-
-
-
-
-
-
-
-
-
Name
-
Type
-
Description
-
-
-
-
-
language
-
string
-
Language or fallback language if the specified language is not available.
-
-
-
displayName
-
string
-
Display name of the application.
-
-
-
description
-
string
-
App description provided by developer can be up to 10,000 characters.
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|Language|String|Language or fallback language if the specified language is not available.|
+|displayName|String|Display name of the application.|
+|Description|String|App description provided by developer can be up to 10,000 characters.|
+|Images|Collection of [ProductImage](#productimage)|Artwork and icon associated with the application.|
+|Publisher|[PublisherDetails](#publisherdetails)|Publisher of the application.|
## OfflineLicense
-
Identifies a set of seats associated with an application.
-
-
-
licenseBlob
-
string
-
Base-64 encoded offline license that can be installed via a CSP.
-
-
-
licenseInstanceId
-
string
-
Version of the license.
-
-
-
requestorId
-
string
-
Organization requesting the license.
-
-
-
contentId
-
string
-
Identifies the specific license required by an application.
-
-
-
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|productKey|[ProductKey](#productkey)|Identifies a set of seats associated with an application.|
+|licenseBlob|String|Base-64 encoded offline license that can be installed via a CSP.|
+|licenseInstanceId|String|Version of the license.|
+|requestorId|String|Organization requesting the license.|
+|contentId|String|Identifies the specific license required by an application.|
## PackageContentInfo
-
CDN location of the packages. URL expiration is based on the estimated time to download the package.
-
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|Url|URI|CDN location of the packages. URL expiration is based on the estimated time to download the package.|
-
## ProductArchitectures
-
-
-
-
-
-
-
-
Name
-
-
-
-
-
neutral
-
-
-
arm
-
-
-
x86
-
-
-
x64
-
-
-
-
-
+|Name|
+|--- |
+|Neutral|
+|Arm|
+|x86|
+|x64|
## ProductDetails
+|Name|Type|Description|
+|--- |--- |--- |
+|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.|
+|productType|String|Type of product.|
+|supportedLanguages|Collection of string|The set of localized languages for an application.|
+|publisherId|String|Publisher identifier.|
+|Category|String|Application category.|
+|alternateIds|Collection of [AlternateIdentifier](#alternateidentifier)|The identifiers that can be used to instantiate the installation of on online application.|
+|packageFamilyName|String||
+|supportedPlatforms|Collection of [ProductPlatform](#productplatform)||
-
-
-
## ProductImage
-
Specifies the properties of the product image.
-
-
-
-
-
-
-
-
-
Name
-
Type
-
Description
-
-
-
-
-
location
-
URI
-
Location of the download image.
-
-
-
purpose
-
string
-
Tag for the purpose of the image, e.g. "screenshot" or "logo".
-
-
-
height
-
string
-
Height of the image in pixels.
-
-
-
width
-
string
-
Width of the image in pixels.
-
-
-
caption
-
string
-
Unlimited length.
-
-
-
backgroundColor
-
string
-
Format "#RRGGBB"
-
-
-
foregroundColor
-
string
-
Format "#RRGGBB"
-
-
-
fileSize
-
integer-64
-
Size of the file.
-
-
-
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|Location|URI|Location of the download image.|
+|Purpose|String|Tag for the purpose of the image, for example "screenshot" or "logo".|
+|Height|String|Height of the image in pixels.|
+|Width|String|Width of the image in pixels.|
+|Caption|String|Unlimited length.|
+|backgroundColor|String|Format "#RRGGBB"|
+|foregroundColor|String|Format "#RRGGBB"|
+|fileSize|integer-64|Size of the file.|
## ProductKey
-
Specifies the properties of the product key.
-
-
-
-
-
-
-
-
-
Name
-
Type
-
Description
-
-
-
-
-
productId
-
string
-
Product identifier for an application that is used by the Store for Business.
-
-
-
skuId
-
string
-
Product identifier that specifies a specific SKU of an application.
-
-
-
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|productId|String|Product identifier for an application that is used by the Store for Business.|
+|skuId|String|Product identifier that specifies a specific SKU of an application.|
## ProductPackageDetails
-
-
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|frameworkDependencyPackages|Collection of [FrameworkPackageDetails](#frameworkpackagedetails)||
+|packageId|String||
+|contentId|String|Identifies a specific application.|
+|Location|[PackageLocation](#packagelocation)||
+|packageFullName|String|Example, Microsoft.BingTranslator_1.1.10917.2059_x86__8wekyb3d8bbwe|
+|packageIdentityName|String|Example, Microsoft.BingTranslator|
+|Architectures|Collection of [ProductArchitectures](#productarchitectures)|Values {x86, x64, arm, neutral}|
+|packageFormat|[ProductPackageFormat](#productpackageformat)|Extension of the package file.|
+|Platforms|Collection of [ProductPlatform](#productplatform)||
+|fileSize|integer-64|Size of the file.|
+|packageRank|integer-32|Optional|
## ProductPackageFormat
-
-
-
-
+|Name|Type|
+|--- |--- |
+|platformName|String|
+|minVersion|[VersionInfo](#versioninfo)|
+|maxTestedVersion|[VersionInfo](#versioninfo)|
## PublisherDetails
-
Specifies the properties of the publisher details.
-
-
-
-
-
-
-
-
-
Name
-
Type
-
Description
-
-
-
-
-
publisherName
-
string
-
Name of the publisher.
-
-
-
publisherWebsite
-
string
-
Website of the publisher.
-
-
-
-
-
+|Name|Type|Description|
+|--- |--- |--- |
+|publisherName|String|Name of the publisher.|
+|publisherWebsite|String|Website of the publisher.|
## SeatAction
-
+|Name|Type|
+|--- |--- |
+|Major|integer-32|
+|Minor|integer-32|
+|Build|integer-32|
+|Revision|integer-32|
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index d63708145e..9466edec32 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,6 +1,6 @@
---
title: DevDetail CSP
-description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server.
+description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server.
ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360
ms.reviewer:
manager: dansimp
@@ -14,15 +14,16 @@ ms.date: 03/27/2020
# DevDetail CSP
-The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands.
+The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
-For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
+For the DevDetail CSP, you can't use the Replace command unless the node already exists.
-The following shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
-```
+The following information shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol isn't supported for this configuration service provider.
+
+```console
.
DevDetail
----URI
@@ -97,24 +98,24 @@ Required. Returns the maximum depth of the management tree that the device suppo
Supported operation is Get.
-This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
+This value is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
**URI/MaxTotLen**
Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
Supported operation is Get.
-This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
+This value is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
**URI/MaxSegLen**
Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
Supported operation is Get.
-This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
+This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
**Ext/Microsoft/MobileID**
-Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
+Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support.
Supported operation is Get.
@@ -131,7 +132,7 @@ Required. Returns the UI screen resolution of the device (example: "480x800
Supported operation is Get.
**Ext/Microsoft/CommercializationOperator**
-Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
+Required. Returns the name of the mobile operator if it exists. Otherwise, it returns 404.
Supported operation is Get.
@@ -158,7 +159,7 @@ Supported operation is Get.
**Ext/Microsoft/DeviceName**
Required. Contains the user-specified device name.
-Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
+Replace operation isn't supported in Windows client or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name doesn't take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
Value type is string.
@@ -171,23 +172,15 @@ The following are the available naming macros:
| Macro | Description | Example | Generated Name |
| -------| -------| -------| -------|
-| %RAND:<# of digits> | Generates the specified number of random digits. | Test%RAND:6% | Test123456|
-| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| Test-Device-%SERIAL% | Test-Device-456|
+| %RAND:<# of digits> | Generates the specified number of random digits. | `Test%RAND:6%` | Test123456|
+| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| `Test-Device-%SERIAL%` | Test-Device-456|
Value type is string. Supported operations are Get and Replace.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
-On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
-
-**Ext/Microsoft/TotalStorage**
-Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
-
-Supported operation is Get.
-
-> [!NOTE]
-> This is only supported in Windows 10 Mobile.
+On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
**Ext/Microsoft/TotalRAM**
Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
@@ -205,30 +198,30 @@ The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
Supported operation is Get.
> [!NOTE]
-> This is not supported in Windows 10 for desktop editions.
+> This isn't supported in Windows 10 for desktop editions.
**Ext/VoLTEServiceSetting**
-Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
+Returns the VoLTE service to on or off. This setting is only exposed to mobile operator OMA-DM servers.
Supported operation is Get.
**Ext/WlanIPv4Address**
-Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
+Returns the IPv4 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA DM servers.
Supported operation is Get.
**Ext/WlanIPv6Address**
-Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the IPv6 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
**Ext/WlanDnsSuffix**
-Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the DNS suffix of the active Wi-Fi connection. This suffix is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
**Ext/WlanSubnetMask**
-Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the subnet mask for the active Wi-Fi connection. This subnet mask is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
@@ -236,17 +229,10 @@ Supported operation is Get.
Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!NOTE]
-> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
+> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you can't parse the content to get any meaningful hardware information.
Supported operation is Get.
-## Related topics
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index c4a5bf7384..b1d7b62247 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -19,24 +19,24 @@ ms.date: 11/15/2017
>[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
-In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
+With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
In particular, Windows 10 provides APIs to enable MDMs to:
- Ensure machines stay up to date by configuring Automatic Update policies.
-- Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device.
-- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up to date is a particular machine.
+- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
+- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
-This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10.
+This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
-- Configure automatic update policies to ensure devices stay up-to-date.
+- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed).
-- Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested.
-- Approve EULAs on behalf of the end user so update deployment can be automated even for updates with EULAs.
+- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
+- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
-The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
+The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
@@ -48,29 +48,29 @@ The diagram can be roughly divided into three areas:
- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
-- The device gets updates from Microsoft Update using client/server protocol, but only downloads and installs updates that are both applicable to the device and approved by IT (right portion of the diagram).
+- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
## Getting update metadata using the Server-Server sync protocol
-The Microsoft Update Catalog is huge and contains many updates that are not needed by MDM-managed devices, including updates for legacy software (for example, updates to servers, down-level desktop operating systems, and legacy apps), and a large number of drivers. We recommend that the MDM use the Server-Server sync protocol to get update metadata for updates reported from the client.
+The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client.
-This section describes how this is done. The following diagram shows the server-server sync protocol process.
+This section describes this setup. The following diagram shows the server-server sync protocol process.
-
+:::image type="content" alt-text="mdm server-server sync." source="images/deviceupdateprocess2.png" lightbox="images/deviceupdateprocess2.png":::
MSDN provides much information about the Server-Server sync protocol. In particular:
-- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
-- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
+- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
+- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
Some important highlights:
-- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
-- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
-- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
+- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
+- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
+- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> [!NOTE]
-> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
+> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## Examples of update metadata XML structure and element descriptions
@@ -82,16 +82,16 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData
- **CreationDate** – the date on which this update was created.
- **UpdateType** – The type of update, which could include the following:
- **Detectoid** – if this update identity represents a compatibility logic
- - **Category** – This could represent either of the following:
- - A Product category the update belongs to. For example, Windows, MS office etc.
- - The classification the update belongs to. For example, Drivers, security etc.
+ - **Category** – This element could represent either of the following:
+ - A Product category the update belongs to. For example, Windows, MS office, and so on.
+ - The classification the update belongs to. For example, drivers, security, and so on.
- **Software** – If the update is a software update.
- **Driver** – if the update is a driver update.
- **LocalizedProperties** – represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** – The language code identifier (LCID). For example, en or es.
- **Title** – Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- - **Description** – Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.”
-- **KBArticleID** – The KB article number for this update that has details regarding the particular update. For example, .
+ - **Description** – Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.”
+- **KBArticleID** – The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
## Recommended Flow for Using the Server-Server Sync Protocol
@@ -99,46 +99,46 @@ This section describes a possible algorithm for using the server-server sync pro
First some background:
-- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it is common to all tenants.
-- A metadata sync service can then be implemented that periodically calls server-server sync to pull in metadata for the updates IT cares about.
-- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client if those updates are not already known to the device.
+- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
+- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
+- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
The following procedure describes a basic algorithm for a metadata sync service:
-- Initialization, composed of the following:
- 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about four new definition updates per day, each of which is cumulative).
+- Initialization uses the following steps:
+ a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
- Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and:
- - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB.
+ - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- - Remove updates from the "needed update IDs to fault in" list once they have been brought in.
+ - Remove updates from the "needed update IDs to fault in" list once they've been brought in.
-This provides an efficient way to pull in the information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time you can pull information so IT can see what updates they are approving, or for compliance reports to see what updates are needed but not yet installed.
+These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed.
## Managing updates using OMA DM
-An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented the [Mobile device management](mobile-device-enrollment.md) topic. This section focuses on how to extend that integration to support update management. The key aspects of update management include the following:
+An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information:
-- Configure automatic update policies to ensure devices stay up-to-date.
+- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed)
-- Specify a per-device update approval list to ensure devices don’t install unapproved updates that have not been tested.
-- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs
+- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
+- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs
The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group".
2. In the Test group, just let all updates flow.
-3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are available. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues.
+3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
-Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates.
+Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md).
### Update policies
-The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
+The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
-The following shows the Update policies in a tree format.
+The following information shows the Update policies in a tree format.
```console
./Vendor/MSFT
@@ -184,71 +184,71 @@ Policy
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
> [!NOTE]
-> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
-
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
-
The default is 17 (5 PM).
+The default is 17 (5 PM).
**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
-
Supported values are 8-18.
+Supported values are 8-18.
-
The default value is 18 (hours).
+The default value is 18 (hours).
**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
-> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
-
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
-
The default value is 8 (8 AM).
+The default value is 8 (8 AM).
**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
-- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
-- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
+- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart.
+- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart.
- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
-- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
+- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 – Turn off automatic updates.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
-
If the policy is not configured, end-users get the default behavior (Auto install and restart).
+If the policy isn't configured, end users get the default behavior (Auto install and restart).
**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – Not allowed or not configured.
- 1 – Allowed. Accepts updates received through Microsoft Update.
@@ -258,31 +258,31 @@ Policy
> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
-
Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution.
+Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
-- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
+- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer.
-
This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
+Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
-
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft
+Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update.
-
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
+Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 – Update service is not allowed.
+- 0 – Update service isn't allowed.
- 1 (default) – Update service is allowed.
> [!NOTE]
@@ -294,20 +294,20 @@ Policy
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
-
Supported values are 15, 30, 60, 120, and 240 (minutes).
+Supported values are 15, 30, 60, 120, and 240 (minutes).
-
The default value is 15 (minutes).
+The default value is 15 (minutes).
**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
-
The following list shows the supported values:
+The following list shows the supported values:
- 1 (default) – Auto Dismissal.
- 2 – User Dismissal.
@@ -317,9 +317,9 @@ Policy
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
-
The following list shows the supported values:
+The following list shows the supported values:
- 16 (default) – User gets all applicable upgrades from Current Branch (CB).
- 32 – User gets upgrades from Current Branch for Business (CBB).
@@ -328,18 +328,18 @@ Policy
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
+Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
-
Supported values are 0-180.
+Supported values are 0-180.
**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
+Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
-
Supported values are 0-30.
+Supported values are 0-30.
**Update/DeferUpdatePeriod**
> [!NOTE]
@@ -348,140 +348,110 @@ Policy
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
-
Allows IT Admins to specify update delays for up to four weeks.
+Allows IT Admins to specify update delays for up to four weeks.
-
Supported values are 0-4, which refers to the number of weeks to defer updates.
+Supported values are 0-4, which refers to the number of weeks to defer updates.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect.
-
If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
-
-
-
-
-
-
-
-
-
-
Update category
-
Maximum deferral
-
Deferral increment
-
Update type/notes
-
-
-
-
-
OS upgrade
-
8 months
-
1 month
-
Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
-
-
-
Update
-
1 month
-
1 week
-
-Note
-If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
-
+- **Update category**: OS upgrade
+ - **Maximum deferral**: 8 months
+ - **Deferral increment**: 1 month
+ - **Update type/notes**: Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
+- **Update category**: Update
+ - **Maximum deferral**: 1 month
+ - **Deferral increment**: 1 week
+ - **Update type/notes**: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
+
+ - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
+ - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
+ - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
+ - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
+ - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
+ - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
+ - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
+ - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
+
+- **Update category**: Other/cannot defer
+ - **Maximum deferral**: No deferral
+ - **Deferral increment**: No deferral
+ - **Update type/notes**: Any update category not enumerated above falls into this category.
+ - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B
**Update/DeferUpgradePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
->
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-
Allows IT Admins to specify additional upgrade delays for up to eight months.
+Allows IT Admins to enter more upgrade delays for up to eight months.
-
Supported values are 0-8, which refers to the number of months to defer upgrades.
+Supported values are 0-8, which refers to the number of months to defer upgrades.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
+Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is 0 days (not specified).
+The default value is 0 days (not specified).
**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
-
Supported values are 1-3 days.
+Supported values are 1-3 days.
-
The default value is three days.
+The default value is three days.
**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
+Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is seven days.
+The default value is seven days.
**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Allow Windows Update drivers.
- 1 – Exclude Windows Update drivers.
**Update/IgnoreMOAppDownloadLimit**
-
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Do not ignore MO download limit for apps and their updates.
+- 0 (default) – Don't ignore MO download limit for apps and their updates.
- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
-
To validate this policy:
+To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
@@ -493,20 +463,20 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
**Update/IgnoreMOUpdateDownloadLimit**
-
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Do not ignore MO download limit for OS updates.
+- 0 (default) – Don't ignore MO download limit for OS updates.
- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
-
To validate this policy:
+To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
@@ -519,26 +489,26 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
-
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
+Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Deferrals are not paused.
+- 0 (default) – Deferrals aren't paused.
- 1 – Deferrals are paused.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Feature Updates are not paused.
+- 0 (default) – Feature Updates aren't paused.
- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
**Update/PauseQualityUpdates**
@@ -546,11 +516,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Quality Updates are not paused.
+- 0 (default) – Quality Updates aren't paused.
- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
**Update/RequireDeferUpgrade**
@@ -560,9 +530,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
-
Allows the IT admin to set a device to CBB train.
+Allows the IT admin to set a device to CBB train.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – User gets upgrades from Current Branch.
- 1 – User gets upgrades from Current Branch for Business.
@@ -578,38 +548,38 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
-
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
+Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – Not configured. The device installs all applicable updates.
-- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
+- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
-
Supported values are 15, 30, or 60 (minutes).
+Supported values are 15, 30, or 60 (minutes).
-
The default value is 15 (minutes).
+The default value is 15 (minutes).
**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Enables the IT admin to schedule the day of the update installation.
+Enables the IT admin to schedule the day of the update installation.
-
The data type is a string.
+The data type is a string.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Every day
- 1 – Sunday
@@ -625,35 +595,35 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Enables the IT admin to schedule the time of the update installation.
+Enables the IT admin to schedule the time of the update installation.
-
The data type is a string.
+The data type is a string.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
+Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
-
The default value is 3.
+The default value is 3.
**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
-
Supported values are 2, 4, 8, 12, or 24 (hours).
+Supported values are 2, 4, 8, 12, or 24 (hours).
-
The default value is 4 (hours).
+The default value is 4 (hours).
**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
+Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Enabled
- 1 – Disabled
@@ -663,13 +633,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> [!Important]
-> Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise.
+> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise.
-
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
+Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
@@ -677,41 +647,42 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
Example
```xml
-
- $CmdID$
-
-
- chr
- text/plain
-
-
- ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
-
- http://abcd-srv:8530
-
-
+
+ $CmdID$
+
+
+ chr
+ text/plain
+
+
+ ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
+
+ http://abcd-srv:8530
+
+
```
**Update/UpdateServiceUrlAlternate**
-> **Note** This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
-
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
+To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
-
Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
-> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
-> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
+> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
+> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
-The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following shows the Update CSP in tree format.
+The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format.
```console
./Vendor/MSFT
@@ -750,15 +721,17 @@ The root node.
Supported operation is Get.
**ApprovedUpdates**
-Node for update approvals and EULA acceptance on behalf of the end-user.
+Node for update approvals and EULA acceptance for the end user.
-> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
+> [!NOTE]
+> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
-The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
+The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
-The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
+The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
-> **Note** For the Windows 10 build, the client may need to reboot after additional updates are added.
+> [!NOTE]
+> For the Windows 10 build, the client may need to reboot after additional updates are added.
@@ -788,7 +761,7 @@ Specifies the approved updates that failed to install on a device.
Supported operation is Get.
**FailedUpdates/***Failed Update Guid*
-Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.
+Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
Supported operation is Get.
@@ -813,7 +786,7 @@ UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
**InstallableUpdates**
-The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
+The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved.
Supported operation is Get.
@@ -864,7 +837,7 @@ Supported operation is Get.
## Windows 10, version 1607 for update management
-Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). You should use these policies for the new Windows 10, version 1607 devices.
+Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
@@ -878,73 +851,18 @@ Here are the new policies added in Windows 10, version 1607 in [Policy CSP](pol
Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate.
-
-
-
-
-
-
-
-
-
GPO key
-
Type
-
Value
-
-
-
-
-
BranchReadinessLevel
-
REG_DWORD
-
16: systems take Feature Updates on the Current Branch (CB) train
-
32: systems take Feature Updates on the Current Branch for Business
-
Other value or absent: receive all applicable updates (CB)
-
-
-
DeferQualityUpdates
-
REG_DWORD
-
1: defer quality updates
-
Other value or absent: don’t defer quality updates
-
-
-
DeferQualityUpdatesPeriodInDays
-
REG_DWORD
-
0-30: days to defer quality updates
-
-
-
PauseQualityUpdates
-
REG_DWORD
-
1: pause quality updates
-
Other value or absent: don’t pause quality updates
-
-
-
DeferFeatureUpdates
-
REG_DWORD
-
1: defer feature updates
-
Other value or absent: don’t defer feature updates
-
-
-
DeferFeatureUpdatesPeriodInDays
-
REG_DWORD
-
0-180: days to defer feature updates
-
-
-
PauseFeatureUpdates
-
REG_DWORD
-
1: pause feature updates
-
Other value or absent: don’t pause feature updates
-
-
-
ExcludeWUDriversInQualityUpdate
-
REG_DWORD
-
1: exclude WU drivers
-
Other value or absent: offer WU drivers
-
-
-
+|GPO key|Type|Value|
+|--- |--- |--- |
+|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train
32: systems take Feature Updates on the Current Branch for Business
Other value or absent: receive all applicable updates (CB)|
+|DeferQualityUpdates|REG_DWORD|1: defer quality updates
Other value or absent: don’t defer quality updates|
+|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates|
+|PauseQualityUpdates|REG_DWORD|1: pause quality updates
Other value or absent: don’t pause quality updates|
+|DeferFeatureUpdates|REG_DWORD|1: defer feature updates
Other value or absent: don’t defer feature updates|
+|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
+|PauseFeatureUpdates|REG_DWORD|1: pause feature updates
Other value or absent: don’t pause feature updates|
+|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers
Other value or absent: offer WU drivers|
-
-
-Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices.
+Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod
@@ -1011,5 +929,16 @@ Set auto update to notify and defer.
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
-
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md
deleted file mode 100644
index a7852e16cc..0000000000
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-title: DeviceInstanceService CSP
-description: Learn how the DeviceInstanceService configuration service provider (CSP) provides some device inventory information that could be useful for an enterprise.
-ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.date: 06/26/2017
----
-
-# DeviceInstanceService CSP
-
-
-The DeviceInstanceService configuration service provider provides some device inventory information that could be useful for an enterprise. Additionally, this CSP supports querying two different phone numbers in the case of dual SIM. The URIs for SIM 1 and SIM 2 are ./Vendor/MSFT/DeviceInstanceService/Identity/Identity1 and ./Vendor/MSFT/DeviceInstanceService/Identity/Identity2 respectively.
-
-> **Note**
-Stop using DeviceInstanceService CSP and use the updated [DeviceStatus CSP](devicestatus-csp.md) instead.
-
-The DeviceInstance CSP is only supported in Windows 10 Mobile.
-
-
-
-The following shows the DeviceInstanceService configuration service provider in tree format.
-
-```console
-./Vendor/MSFT
-DeviceInstanceService
-------------Roaming
-------------PhoneNumber
-------------IMEI
-------------IMSI
-------------Identity
----------------Identity1
-------------------Roaming
-------------------PhoneNumber
-------------------IMEI
-------------------IMSI
----------------Identity2
-------------------PhoneNumber
-------------------IMEI
-------------------IMSI
-------------------Roaming
-```
-
-**Roaming**
-A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
-
-Supported operation is **Get**.
-
-Returns **True** if the device is roaming; otherwise **False**.
-
-**PhoneNumber**
-A string that represents the phone number of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
-
-Value type is chr.
-
-Supported operation is **Get**.
-
-**IMEI**
-A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
-
-Value type is chr.
-
-Supported operation is **Get**.
-
-**IMSI**
-A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
-
-Value type is chr.
-
-Supported operation is **Get**.
-
-**Identity**
-The parent node to group per SIM-specific information in dual SIM mode.
-
-**Identity1**
-The parent node to group SIM1 specific information in dual SIM mode.
-
-**Identity2**
-The parent node to group SIM2 specific information in dual SIM mode.
-
-## Examples
-
-
-The following sample shows how to query roaming status and phone number on the device.
-
-```xml
-
- 2
-
-
- ./Vendor/MSFT/DeviceInstanceService/Roaming
-
-
-
-
- ./Vendor/MSFT/DeviceInstanceService/PhoneNumber
-
-
-
-```
-
-Response from the phone.
-
-```xml
-
- 3
- 1
- 2
-
- ./Vendor/MSFT/DeviceInstanceService/Roaming
- bool
- false
-
-
- ./Vendor/MSFT/DeviceInstanceService/PhoneNumber
- +14254458055
-
-
-```
-
-## Related topics
-
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index d415155769..ac6286d7d6 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -17,7 +17,8 @@ ms.date: 06/26/2017
The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server.
-> **Note** The DeviceLock CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
+> [!Note]
+> For Windows 10 devices, use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
@@ -30,7 +31,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
-The following shows the DeviceLock configuration service provider in tree format.
+The following information shows the DeviceLock configuration service provider in tree format.
```console
./Vendor/MSFT
@@ -62,18 +63,19 @@ DeviceLock
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
***ProviderID***
-Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
+Optional. The node that contains the configured management server's ProviderID. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
- **Add** - Add the management account to the configuration service provider tree.
- **Delete** - Delete all policies set by this account. This command could be used in enterprise unenrollment for removing policy values set by the enterprise management server.
- **Get** - Return all policies set by the management server.
-> **Note** The value cannot be changed after it is added. The **Replace** command isn't supported.
+> [!NOTE]
+> The value cannot be changed after it's added. The **Replace** command isn't supported.
***ProviderID*/DevicePasswordEnabled**
-Optional. An integer value that specifies whether device lock is enabled. Possible values are one of the following:
+Optional. An integer value that specifies whether device lock is enabled. Possible values include:
- 0 - Device lock is enabled.
- 1 (default) - Device lock not enabled.
@@ -83,7 +85,7 @@ The scope is dynamic.
Supported operations are Get, Add, and Replace.
***ProviderID*/AllowSimpleDevicePassword**
-Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values for this node are one of the following:
+Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values include:
- 0 - Not allowed.
- 1 (default) - Allowed.
@@ -100,7 +102,7 @@ Supported operations are Get, Add, and Replace.
***ProviderID*/AlphanumericDevicePasswordRequired**
Optional. An integer value that specifies the complexity of the password or PIN allowed.
-Valid values are one of the following:
+Possible values include:
- 0 - Alphanumeric password required
- 1 - Users can choose a numeric or alphanumeric password
@@ -117,28 +119,28 @@ Deprecated in Windows 10.
Deprecated in Windows 10.
***ProviderID*/MaxDevicePasswordFailedAttempts**
-Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device will not be wiped regardless of the number of authentication failures.
+Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device won't be wiped, whatever the number of authentication failures.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
***ProviderID*/MaxInactivityTimeDeviceLock**
-Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
+Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it's password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
***ProviderID*/MinDevicePasswordComplexCharacters**
-Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 4 for mobile and 1 to 3 for desktop. The default value is 1.
+Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 3 for Windows client. The default value is 1.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
**DeviceValue**
-Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are actually applied to the device. The scope is permanent.
+Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are applied to the device. The scope is permanent.
Supported operation is Get.
@@ -288,31 +290,21 @@ All node values under the **ProviderID** interior node represent the policy valu
- An **Add** or **Replace** command on those nodes returns success in the following cases:
- - The value is actually applied to the device.
+ - The value is applied to the device.
- The value isn't applied to the device because the device has a more secure value set already.
- From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
+ From a security perspective, the device complies with the policy request that's at least as secure as the one requested.
- A **Get** command on those nodes returns the value the server pushes down to the device.
- If a **Replace** command fails, the node value is set back to the value that was to be replaced.
-- If an **Add** command fails, the node is not created.
+- If an **Add** command fails, the node isn't created.
The value applied to the device can be queried via the nodes under the **DeviceValue** interior node.
-## Related topics
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 9480172d90..592daf59ec 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -15,10 +15,11 @@ ms.date: 11/01/2017
# DMClient CSP
-The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
+The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
-The following shows the DMClient CSP in tree format.
-```
+The following information shows the DMClient CSP in tree format.
+
+```console
./Vendor/MSFT
DMClient
----Provider
@@ -72,7 +73,7 @@ All the nodes in this CSP are supported in the device context, except for the **
Root node for the CSP.
**UpdateManagementServiceAddress**
-For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
+For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node.
**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
@@ -85,28 +86,31 @@ Required. The root node for all settings that belong to a single management serv
Supported operation is Get.
**Provider/***ProviderID*
-Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping.
+Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesn’t require XML/URI escaping.
Supported operations are Get and Add.
**Provider/*ProviderID*/EntDeviceName**
-Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
**Provider/*ProviderID*/EntDMID**
-Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
> [!NOTE]
-> Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
+> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
**Provider/*ProviderID*/ExchangeID**
-Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
+Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
+
+- A device that's managed by Exchange.
+- A device that's natively managed by a dedicated management server.
> [!NOTE]
> In some cases for the desktop, this node will return "not found" until the user sets up their email.
@@ -115,7 +119,7 @@ Optional. Character string that contains the unique Exchange device ID used by t
Supported operation is Get.
-The following is a Get command example.
+The following XML is a Get command example:
```xml
@@ -128,13 +132,8 @@ The following is a Get command example.
```
-**Provider/*ProviderID*/PublisherDeviceID**
-(Only for Windows 10 Mobile.) Optional. The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/<enterprise id>/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises’ applications, each enterprise is identified differently.
-
-Supported operation is Get.
-
**Provider/*ProviderID*/SignedEntDMID**
-Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
+Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Supported operation is Get.
@@ -144,57 +143,61 @@ Optional. The time in OMA DM standard time format. This node is designed to redu
Supported operation is Get.
**Provider/*ProviderID*/ManagementServiceAddress**
-Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server.
+Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server.
> [!NOTE]
> When the **ManagementServerAddressList** value is set, the device ignores the value.
-The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
+The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
-Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices.
+Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there's only a single URL, then the <> aren't required. This feature is supported on Windows client devices.
During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.
Supported operations are Add, Get, and Replace.
**Provider/*ProviderID*/UPN**
-Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
+Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
**Provider/*ProviderID*/HelpPhoneNumber**
-Optional. The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
+Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/HelpWebsite**
-Optional. The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
+Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete
**Provider/*ProviderID*/HelpEmailAddress**
-Optional. The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
+Optional. The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/RequireMessageSigning**
-Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature.
+Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature.
-Default value is false, where the device management client does not include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
+Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
-When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server.
+When enabled, the MDM provider should:
+
+- Validate the signature and the timestamp using the device identify certificate enrolled as part of Mobile Device Enrollment protocol (MS-MDE).
+- Ensure the certificate and time are valid.
+- Verify that the signature is trusted by the MDM provider.
Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/SyncApplicationVersion**
-Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
+Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0.
> [!NOTE]
> This node is only supported in Windows 10 and later.
-Once you set the value to 2.0, it will not go back to 1.0.
+Once you set the value to 2.0, it won't go back to 1.0.
@@ -208,18 +211,18 @@ When you query this node, a Windows 10 client will return 2.0 and a Windows 8.
Supported operation is Get.
**Provider/*ProviderID*/AADResourceID**
-Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
+Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
-When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.
+When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. By default, the MDM client doesn't send an alert that a DM request is pending.
-To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information.
+To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. Send a SyncML message with a specific device alert element in the body until the client can respond back to the server with the requested information.
-Here is an example of DM message sent by the device when it is in pending state:
+Here's an example of DM message sent by the device when it's in pending state:
```xml
@@ -266,12 +269,12 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
**Provider/*ProviderID*/CommercialID**
-Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
+Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization.
Supported operations are Add, Get, Replace, and Delete.
**Provider/*ProviderID*/ManagementServerAddressList**
-Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there is only one, the angle brackets (<>) are not required.
+Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there's only one, the angle brackets (<>) aren't required.
> [!NOTE]
> The < and > should be escaped.
@@ -294,12 +297,12 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value.
-When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.
+When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
Supported operations are Get and Replace. Value type is string.
**Provider/*ProviderID*/ManagementServerToUpgradeTo**
-Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM server to upgrade to for a Mobile Application Management (MAM) enrolled device.
+Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@@ -310,295 +313,125 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer.
**Provider/*ProviderID*/AADSendDeviceToken**
-Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
+Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
**Provider/*ProviderID*/Poll**
-Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
+Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
Supported operations are Get and Add.
-There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration.
+There are three schedules managed under the Poll node. They enable a rich polling schedule experience to provide greater flexibility in managing the way devices poll the management server. There are various ways that polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules to restore the polling schedules back to a valid configuration.
-If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
+If there's no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).**
-
-
-
-
-
-
-
-
-
Schedule name
-
Schedule set by the server
-
Actual value queried on device
-
-
-
-
-
IntervalForFirstSetOfRetries
-
15
-
15
-
-
-
NumberOfFirstRetries
-
5
-
5
-
-
-
IntervalForSecondSetOfRetries
-
60
-
60
-
-
-
NumberOfSecondRetries
-
10
-
10
-
-
-
IntervalForRemainingScheduledRetries
-
1440
-
1440
-
-
-
NumberOfRemainingScheduledRetries
-
0
-
0
-
-
-
+|Schedule name|Schedule set by the server|Actual value queried on device|
+|--- |--- |--- |
+|IntervalForFirstSetOfRetries|15|15|
+|NumberOfFirstRetries|5|5|
+|IntervalForSecondSetOfRetries|60|60|
+|NumberOfSecondRetries|10|10|
+|IntervalForRemainingScheduledRetries|1440|1440|
+|NumberOfRemainingScheduledRetries|0|0|
-
+**Valid poll schedule: initial enrollment only [no infinite schedule]**
-**Valid poll schedule: initial enrollment only \[no infinite schedule\]**
-
-
-
-
-
-
-
-
-
-
Schedule name
-
Schedule set by the server
-
Actual value queried on device
-
-
-
-
-
IntervalForFirstSetOfRetries
-
15
-
15
-
-
-
NumberOfFirstRetries
-
5
-
5
-
-
-
IntervalForSecondSetOfRetries
-
60
-
60
-
-
-
NumberOfSecondRetries
-
10
-
10
-
-
-
IntervalForRemainingScheduledRetries
-
0
-
0
-
-
-
NumberOfRemainingScheduledRetries
-
0
-
0
-
-
-
-
-
+|Schedule name|Schedule set by the server|Actual value queried on device|
+|--- |--- |--- |
+|IntervalForFirstSetOfRetries|15|15|
+|NumberOfFirstRetries|5|5|
+|IntervalForSecondSetOfRetries|60|60|
+|NumberOfSecondRetries|10|10|
+|IntervalForRemainingScheduledRetries|0|0|
+|NumberOfRemainingScheduledRetries|0|0|
**Invalid poll schedule: disable all poll schedules**
> [!NOTE]
> Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero.
+|Schedule name|Schedule set by the server|Actual value queried on device|
+|--- |--- |--- |
+|IntervalForFirstSetOfRetries|0|0|
+|NumberOfFirstRetries|0|0|
+|IntervalForSecondSetOfRetries|0|0|
+|NumberOfSecondRetries|0|0|
+|IntervalForRemainingScheduledRetries|0|0|
+|NumberOfRemainingScheduledRetries|0|0|
-
-
-
-
-
-
-
-
-
-
Schedule name
-
Schedule set by the server
-
Actual value queried on device
-
-
-
-
-
IntervalForFirstSetOfRetries
-
0
-
0
-
-
-
NumberOfFirstRetries
-
0
-
0
-
-
-
IntervalForSecondSetOfRetries
-
0
-
0
-
-
-
NumberOfSecondRetries
-
0
-
0
-
-
-
IntervalForRemainingScheduledRetries
-
0
-
0
-
-
-
NumberOfRemainingScheduledRetries
-
0
-
0
-
-
-
-
-
-
**Invalid poll schedule: two infinite schedules**
-
-
-
-
-
-
-
-
-
-
Schedule name
-
Schedule set by server
-
Actual schedule set on device
-
Actual experience
-
-
-
-
-
IntervalForFirstSetOfRetries
-
15
-
15
-
Device polls
-
-
-
NumberOfFirstRetries
-
5
-
5
-
Device polls
-
-
-
IntervalForSecondSetOfRetries
-
1440
-
1440
-
Device polls the server once in 24 hours
-
-
-
NumberOfSecondRetries
-
0
-
0
-
Device polls the server once in 24 hours
-
-
-
IntervalForRemainingScheduledRetries
-
1440
-
0
-
Third schedule is disabled
-
-
-
NumberOfRemainingScheduledRetries
-
0
-
0
-
Third schedule is disabled
-
-
-
+|Schedule name|Schedule set by server|Actual schedule set on device|Actual experience|
+|--- |--- |--- |--- |
+|IntervalForFirstSetOfRetries|15|15|Device polls|
+|NumberOfFirstRetries|5|5|Device polls|
+|IntervalForSecondSetOfRetries|1440|1440|Device polls the server once in 24 hours|
+|NumberOfSecondRetries|0|0|Device polls the server once in 24 hours|
+|IntervalForRemainingScheduledRetries|1440|0|Third schedule is disabled|
+|NumberOfRemainingScheduledRetries|0|0|Third schedule is disabled|
-
+If the device was previously enrolled in MDM with polling schedule configured using the registry key values directly, the MDM provider that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters using the DMClient CSP
-If the device was previously enrolled in MDM with polling schedule configured via registry key values directly, the MDM server that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters via DMClient CSP
-
-When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all 3 number of retry nodes to 0 because it will cause a configuration failure.
+When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure.
**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
-Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
+Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Supported operations are Get and Replace.
-The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously utilized the Registry CSP.
+The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP.
**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
-Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10.
+Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10.
Supported operations are Get and Replace.
-The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously utilized the Registry CSP.
+The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously used the Registry CSP.
-The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule.
+The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. RemainingScheduledRetries is used for the long run device polling schedule.
**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
-Optional. The waiting time (in minutes) for the second set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.
+Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `//Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled.
Supported operations are Get and Replace.
-The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously utilized the Registry CSP.
+The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP.
**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
-Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
+Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
Supported operations are Get and Replace.
-The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously utilized the Registry CSP.
+The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously used the Registry CSP.
The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
-Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
+Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Supported operations are Get and Replace.
-The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously utilized the Registry CSP.
+The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP.
**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
-Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
+Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
Supported operations are Get and Replace.
-The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously utilized the Registry CSP.
+The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP.
-The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.
+The RemainingScheduledRetries is used for the long run device polling schedule.
**Provider/*ProviderID*/Poll/PollOnLogin**
-Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
+Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
-Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
+Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
@@ -609,7 +442,7 @@ Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, p
Default = Locked
> [!Note]
->If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
+>If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
**Provider/*ProviderID*/ConfigLock/Lock**
@@ -635,12 +468,12 @@ Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions
Supported operations are Add and Delete.
**Provider/*ProviderID*/Push/PFN**
-Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
+Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing.
Supported operations are Add, Get, and Replace.
**Provider/*ProviderID*/Push/ChannelURI**
-Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
+Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Supported operation is Get.
@@ -651,58 +484,17 @@ Supported operation is Get.
The status error mapping is listed below.
-
-
-
-
-
-
-
-
Status
-
Description
-
-
-
-
-
0
-
Success
-
-
-
1
-
Failure: invalid PFN
-
-
-
2
-
Failure: invalid or expired device authentication with MSA
-
-
-
3
-
Failure: WNS client registration failed due to an invalid or revoked PFN
-
-
-
4
-
Failure: no Channel URI assigned
-
-
-
5
-
Failure: Channel URI has expired
-
-
-
6
-
Failure: Channel URI failed to be revoked
-
-
-
7
-
Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.
-
-
-
8
-
Unknown error
-
-
-
-
-
+|Status|Description|
+|--- |--- |
+|0|Success|
+|1|Failure: invalid PFN|
+|2|Failure: invalid or expired device authentication with MSA|
+|3|Failure: WNS client registration failed due to an invalid or revoked PFN|
+|4|Failure: no Channel URI assigned|
+|5|Failure: Channel URI has expired|
+|6|Failure: Channel URI failed to be revoked|
+|7|Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.|
+|8|Unknown error|
**Provider/*ProviderID*/CustomEnrollmentCompletePage**
Optional. Added in Windows 10, version 1703.
@@ -720,12 +512,12 @@ Optional. Added in Windows 10, version 1703. Specifies the body text of the all
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
-Optional. Added in Windows 10, version 1703. Specifies the URL that is shown at the end of the MDM enrollment flow.
+Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
-Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that is shown at the end of the MDM enrollment flow.
+Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@@ -733,39 +525,39 @@ Supported operations are Add, Delete, Get, and Replace. Value type is string.
Optional node. Added in Windows 10, version 1709.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to provision, delimited by the character L"\xF000".
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example,
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
``` syntax
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
```
-This represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
+This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@@ -775,42 +567,42 @@ Required. Added in Windows 10, version 1709. This node determines how long we wi
Supported operations are Get and Replace. Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
-Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
-Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
-Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
-Required. Device Only. Added in Windows 10, version 1803. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available.
+Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
Supported operations are Get and Replace. Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
-Required. Added in Windows 10, version 1803. This node decides whether or not the MDM progress page displays the Collect Logs button.
+Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
Supported operations are Get and Replace. Value type is bool.
**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
-Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error.
+Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
Supported operations are Add, Get, Delete, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
-Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
+Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Supported operations are Get and Replace. Value type is bool.
**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
-Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.
+Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Supported operations are Get and Replace. Value type is bool.
@@ -820,12 +612,12 @@ Required node. Added in Windows 10, version 1709.
Supported operation is Get.
**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
-Required. Added in Windows 10, version 1709. This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
-Required. Added in Windows 10, version 1709. This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
+Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
@@ -840,13 +632,13 @@ Required. Added in Windows 10, version 1709. The node contains the secondary cer
Supported operations are Add, Get, Replace, and Delete. Value type is string.
**Provider/*ProviderID*/Unenroll**
-Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent.
+Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent.
Supported operations are Get and Exec.
-Note that <LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility.
+<LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility.
-The following SyncML shows how to remotely unenroll the device. Note that this command should be inserted in the general DM packages sent from the server to the device.
+The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device.
```xml
@@ -864,17 +656,7 @@ The following SyncML shows how to remotely unenroll the device. Note that this c
```
-## Related topics
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
index 8290fa7eea..1dbe4932a9 100644
--- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
+++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
@@ -25,26 +25,27 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
> [!Important]
-> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
+> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
- Adding dynamic credentials for OMA Client Provisioning.
-- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they are sold.
+- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they're sold.
-Microsoft recommends that this function is not used to configure the following types of settings.
+Microsoft recommends that this function isn't used to configure the following types of settings:
-- Security settings that are configured by using CertificateStore, SecurityPolicy, and RemoteWipe, unless they are related to OMA DM or OMA Client Provisioning security policies.
+- Security settings that are configured using CertificateStore, SecurityPolicy, and RemoteWipe, unless they're related to OMA DM or OMA Client Provisioning security policies
- Non-cellular data connection settings (such as Hotspot settings).
-- File system files and registry settings, unless they are used for OMA DM account management, mobile operator data connection settings, or manufacturing tests.
+- File system files and registry settings, unless they're used for OMA DM account management, mobile operator data connection settings, or manufacturing tests
-- Email settings.
+- Email settings
-> **Note** The **DMProcessConfigXMLFiltered** function has full functionality in Windows 10 Mobile and Windows Phone 8.1, but it has a read-only functionality in Windows 10 desktop.
+> [!Note]
+> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
@@ -63,13 +64,13 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
*pszXmlIn*
-
[in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).
+
[in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).
*rgszAllowedCspNode*
-
[in] Array of WCHAR\* that specify which configuration service provider nodes are allowed to be invoked.
+
[in] Array of WCHAR\* that specify which configuration service provider nodes can be invoked.
@@ -85,54 +86,25 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
-If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document does not contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
+If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
## Return value
-Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows the additional error codes that may be returned.
+Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows more error codes that can be returned:
-
-
-
-
-
-
-
-
Return code
-
Description
-
-
-
-
-
CONFIG_E_OBJECTBUSY
-
Another instance of the configuration management service is currently running.
-
-
-
CONFIG_E_ENTRYNOTFOUND
-
No metabase entry was found.
-
-
-
CONFIG_E_CSPEXCEPTION
-
An exception occurred in one of the configuration service providers.
-
-
-
CONFIG_E_TRANSACTIONINGFAILURE
-
A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.
-
-
-
CONFIG_E_BAD_XML
-
The XML input is invalid or malformed.
-
-
-
-
-
+|Return code|Description|
+|--- |--- |
+|**CONFIG_E_OBJECTBUSY**|Another instance of the configuration management service is currently running.|
+|**CONFIG_E_ENTRYNOTFOUND**|No metabase entry was found.|
+|**CONFIG_E_CSPEXCEPTION**|An exception occurred in one of the configuration service providers.|
+|**CONFIG_E_TRANSACTIONINGFAILURE**|A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.|
+|**CONFIG_E_BAD_XML**|The XML input is invalid or malformed.|
## Remarks
-The processing of the XML is transactional; either the entire document gets processed successfully or none of the settings are processed. Therefore, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
+The processing of the XML is transactional. Either the entire document gets processed successfully, or none of the settings are processed. So, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
-The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input .provxml contains the following two settings:
+The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input `.provxml` contains the following two settings:
``` XML
@@ -163,9 +135,9 @@ LPCWSTR rgszAllowedCspNodes[] =
};
```
-This array of configuration service provider names indicates which .provxml contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* does not contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
+This array of configuration service provider names indicates which `.provxml` contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* doesn't contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
-The following code sample shows how this array would be passed in. Note that *szProvxmlContent* does not show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
+The following code sample shows how this array would be passed in. The *szProvxmlContent* doesn't show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
``` C++
WCHAR szProvxmlContent[] = L"...";
@@ -189,38 +161,14 @@ if ( bstr != NULL )
## Requirements
-
-
-
-
-
-
-
-
Minimum supported client
-
None supported
-
-
-
Minimum supported server
-
None supported
-
-
-
Minimum supported phone
-
Windows Phone 8.1
-
-
-
Header
-
Dmprocessxmlfiltered.h
-
-
-
Library
-
Dmprocessxmlfiltered.lib
-
-
-
DLL
-
Dmprocessxmlfiltered.dll
-
-
-
+|Requirement|Support|
+|--- |--- |
+|Minimum supported client|None supported|
+|Minimum supported server|None supported|
+|Minimum supported phone|Windows Phone 8.1|
+|Header|Dmprocessxmlfiltered.h|
+|Library|Dmprocessxmlfiltered.lib|
+|DLL|Dmprocessxmlfiltered.dll|
## See also
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index f3e4080512..de7b12c65f 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -17,13 +17,14 @@ ms.date: 06/26/2017
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
-On the desktop, only per user configuration is supported.
+> [!Note]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
-
+On Windows client, only per user configuration is supported.
-The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
-```
+The following information shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
+
+```console
./Vendor/MSFT
EMAIL2
----Account GUID
@@ -60,9 +61,10 @@ EMAIL2
------------8128000B
------------812C000B
```
-In Windows 10 Mobile, after the user’s out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operator’s proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
-Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords.
+After provisioning, the **Start** screen has a tile for the proprietary mail provider and there's also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
+
+Configuration data isn't encrypted when sent over the air (OTA). This is a potential security risk when sending sensitive configuration data, such as passwords.
> [!IMPORTANT]
> All Add and Replace commands need to be wrapped in an Atomic section.
@@ -73,7 +75,7 @@ The configuration service provider root node.
Supported operation is Get.
***GUID***
-Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one does not create the new account and Add command will fail in this case.
+Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case.
Supported operations are Get, Add, and Delete.
@@ -86,14 +88,14 @@ The braces {} around the GUID are required in the EMAIL2 configuration service p
**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
+The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added.
**ACCOUNTTYPE**
Required. Specifies the type of account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
Valid values are:
@@ -104,60 +106,61 @@ Valid values are:
**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**AUTHREQUIRED**
Optional. Character string that specifies whether the outgoing server requires authentication.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-Valid values are one of the following:
+Value options:
-- 0 - Server authentication is not required.
+- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
-> **Note** If this value is not specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
+> [!NOTE]
+> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**DOMAIN**
Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**DWNDAY**
Optional. Character string that specifies how many days' worth of email should be downloaded from the server.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-Valid values are one of the following:
+Value options:
- -1: Specifies that all email currently on the server should be downloaded.
-- 7: Specifies that 7 days’ worth of email should be downloaded.
+- 7: Specifies that seven days’ worth of email should be downloaded.
- 14: Specifies that 14 days’ worth of email should be downloaded.
- 30: Specifies that 30 days’ worth of email should be downloaded.
**INSERVER**
-Required. Character string that specifies the name of the incoming server name and port number. This is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
+Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
-Supported operations are Get, Add and Replace.
+Supported operations are Get, Add, and Replace.
**LINGER**
Optional. Character string that specifies the length of time between email send/receive updates in minutes.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-Valid values are:
+Value options:
- 0 - Email updates must be performed manually.
@@ -174,16 +177,16 @@ Optional. Specifies the maximum size for a message attachment. Attachments beyon
The limit is specified in KB
-Valid values are 0, 25, 50, 125, and 250.
+Value options are 0, 25, 50, 125, and 250.
A value of 0 meaning that no limit will be enforced.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**NAME**
Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
@@ -195,14 +198,15 @@ Supported operations are Get, Add, Delete, and Replace.
**REPLYADDR**
Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters.
-Supported operations are Get, Add, Delete and Replace.
+Supported operations are Get, Add, Delete, and Replace.
**SERVICENAME**
Required. Character string that specifies the name of the email service to create or edit (32 characters maximum).
Supported operations are Get, Add, Replace, and Delete.
-> **Note** The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
+> [!NOTE]
+> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
@@ -211,19 +215,19 @@ Required. Character string that specifies the type of email service to create or
Supported operations are Get, Add, Replace, and Delete.
-> **Note** The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
+> **Note** The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
-Valid values are 512, 1024, 2048, 5120, 20480, and 51200.
+Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
**SERVERDELETEACTION**
-Optional. Character string that specifies how message is deleted on server. Valid values:
+Optional. Character string that specifies how message is deleted on server. Value options:
- 1 - delete message on the server
- 2 - keep the message on the server (delete to the Trash folder).
@@ -238,7 +242,7 @@ Optional. If this flag is set, the account only uses the cellular network and no
Value type is string. Supported operations are Get, Add, Replace, and Delete.
**SYNCINGCONTENTTYPES**
-Required. Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar).
+Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
- No data (0x0)
- Contacts (0x1)
@@ -257,12 +261,12 @@ Required. Specifies a bitmask for which content types are supported for syncing
Supported operations are Get, Add, Replace, and Delete.
**CONTACTSSERVER**
-Optional. Server for contact sync if it is different from the email server.
+Optional. Server for contact sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
**CALENDARSERVER**
-Optional. Server for calendar sync if it is different from the email server.
+Optional. Server for calendar sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
@@ -289,38 +293,38 @@ Supported operations are Get, Add, Replace, and Delete.
**SMTPALTAUTHNAME**
Optional. Character string that specifies the display name associated with the user's alternative SMTP email account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**SMTPALTDOMAIN**
Optional. Character string that specifies the domain name for the user's alternative SMTP account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**SMTPALTENABLED**
Optional. Character string that specifies if the user's alternate SMTP account is enabled.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-A value of "FALSE" specifies that the user's alternate SMTP email account is disabled. A value of "TRUE" specifies that the user's alternate SMTP email account is enabled.
+A value of "FALSE" means the user's alternate SMTP email account is disabled. A value of "TRUE" means that the user's alternate SMTP email account is enabled.
**SMTPALTPASSWORD**
Optional. Character string that specifies the password for the user's alternate SMTP account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**TAGPROPS**
Optional. Defines a group of properties with non-standard element names.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**TAGPROPS/8128000B**
Optional. Character string that specifies if the incoming email server requires SSL.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-Value is one of the following:
+Value options:
-- 0 - SSL is not required.
+- 0 - SSL isn't required.
- 1 - SSL is required.
**TAGPROPS/812C000B**
@@ -328,49 +332,39 @@ Optional. Character string that specifies if the outgoing email server requires
Supported operations are Get and Replace.
-Value is one of the following:
+Value options:
-- 0 - SSL is not required.
+- 0 - SSL isn't required.
- 1 - SSL is required.
## Remarks
-When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
+When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
-For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the \\ block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
+For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \\ block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
-- If some but not all of the outgoing server credentials parameters are present then the EMAIL2 Configuration Service Provider will be considered in error.
+- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
-- Account details cannot be queried unless the account GUID is known. Currently, there is no way to perform a top-level query for account GUIDs.
+- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
-Windows 10 Mobile supports Transport Layer Security (TLS), but this cannot be explicitly enabled through this configuration service provider, and the user cannot enable TLS through the UI. If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
+If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
1. The device attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the device attempts to connect using deferred SSL.
-3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device does not attempt another connection.
+3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection.
-4. If the user did not select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
+4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
-6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, the device enables TLS. TLS is not enabled on connections using SSL or non-SSL.
+6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
-## Related topics
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
deleted file mode 100644
index bab52cb7fd..0000000000
--- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+++ /dev/null
@@ -1,534 +0,0 @@
----
-title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
-description: Overview of how to enable offline updates using Microsoft Endpoint Configuration Manager.
-ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.date: 06/26/2017
----
-
-# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
-
-
-Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. There are also situations where network restrictions or other enterprise policies require that devices download updates from an internal location. This article describes how to enable offline updates using Microsoft Endpoint Configuration Manager.
-
-The following table describes the update path to Windows 10 Mobile.
-
-
-
-
-
-
-
-
-
Starting SKU
-
Upgrade to Windows 10 Mobile
-
-
-
-
-
Windows Mobile 6.5
-
No
-
-
-
Windows Phone 8
-
No
-
-
-
Windows Phone 8.1
-
Yes
-
-
-
-
-
-To configure the mobile device management (MDM) service provider and enable mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps:
-
-1. Prepare a test device that can connect to the Internet to download the released update packages.
-2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package.
-3. Check the status code in the XML file.
-4. Check for registry dependencies.
-5. Using a script that we provide, parse the XML file to extract download URLs for the update packages.
-6. Download the update packages using the download URLs.
-7. Place the downloaded packages on an internal share that is accessible to devices you are updating.
-8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device.
-9. Start the update process from the devices.
-
-As a part of the update process, Windows runs data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings are automatically migrated to Windows 10 as part of the update process. If the handheld device was configured for assigned access lockdown, then this configuration is also migrated to Windows 10 as part of the update process. This includes ProductId and AumId conversion for all internal apps (including buttonremapping apps).
-
-Be aware that the migrators do not take care of the following:
-
-- Third-party apps provided by OEMs.
-- Deprecated first-party apps, such as Bing News.
-- Deprecated system or application settings, such as Microsoft.Game and Microsoft.IE.
-
-In the event of an Enterprise Reset, these migrated settings are automatically persisted.
-
-After the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset:
-
-1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder.
-2. Push down a new ppkg with your new configuration with higher priority. (Be aware that in ICD, Owner=Microsoft, Rank=0 is the lowest priority, and vice versa. With this step, the old assigned access lockdown configuration is overwritten.)
-
-**Requirements:**
-
-- The test device must be same as the other production devices that are receiving the updates.
-- The test device must be enrolled with Microsoft Endpoint Configuration Manager.
-- The test device must be connected to the Internet.
-- The test device must have an SD card with at least 0.5 GB of free space.
-- Ensure that the settings app and PhoneUpdate applet are available through Assigned Access.
-
-The following diagram shows a high-level overview of the process.
-
-
-
-## Step 1: Prepare a test device to download updates from Microsoft Update
-
-
-Define the baseline update set that you want to apply to other devices. Use a device that is running the most recent image as the test device.
-
-Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager.
-
-**Check for updates manually**
-
-1. On the device, go to **Settings** > **Phone updates** > **Check for updates**.
-2. Sync the device, go to **Settings** > **Workplace** > **Enrolled**, and then select the refresh icon. Repeat as needed.
-3. Follow the prompts to download the updates, but do not select the **Install** button.
-
-> [!NOTE]
-> There is a bug in all OS versions up to GDR2 where the Cloud Solution Provider (CSP) does not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
-
-
-**Check for updates by using Microsoft Endpoint Configuration Manager**
-
-1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
-
- 
-
-2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
-
- 
-
-3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
-
- 
-
-4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
-5. Follow the prompts for downloading the updates, but do not install the updates on the device.
-
-
-## Step 2: Retrieve the device update report XML from the device
-
-After updates are downloaded (but not installed on the device), the process generates an XML file that contains information about the packages it downloaded. You must retrieve this XML file.
-
-There are two ways to retrieve this file from the device; one pre-GDR1 and one post-GDR1.
-
-**Pre-GDR1: Parse a compliance log from the device in ConfigMgr**
-
-1. Use ConfigMgr to create a configuration item to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
-
- > [!NOTE]
- > In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml, but the process still completes even if the file is large.
-
- If the XML file is greater than 32 KB, you can also use ./Vendor/MSFT/FileSystem/<*filename*>.
-2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
-
- The dummy value is not set; it is only used for comparison.
-3. After the report XML is sent to the device, Microsoft Endpoint Manager displays a compliance log that contains the report information. The log can contain significant amount of data.
-4. Parse this log for the report XML content.
-
-For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-manager-logs).
-
-
-**Post-GDR1: Retrieve the report xml file using an SD card**
-
-1. Use ConfigMgr to create a configuration item to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard.
-2. The value that you define for this configuration item is defined by the relative path to the SD card, which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml).
-3. Remove the SD card from device and copy the XML file to your PC.
-
-## Step 3: Check the status code in the XML file
-Make sure that the status code is set to 0000-0000 (success).
-
-## Step 4: Check for registry dependencies
-Remove any registry dependencies in the XML file.
-
-## Step 5: Extract download URLs from the report XML
-
-Use the [example PowerShell script](#example-powershell-script) to extract the download URLs from the XML file or parse it manually.
-
-## Step 6: Retrieve update packages using download URLs
-
-Use a script or manually download each update package to a PC or an internal share.
-
-## Step 7: Place the update packages on an accessible share
-
-Put all the update packages into an internal share that is accessible to all the devices that need these updates. Ensure that the internal share can support multiple devices trying to access the updates at the same time.
-
-## Step 8: Create two XML files for production devices to select updates and download locations
-
-Here are the two files.
-
-
-
-
-
-
-
-
-
Term
-
Description
-
-
-
-
-
DUControlledUpdates.xml
-
This is the same file as the report XML retrieved in Step 2 with a different name. This file tells the device the specific update packages to download. See Appendix for example
-
-
-
-
DUCustomContentUris.xml
-
This file maps the update packages in DUControlledUpdates.xml to the internal share location.
-
-
-
-
-
-
-For a walkthrough of these steps, see [Deploy controlled updates](#deploy-controlled-updates). Ensure that the Trigger Scan configuration baseline has NOT been deployed.
-
-
-
-### Deploy controlled updates
-
-The deployment process has three parts:
-
-- Create a configuration item for DUControlledUpdates.xml.
-- Create a configuration item for DUCustomContentURIs.xml.
-- Create a configuration item for approved updates.
-
-
-
-**Create a configuration item for DUControlledUpdates.xml**
-
-1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
-
- 
-
-2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
-
- 
-
-3. Select **Remediate noncompliant settings**, and then select **OK**.
-
-
-
-**Create a configuration item for DUCustomContentURIs.xml**
-
-1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
-2. Select **Remediate noncompliant settings**.
-
- 
-
-3. Select **OK**.
-
-
-
-**Create a configuration baseline for approved updates**
-
-1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
-2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
-
- 
-
-3. Deploy the configuration baseline to the appropriate device or device collection.
-
- 
-
-4. Select **OK**.
-
-## Step 7: Trigger the other devices to scan, download, and install updates
-
-Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates.
-
-### Update unmanaged devices
-
-If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways:
-
-- A periodic scan that the device automatically performs.
-- Manually through **Settings** > **Phone Update** > **Check for Updates**.
-
-### Update managed devices
-
-If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways:
-
-- Trigger the device to scan for updates through Microsoft Endpoint Configuration Manager.
-
- Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline.
-
- > [!NOTE]
- > Ensure that the PhoneUpdateRestriction Policy is set to a value of 0 so that the device doesn't perform an automatic scan.
-
-
-- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager.
-
-After the updates are installed, the IT Admin can use the DUReport generated in the production devices to determine whether the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
-
-
-## Example PowerShell script
-
-```powershell
-param (
-# [Parameter (Mandatory=$true, HelpMessage="Input File")]
- [String]$inputFile,
-
-# [Parameter (Mandatory=$true, HelpMessage="Download Cache Location")]
- [String]$downloadCache,
-
-# [Parameter (Mandatory=$true, HelpMessage="Local Cache URL")]
- [String]$localCacheURL
- )
-
-#DownloadFiles Function
-function DownloadFiles($inputFile, $downloadCache, $localCacheURL)
-{
- $customContentURIFileCreationError = "Not able to create Custom Content URI File"
-#Read the Input File
- $report = [xml](Get-Content $inputFile)
-
-# this is where the document will be saved
- $customContentURLFile = "$downloadCache\DUCustomContentUris.xml"
- New-Item -Path $customContentURLFile -ItemType File -force -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null
- if ($NewItemError -ne "")
- {
- PrintMessageAndExit $customContentURIFileCreationError
- }
-
-# get an XMLTextWriter to create the XML
- $XmlWriter = New-Object System.XMl.XmlTextWriter($customContentURLFile,$Null)
-
-# choose a pretty formatting:
- $xmlWriter.Formatting = 'Indented'
- $xmlWriter.Indentation = 1
- $XmlWriter.IndentChar = "`t"
-
-# write the header
- $xmlWriter.WriteStartDocument()
- $xmlWriter.WriteStartElement('CustomContentUrls')
- foreach ($update in $report.UpdateData.coreUpdateMetadata.updateSet.update)
- {
- if (!$update.destinationFilePath -or !$update.contentUrl)
- {
- continue;
- }
-
- $destFilePath = $update.destinationFilePath.Trim();
- $contentUrl = $update.contentUrl.Trim();
-
- Write-Host "Pre-Processing Line: $destFilePath#$contentUrl"
- if (($destFilePath -ne "") -and ($destFilePath.Contains("\")) -and ($contentUrl -ne "") -and ($contentUrl.Contains("/")) )
- {
- $isBundle = $update.isBundle
- $revisionId = $update.revisionId
- $updateId = $update.updateId
- $revisionNum = $update.revisionNum
-
- $fileName = $destFilePath.Substring($destFilePath.LastIndexOf("\") + 1);
-#Write-Host "Processing Line: $destFilePath#$contentUrl"
- if ($fileName -ne "")
- {
- $destination = $downloadCache + "\" + $fileName;
- Try
- {
- $wc = New-Object System.Net.WebClient
- $wc.DownloadFile($contentUrl, $destination)
- Write-Host "Successfull Download: $contentUrl#$destination";
-
- $XmlWriter.WriteStartElement('contentUrl')
- $XmlWriter.WriteAttributeString('isBundle', $isBundle)
- $XmlWriter.WriteAttributeString('revisionId', $revisionId)
- $XmlWriter.WriteAttributeString('updateId', $updateId)
- $XmlWriter.WriteAttributeString('revisionNum', $revisionNum)
- $XmlWriter.WriteRaw($localCacheURL + $fileName)
- $xmlWriter.WriteEndElement()
- }
- Catch [ArgumentNullException]
- {
- Write-Host "Content URL is null";
- }
- Catch [WebException]
- {
- Write-Host "Invalid Content URL: $contentUrl";
- }
- Catch
- {
- Write-Host "Exception in Download: $contentUrl";
- }
- }
- else
- {
- Write-Host "Ignored Input Line: $contentUrl"
- }
- }
- else
- {
- Write-Host "Ignored Input Line: $contentUrl"
- }
- }
-
-# close the "CustomContentUrls" node
- $xmlWriter.WriteEndElement()
-
-# finalize the document
- $xmlWriter.WriteEndDocument()
- $xmlWriter.Flush()
- $xmlWriter.Close()
-
- Write-Host "Successfully Created Custom Content URL File: $customContentURLFile"
-}
-
-#PrintMessage Function
-function PrintMessageAndExit($ErrorMessage)
-{
- Write-Host $ErrorMessage
- exit 1
-}
-
-#PrintMessage Function
-function PrintUsageAndExit()
-{
- Write-Host "Usage: Download.ps1 -inputFile -downloadCache -localCacheURL "
- exit 1
-}
-
-if (($inputFile -eq "") -or ($downloadCache -eq "") -or ($localCacheURL -eq ""))
-{
- PrintUsageAndExit
-}
-if (!$localCacheURL.EndsWith("/"))
-{
- $localCacheURL = $localCacheURL + "/";
-}
-$inputFileErrorString = "Input File does not exist";
-$downloadCacheErrorString = "Download Cache does not exist";
-$downloadCacheAddError = "Access Denied in creating the Download Cache Folder";
-$downloadCacheRemoveError = "Not able to delete files from Download Cache"
-$downloadCacheClearWarningString = "Download Cache not empty. Do you want to Clear";
-
-#Check if Input File Exist
-$inputFileExists = Test-Path $inputFile;
-if(!$inputFileExists)
-{
- PrintMessageAndExit($inputFileErrorString)
-}
-
-#Check if Download Cache Exist
-$downloadCacheExists = Test-Path $downloadCache;
-if(!$downloadCacheExists)
-{
- PrintMessageAndExit($downloadCacheErrorString)
-}
-
-$downloadCacheFileCount = (Get-ChildItem $downloadCache).Length;
-if ($downloadCacheFileCount -ne 0)
-{
-#Clear the directory
- Remove-Item $downloadCache -Recurse -Force -Confirm -ErrorVariable RemoveItemError -ErrorAction SilentlyContinue > $null
- if ($RemoveItemError -ne "")
- {
- PrintMessageAndExit $downloadCacheRemoveError
- }
-
- $childItem = Get-ChildItem $downloadCache -ErrorAction SilentlyContinue > $null
- $downloadCacheFileCount = ($childItem).Length;
- if ($downloadCacheFileCount -ne 0)
- {
- PrintMessageAndExit $downloadCacheRemoveError
- }
-
-#Create a new directory
- New-Item -Path $downloadCache -ItemType Directory -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null
- if ($NewItemError -ne "")
- {
- PrintMessageAndExit $downloadCacheAddError
- }
-}
-
-DownloadFiles $inputFile $downloadCache $localCacheURL
-```
-
-
-## Retrieve a device update report using Microsoft Endpoint Manager logs
-
-**For pre-GDR1 devices**
-Use this procedure for pre-GDR1 devices:
-
-1. Trigger a device scan by going to **Settings** > **Phone Update** > **Check for Updates**.
-
- Since the DUReport settings have not been remedied, you should see a non-compliance.
-2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
-3. Select **Create Configuration Item**.
-
- 
-4. Enter a filename (such as GetDUReport), and then select **Mobile Device**.
-5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
-
- 
-6. On the **Additional Settings** page, select **Add**.
-
- 
-7. On the **Browse Settings** page, select **Create Setting**.
-
- 
-8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
-9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
-
- 
-10. On the **Browse Settings** page, select **Close**.
-11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
-
- 
-12. Close the **Create Configuration Item Wizard** page.
-13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
-14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
-15. Enter a dummy value (such as zzz) that is different from the one on the device.
-
- 
-16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
-17. Select **OK** to close the **Edit Rule** page.
-18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
-19. Select **Create Configuration Item**.
-
- 
-20. Enter a baseline name (such as RetrieveDUReport).
-21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
-
- 
-22. Select **OK**, and then select **OK** again to complete the configuration baseline.
-23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
-
- 
-24. Select **Remediate noncompliant rules when supported**.
-25. Select the appropriate device collection and define the schedule.
-
- 
-26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
-27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
-28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
-
- 
-29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
-
- 
-30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
-31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index 0f51e05177..9397684167 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -1,6 +1,6 @@
---
title: Enterprise app management
-description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
+description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 10/04/2021
# Enterprise app management
-This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. It is the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
+This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
## Application management goals
@@ -26,20 +26,20 @@ Windows 10 offers the ability for management servers to:
- Inventory all apps for a user (Store and non-Store apps)
- Inventory all apps for a device (Store and non-Store apps)
- Uninstall all apps for a user (Store and non-Store apps)
-- Provision apps so they are installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
+- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Remove the provisioned app on the device running Windows 10 for desktop editions
## Inventory your apps
-Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications:
+Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
-- nonStore - Apps that were not acquired from the Microsoft Store.
-- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
+- nonStore - Apps that weren't acquired from the Microsoft Store.
+- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
-The following shows the EnterpriseModernAppManagement CSP in a tree format.
+The following information shows the EnterpriseModernAppManagement CSP in a tree format:
```console
./Device/Vendor/MSFT
@@ -145,13 +145,10 @@ EnterpriseAppManagement
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
-Inventory can be performed recursively at any level from the AppManagement node through the package full name. Inventory can also be performed only for a specific inventory attribute.
+Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute.
Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name.
-> [!NOTE]
-> On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name.
-
Here are the nodes for each package full name:
- Name
@@ -172,11 +169,11 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](
### App inventory
-You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
+You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
-Note that performing a full inventory of a device can be resource intensive on the client based on the hardware and number of apps that are installed. The data returned can also be very large. You may want to chunk these requests to reduce the impact to clients and network traffic.
+Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic.
-Here is an example of a query for all apps on the device.
+Here's an example of a query for all apps on the device.
```xml
@@ -190,7 +187,7 @@ Here is an example of a query for all apps on the device.
```
-Here is an example of a query for a specific app for a user.
+Here's an example of a query for a specific app for a user.
```xml
@@ -206,7 +203,7 @@ Here is an example of a query for a specific app for a user.
### Store license inventory
-You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
+You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
Here are the nodes for each license ID:
@@ -219,7 +216,7 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](
> [!NOTE]
> The LicenseID in the CSP is the content ID for the license.
-Here is an example of a query for all app licenses on a device.
+Here's an example of a query for all app licenses on a device.
```xml
@@ -233,7 +230,7 @@ Here is an example of a query for all app licenses on a device.
```
-Here is an example of a query for all app licenses for a user.
+Here's an example of a query for all app licenses for a user.
```xml
@@ -249,13 +246,13 @@ Here is an example of a query for all app licenses for a user.
## Enable the device to install non-Store apps
-There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
+There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
### Unlock the device for non-Store apps
-To deploy app that are not from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
+To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
-The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
+The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
@@ -291,13 +288,13 @@ Here are some examples.
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
-AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
+AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
-Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device.
+Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
-Here is an example.
+Here's an example.
```xml
@@ -327,20 +324,20 @@ Here is an example.
## Install your apps
-You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
+You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
-To deploy an app to a user directly from the Microsoft Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
+To deploy an app to a user directly from the Microsoft Store, the management server runs an Add and Exec command on the AppInstallation node of the EnterpriseModernAppManagement CSP. This feature is only supported in the user context, and not supported in the device context.
-If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Microsoft Store.
+If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store.
Here are the requirements for this scenario:
-- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server.
+- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
- The device requires connectivity to the Microsoft Store.
-- Microsoft Store services must be enabled on the device. Note that the UI for the Microsoft Store can be disabled by the enterprise admin.
-- The user must be signed in with their AAD identity.
+- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
+- The user must be signed in with their Azure AD identity.
Here are some examples.
@@ -364,9 +361,9 @@ Here are the changes from the previous release:
1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
2. The value for flags can be "0" or "1"
- When using "0" the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1" the management tool does not call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
+ When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
-3. The skuid is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
+3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user
@@ -376,10 +373,10 @@ The app license only needs to be deployed as part of the initial installation of
In the SyncML, you need to specify the following information in the Exec command:
-- License ID - This is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
-- License Content - This is specified in the data section. The License Content is the Base64 encoded blob of the license.
+- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
+- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license.
-Here is an example of an offline license installation.
+Here's an example of an offline license installation.
```xml
@@ -405,15 +402,15 @@ Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
-- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled.
-- The user must be logged in, but association with AAD identity is not required.
+- The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled.
+- The user must be logged in, but association with Azure AD identity isn't required.
> [!NOTE]
> You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
-Here is an example of a line-of-business app installation.
+Here's an example of a line-of-business app installation.
```xml
@@ -440,7 +437,7 @@ Here is an example of a line-of-business app installation.
```
-Here is an example of an app installation with dependencies.
+Here's an example of an app installation with dependencies.
```xml
@@ -474,7 +471,7 @@ Here is an example of an app installation with dependencies.
```
-Here is an example of an app installation with dependencies and optional packages.
+Here's an example of an app installation with dependencies and optional packages.
```xml
@@ -516,23 +513,23 @@ Here is an example of an app installation with dependencies and optional package
### Provision apps for all users of a device
-Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This is only supported for app purchased from the Store for Business and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
+Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
-- The device does not need to have connectivity to the Microsoft Store, or store services enabled.
-- The device does not need any AAD identity or domain membership.
+- The device doesn't need to have connectivity to the Microsoft Store, or store services enabled.
+- The device doesn't need any Azure AD identity or domain membership.
- For nonStore app, your device must be unlocked.
-- For Store offline apps, the required licenses must be deployed prior to deploying the apps.
+- For Store offline apps, the required licenses must be deployed before deploying the apps.
-To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
+To provision app for all users of a device from a hosted location, the management server runs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
> [!NOTE]
> When you remove the provisioned app, it will not remove it from the users that already installed the app.
-Here is an example of app installation.
+Here's an example of app installation.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
@@ -564,12 +561,12 @@ Here is an example of app installation.
The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML:
-- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPs location.
+- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location.
- Dependencies can be specified if required to be installed with the package. This is optional.
The DeploymentOptions parameter is only available in the user context.
-Here is an example of app installation with dependencies.
+Here's an example of app installation with dependencies.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
@@ -608,22 +605,22 @@ Here is an example of app installation with dependencies.
### Get status of app installations
-When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here is the list of information you can get back in the query:
+When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query:
- Status - indicates the status of app installation.
- - NOT\_INSTALLED (0) - The node was added, but the execution was not completed.
- - INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success this value is updated.
+ - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
+ - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- - INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear.
-- LastError - This is the last error reported by the app deployment server.
+ - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
+- LastError - The last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
-- Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress.
+- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress.
- Status is not available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
+ Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node.
-Here is an example of a query for a specific app installation.
+Here's an example of a query for a specific app installation.
```xml
@@ -637,7 +634,7 @@ Here is an example of a query for a specific app installation.
```
-Here is an example of a query for all app installations.
+Here's an example of a query for all app installations.
```xml
@@ -653,9 +650,9 @@ Here is an example of a query for all app installations.
### Alert for installation completion
-Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
+Application installations can take some time to complete. So, they're done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
-Here is an example of an alert.
+Here's an example of an alert.
```xml
@@ -676,10 +673,10 @@ Here is an example of an alert.
For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path.
-The Data field value of 0 (zero) indicates success, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node.
+The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node.
> [!NOTE]
-> At this time, the alert for Store app installation is not yet available.
+> At this time, the alert for Store app installation isn't yet available.
## Uninstall your apps
@@ -687,12 +684,12 @@ The Data field value of 0 (zero) indicates success, otherwise it is an error cod
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
-- nonStore - These apps that were not acquired from the Microsoft Store.
-- System - These apps are part of the OS. You cannot uninstall these apps.
+- nonStore - These apps that weren't acquired from the Microsoft Store.
+- System - These apps are part of the OS. You can't uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name.
-Here is an example for uninstalling all versions of an app for a user.
+Here's an example for uninstalling all versions of an app for a user.
```xml
@@ -706,7 +703,7 @@ Here is an example for uninstalling all versions of an app for a user.
```
-Here is an example for uninstalling a specific version of the app for a user.
+Here's an example for uninstalling a specific version of the app for a user.
```xml
@@ -722,7 +719,7 @@ Here is an example for uninstalling a specific version of the app for a user.
### Removed provisioned apps from a device
-You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users.
+You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them will continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users.
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
@@ -730,7 +727,7 @@ You can remove provisioned apps from a device for a specific version or for all
Removing provisioned app occurs in the device context.
-Here is an example for removing a provisioned app from a device.
+Here's an example for removing a provisioned app from a device.
```xml
@@ -744,7 +741,7 @@ Here is an example for removing a provisioned app from a device.
```
-Here is an example for removing a specific version of a provisioned app from a device:
+Here's an example for removing a specific version of a provisioned app from a device:
```xml
@@ -762,7 +759,7 @@ Here is an example for removing a specific version of a provisioned app from a d
You can remove app licenses from a device per app based on the content ID.
-Here is an example for removing an app license for a user.
+Here's an example for removing an app license for a user.
```xml
@@ -776,7 +773,7 @@ Here is an example for removing an app license for a user.
```
-Here is an example for removing an app license for a provisioned package (device context).
+Here's an example for removing an app license for a provisioned package (device context).
```xml
@@ -792,11 +789,11 @@ Here is an example for removing an app license for a provisioned package (device
### Alert for app uninstallation
-Uninstallation of an app can take some time complete, hence the uninstallation is performed asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
+Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
For user-based uninstallation, use ./User in the LocURI, and for provisioning, use ./Device in the LocURI.
-Here is an example. There is only one uninstall for hosted and store apps.
+Here's an example. There's only one uninstall for hosted and store apps.
```xml
@@ -822,7 +819,7 @@ Apps installed on a device can be updated using the management server. Apps can
To update an app from Microsoft Store, the device requires contact with the store services.
-Here is an example of an update scan.
+Here's an example of an update scan.
```xml
@@ -836,7 +833,7 @@ Here is an example of an update scan.
```
-Here is an example of a status check.
+Here's an example of a status check.
```xml
@@ -860,11 +857,11 @@ A provisioned app automatically updates when an app update is sent to the user.
### Prevent app from automatic updates
-You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
+You can prevent specific apps from being automatically updated. This feature allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
-Turning off updates only applies to updates from the Microsoft Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
+Turning off updates only applies to updates from the Microsoft Store at the device level. This feature isn't available at a user level. You can still update an app if the offline packages are pushed from hosted install location.
-Here is an example.
+Here's an example.
```xml
@@ -882,96 +879,24 @@ Here is an example.
```
-## Additional app management scenarios
+## More app management scenarios
-The following subsections provide information about additional settings configurations.
-
-### Restrict app installation to the system volume
-
-You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md).
-
-> [!NOTE]
-> This is only supported in mobile devices.
-
-Here is an example.
-
-```xml
-
-
- 1
-
-
- ./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppToSystemVolume?list=StructData
-
-
-
-
-
- 2
-
-
- ./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume
-
-
- int
- text/plain
-
- 1
-
-
-```
-
-### Restrict AppData to the system volume
-
-In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved.
-
-> [!NOTE]
-> The feature is only for Windows 10 Mobile.
-
-The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1.
-
-Here is an example.
-
-```xml
-
-
- 1
-
-
- ./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppDataToSystemVolume?list=StructData
-
-
-
-
-
- 2
-
-
- ./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume
-
-
- int
- text/plain
-
- 1
-
-
-```
+The following subsections provide information about more settings configurations.
### Enable shared user app data
-The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device.
+The Universal Windows app can share application data between the users of the device. The ability to share data can be set at a package family level or per device.
> [!NOTE]
> This is only applicable to multi-user devices.
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
-If you disable this policy, applications cannot share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there is any shared data, and /Remove-SharedAppxData to remove it).
+If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
The valid values are 0 (off, default value) and 1 (on).
-Here is an example.
+Here's an example.
```xml
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index f5132cb038..1910df9821 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -17,7 +17,8 @@ ms.date: 06/26/2017
The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment.
-> **Note** The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile.
+> [!NOTE]
+> The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile.
@@ -81,7 +82,8 @@ Optional. The character string that contains the search criteria to search for t
Supported operations are Get and Add.
-> **Note** Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00
+> [!NOTE]
+> Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00
@@ -158,48 +160,16 @@ Supported operations are Get, Add, and Replace.
**/Download/*ProductID*/Status**
Required. The integer value that indicates the status of the current download process. The following table shows the possible values.
-
-
-
-
-
-
-
-
0: CONFIRM
-
Waiting for confirmation from user.
-
-
-
1: QUEUED
-
Waiting for download to start.
-
-
-
2: DOWNLOADING
-
In the process of downloading.
-
-
-
3: DOWNLOADED
-
Waiting for installation to start.
-
-
-
4: INSTALLING
-
Handed off for installation.
-
-
-
5: INSTALLED
-
Successfully installed
-
-
-
6: FAILED
-
Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)
-
-
-
7:DOWNLOAD_FAILED
-
Unable to connect to server, file doesn't exist, etc.
-
-
-
-
-
+|Value|Description|
+|--- |--- |
+|0: CONFIRM|Waiting for confirmation from user.|
+|1: QUEUED|Waiting for download to start.|
+|2: DOWNLOADING|In the process of downloading.|
+|3: DOWNLOADED|Waiting for installation to start.|
+|4: INSTALLING|Handed off for installation.|
+|5: INSTALLED|Successfully installed|
+|6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)|
+|7:DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.|
Scope is dynamic. Supported operations are Get, Add, and Replace.
@@ -463,10 +433,10 @@ Install or update the installed app with the product ID “{B316008A-141D-4A79-8
To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog.
-> **Note**
-> 1. If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation).
-
-2. The application product ID curly braces need to be escaped where { is %7B and } is %7D.
+> [!NOTE]
+> - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation).
+>
+> - The application product ID curly braces need to be escaped where { is %7B and } is %7D.
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
index ee057f96bd..db8f48e055 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
@@ -17,12 +17,14 @@ ms.date: 07/12/2017
The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings, such as language and themes, lock down a device, and configure custom layouts on a device. For example, the administrator can lock down a device so that only applications specified in an Allow list are available. Apps not on the Allow list remain installed on the device, but are hidden from view and blocked from launching.
-> **Note** The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
+> [!NOTE]
+> The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile).
The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
-```
+
+```console
./Vendor/MSFT
EnterpriseAssignedAccess
----AssignedAccess
@@ -38,6 +40,7 @@ EnterpriseAssignedAccess
----Locale
--------Language
```
+
The following list shows the characteristics and parameters.
**./Vendor/MSFT/EnterpriseAssignedAccess/**
@@ -631,110 +634,30 @@ Supported operations are Get and Replace.
**Theme/ThemeAccentColorID**
The accent color to apply as the foreground color for tiles, controls, and other visual elements on the device. The following table shows the possible values.
-
-
-
-
-
-
-
-
Value
-
Description
-
-
-
-
-
0
-
Lime
-
-
-
1
-
Green
-
-
-
2
-
Emerald
-
-
-
3
-
Teal (Viridian)
-
-
-
4
-
Cyan (Blue)
-
-
-
5
-
Cobalt
-
-
-
6
-
Indigo
-
-
-
7
-
Violet (Purple)
-
-
-
8
-
Pink
-
-
-
9
-
Magenta
-
-
-
10
-
Crimson
-
-
-
11
-
Red
-
-
-
12
-
Orange (Mango)
-
-
-
13
-
Amber
-
-
-
14
-
Yellow
-
-
-
15
-
Brown
-
-
-
16
-
Olive
-
-
-
17
-
Steel
-
-
-
18
-
Mauve
-
-
-
19
-
Sienna
-
-
-
101 through 104
-
Optional colors, as defined by the OEM
-
-
-
151
-
Custom accent color for Enterprise
-
-
-
-
-
+|Value|Description|
+|--- |--- |
+|0|Lime|
+|1|Green|
+|2|Emerald|
+|3|Teal (Viridian)|
+|4|Cyan (Blue)|
+|5|Cobalt|
+|6|Indigo|
+|7|Violet (Purple)|
+|8|Pink|
+|9|Magenta|
+|10|Crimson|
+|11|Red|
+|12|Orange (Mango)|
+|13|Amber|
+|14|Yellow|
+|15|Brown|
+|16|Olive|
+|17|Steel|
+|18|Mauve|
+|19|Sienna|
+|101 through 104|Optional colors, as defined by the OEM|
+|151|Custom accent color for Enterprise|
Supported operations are Get and Replace.
@@ -758,440 +681,119 @@ An integer that specifies the time zone of the device. The following table shows
Supported operations are Get and Replace.
-
-
-
-
-
-
-
-
Value
-
Time zone
-
-
-
-
-
0
-
UTC-12 International Date Line West
-
-
-
100
-
UTC+13 Samoa
-
-
-
110
-
UTC-11 Coordinated Universal Time-11
-
-
-
200
-
UTC-10 Hawaii
-
-
-
300
-
UTC-09 Alaska
-
-
-
400
-
UTC-08 Pacific Time (US & Canada)
-
-
-
410
-
UTC-08 Baja California
-
-
-
500
-
UTC-07 Mountain Time (US & Canada)
-
-
-
510
-
UTC-07 Chihuahua, La Paz, Mazatlan
-
-
-
520
-
UTC-07 Arizona
-
-
-
600
-
UTC-06 Saskatchewan
-
-
-
610
-
UTC-06 Central America
-
-
-
620
-
UTC-06 Central Time (US & Canada)
-
-
-
630
-
UTC-06 Guadalajara, Mexico City, Monterrey
-
-
-
700
-
UTC-05 Eastern Time (US & Canada)
-
-
-
710
-
UTC-05 Bogota, Lima, Quito
-
-
-
720
-
UTC-05 Indiana (East)
-
-
-
800
-
UTC-04 Atlantic Time (Canada)
-
-
-
810
-
UTC-04 Cuiaba
-
-
-
820
-
UTC-04 Santiago
-
-
-
830
-
UTC-04 Georgetown, La Paz, Manaus, San Juan
-
-
-
840
-
UTC-04 Caracas
-
-
-
850
-
UTC-04 Asuncion
-
-
-
900
-
UTC-03:30 Newfoundland
-
-
-
910
-
UTC-03 Brasilia
-
-
-
920
-
UTC-03 Greenland
-
-
-
930
-
UTC-03 Montevideo
-
-
-
940
-
UTC-03 Cayenne, Fortaleza
-
-
-
950
-
UTC-03 Buenos Aires
-
-
-
960
-
UTC-03 Salvador
-
-
-
1000
-
UTC-02 Mid-Atlantic
-
-
-
1010
-
UTC-02 Coordinated Universal Time-02
-
-
-
1100
-
UTC-01 Azores
-
-
-
1110
-
UTC-01 Cabo Verde
-
-
-
1200
-
UTC Dublin, Edinburgh, Lisbon, London
-
-
-
1210
-
UTC Monrovia, Reykjavik
-
-
-
1220
-
UTC Casablanca
-
-
-
1230
-
UTC Coordinated Universal Time
-
-
-
1300
-
UTC+01 Belgrade, Bratislava, Budapest, Ljubljana, Prague
-
-
-
1310
-
UTC+01 Sarajevo, Skopje, Warsaw, Zagreb
-
-
-
1320
-
UTC+01 Brussels, Copenhagen, Madrid, Paris
-
-
-
1330
-
UTC+01 West Central Africa
-
-
-
1340
-
UTC+01 Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
-
-
-
1350
-
UTC+01 Windhoek
-
-
-
1360
-
UTC+01 Tripoli
-
-
-
1400
-
UTC+02 E. Europe
-
-
-
1410
-
UTC+02 Cairo
-
-
-
1420
-
UTC+02 Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
-
-
-
1430
-
UTC+02 Athens, Bucharest
-
-
-
1440
-
UTC+02 Jerusalem
-
-
-
1450
-
UTC+02 Amman
-
-
-
1460
-
UTC+02 Beirut
-
-
-
1470
-
UTC+02 Harare, Pretoria
-
-
-
1480
-
UTC+02 Damascus
-
-
-
1490
-
UTC+02 Istanbul
-
-
-
1500
-
UTC+03 Kuwait, Riyadh
-
-
-
1510
-
UTC+03 Baghdad
-
-
-
1520
-
UTC+03 Nairobi
-
-
-
1530
-
UTC+03 Kaliningrad, Minsk
-
-
-
1540
-
UTC+04 Moscow, St. Petersburg, Volgograd
-
-
-
1550
-
UTC+03 Tehran
-
-
-
1600
-
UTC+04 Abu Dhabi, Muscat
-
-
-
1610
-
UTC+04 Baku
-
-
-
1620
-
UTC+04 Yerevan
-
-
-
1630
-
UTC+04 Kabul
-
-
-
1640
-
UTC+04 Tbilisi
-
-
-
1650
-
UTC+04 Port Louis
-
-
-
1700
-
UTC+06 Ekaterinburg
-
-
-
1710
-
UTC+05 Tashkent
-
-
-
1720
-
UTC+05 Chennai, Kolkata, Mumbai, New Delhi
-
-
-
1730
-
UTC+05 Sri Jayawardenepura
-
-
-
1740
-
UTC+05 Kathmandu
-
-
-
1750
-
UTC+05 Islamabad, Karachi
-
-
-
1800
-
UTC+06 Astana
-
-
-
1810
-
UTC+07 Novosibirsk
-
-
-
1820
-
UTC+06 Yangon (Rangoon)
-
-
-
1830
-
UTC+06 Dhaka
-
-
-
1900
-
UTC+08 Krasnoyarsk
-
-
-
1910
-
UTC+07 Bangkok, Hanoi, Jakarta
-
-
-
1900
-
UTC+08 Krasnoyarsk
-
-
-
2000
-
UTC+08 Beijing, Chongqing, Hong Kong SAR, Urumqi
-
-
-
2010
-
UTC+09 Irkutsk
-
-
-
2020
-
UTC+08 Kuala Lumpur, Singapore
-
-
-
2030
-
UTC+08 Taipei
-
-
-
2040
-
UTC+08 Perth
-
-
-
2050
-
UTC+08 Ulaanbaatar
-
-
-
2100
-
UTC+09 Seoul
-
-
-
2110
-
UTC+09 Osaka, Sapporo, Tokyo
-
-
-
2120
-
UTC+10 Yakutsk
-
-
-
2130
-
UTC+09 Darwin
-
-
-
2140
-
UTC+09 Adelaide
-
-
-
2200
-
UTC+10 Canberra, Melbourne, Sydney
-
-
-
2210
-
UTC+10 Brisbane
-
-
-
2220
-
UTC+10 Hobart
-
-
-
2230
-
UTC+11 Vladivostok
-
-
-
2240
-
UTC+10 Guam, Port Moresby
-
-
-
2300
-
UTC+11 Solomon Is., New Caledonia
-
-
-
2310
-
UTC+12 Magadan
-
-
-
2400
-
UTC+12 Fiji
-
-
-
2410
-
UTC+12 Auckland, Wellington
-
-
-
2420
-
UTC+12 Petropavlovsk-Kamchatsky
-
-
-
2430
-
UTC+12 Coordinated Universal Time +12
-
-
-
2500
-
UTC+13 Nuku'alofa
-
-
-
-
+|Value|Time zone|
+|--- |--- |
+|0|UTC-12 International Date Line West|
+|100|UTC+13 Samoa|
+|110|UTC-11 Coordinated Universal Time-11|
+|200|UTC-10 Hawaii|
+|300|UTC-09 Alaska|
+|400|UTC-08 Pacific Time (US & Canada)|
+|410|UTC-08 Baja California|
+|500|UTC-07 Mountain Time (US & Canada)|
+|510|UTC-07 Chihuahua, La Paz, Mazatlan|
+|520|UTC-07 Arizona|
+|600|UTC-06 Saskatchewan|
+|610|UTC-06 Central America|
+|620|UTC-06 Central Time (US & Canada)|
+|630|UTC-06 Guadalajara, Mexico City, Monterrey|
+|700|UTC-05 Eastern Time (US & Canada)|
+|710|UTC-05 Bogota, Lima, Quito|
+|720|UTC-05 Indiana (East)|
+|800|UTC-04 Atlantic Time (Canada)|
+|810|UTC-04 Cuiaba|
+|820|UTC-04 Santiago|
+|830|UTC-04 Georgetown, La Paz, Manaus, San Juan|
+|840|UTC-04 Caracas|
+|850|UTC-04 Asuncion|
+|900|UTC-03:30 Newfoundland|
+|910|UTC-03 Brasilia|
+|920|UTC-03 Greenland|
+|930|UTC-03 Montevideo|
+|940|UTC-03 Cayenne, Fortaleza|
+|950|UTC-03 Buenos Aires|
+|960|UTC-03 Salvador|
+|1000|UTC-02 Mid-Atlantic|
+|1010|UTC-02 Coordinated Universal Time-02|
+|1100|UTC-01 Azores|
+|1110|UTC-01 Cabo Verde|
+|1200|UTC Dublin, Edinburgh, Lisbon, London|
+|1210|UTC Monrovia, Reykjavik|
+|1220|UTC Casablanca|
+|1230|UTC Coordinated Universal Time|
+|1300|UTC+01 Belgrade, Bratislava, Budapest, Ljubljana, Prague|
+|1310|UTC+01 Sarajevo, Skopje, Warsaw, Zagreb|
+|1320|UTC+01 Brussels, Copenhagen, Madrid, Paris|
+|1330|UTC+01 West Central Africa|
+|1340|UTC+01 Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna|
+|1350|UTC+01 Windhoek|
+|1360|UTC+01 Tripoli|
+|1400|UTC+02 E. Europe|
+|1410|UTC+02 Cairo|
+|1420|UTC+02 Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius|
+|1430|UTC+02 Athens, Bucharest|
+|1440|UTC+02 Jerusalem|
+|1450|UTC+02 Amman|
+|1460|UTC+02 Beirut|
+|1470|UTC+02 Harare, Pretoria|
+|1480|UTC+02 Damascus|
+|1490|UTC+02 Istanbul|
+|1500|UTC+03 Kuwait, Riyadh|
+|1510|UTC+03 Baghdad|
+|1520|UTC+03 Nairobi|
+|1530|UTC+03 Kaliningrad, Minsk|
+|1540|UTC+04 Moscow, St. Petersburg, Volgograd|
+|1550|UTC+03 Tehran|
+|1600|UTC+04 Abu Dhabi, Muscat|
+|1610|UTC+04 Baku|
+|1620|UTC+04 Yerevan|
+|1630|UTC+04 Kabul|
+|1640|UTC+04 Tbilisi|
+|1650|UTC+04 Port Louis|
+|1700|UTC+06 Ekaterinburg|
+|1710|UTC+05 Tashkent|
+|1720|UTC+05 Chennai, Kolkata, Mumbai, New Delhi|
+|1730|UTC+05 Sri Jayawardenepura|
+|1740|UTC+05 Kathmandu|
+|1750|UTC+05 Islamabad, Karachi|
+|1800|UTC+06 Astana|
+|1810|UTC+07 Novosibirsk|
+|1820|UTC+06 Yangon (Rangoon)|
+|1830|UTC+06 Dhaka|
+|1900|UTC+08 Krasnoyarsk|
+|1910|UTC+07 Bangkok, Hanoi, Jakarta|
+|1900|UTC+08 Krasnoyarsk|
+|2000|UTC+08 Beijing, Chongqing, Hong Kong SAR, Urumqi|
+|2010|UTC+09 Irkutsk|
+|2020|UTC+08 Kuala Lumpur, Singapore|
+|2030|UTC+08 Taipei|
+|2040|UTC+08 Perth|
+|2050|UTC+08 Ulaanbaatar|
+|2100|UTC+09 Seoul|
+|2110|UTC+09 Osaka, Sapporo, Tokyo|
+|2120|UTC+10 Yakutsk|
+|2130|UTC+09 Darwin|
+|2140|UTC+09 Adelaide|
+|2200|UTC+10 Canberra, Melbourne, Sydney|
+|2210|UTC+10 Brisbane|
+|2220|UTC+10 Hobart|
+|2230|UTC+11 Vladivostok|
+|2240|UTC+10 Guam, Port Moresby|
+|2300|UTC+11 Solomon Is., New Caledonia|
+|2310|UTC+12 Magadan|
+|2400|UTC+12 Fiji|
+|2410|UTC+12 Auckland, Wellington|
+|2420|UTC+12 Petropavlovsk-Kamchatsky|
+|2430|UTC+12 Coordinated Universal Time +12|
+|2500|UTC+13 Nuku'alofa|
**Locale/Language/**
The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c).
The language setting is configured in the Default User profile only.
-> **Note** Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required.
+> [!NOTE]
+> Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required.
Supported operations are Get and Replace.
@@ -1200,7 +802,8 @@ Supported operations are Get and Replace.
The XML examples in this section show how to perform various tasks by using OMA client provisioning.
-> **Note** These examples are XML snippets and do not include all sections that are required for a complete lockdown XML file.
+> [!NOTE]
+> These examples are XML snippets and do not include all sections that are required for a complete lockdown XML file.
@@ -1469,212 +1072,45 @@ The following example shows how to set the language.
## Product IDs in Windows 10 Mobile
-
The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile.
-
\ No newline at end of file
+|App|Product ID|AUMID|
+|--- |--- |--- |
+|Alarms and clock|44F7D2B4-553D-4BEC-A8B7-634CE897ED5F|Microsoft.WindowsAlarms_8wekyb3d8bbwe!App|
+|Calculator|B58171C6-C70C-4266-A2E8-8F9C994F4456|Microsoft.WindowsCalculator_8wekyb3d8bbwe!App|
+|Camera|F0D8FEFD-31CD-43A1-A45A-D0276DB069F1|Microsoft.WindowsCamera_8wekyb3d8bbwe!App|
+|Contact Support|0DB5FCFF-4544-458A-B320-E352DFD9CA2B|Windows.ContactSupport_cw5n1h2txyewy!App|
+|Cortana|FD68DCF4-166F-4C55-A4CA-348020F71B94|Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI|
+|Excel|EAD3E7C0-FAE6-4603-8699-6A448138F4DC|Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel|
+|Facebook|82A23635-5BD9-DF11-A844-00237DE2DB9E|Microsoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e|
+|File Explorer|C5E2524A-EA46-4F67-841F-6A9465D9D515|c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App|
+|FM Radio|F725010E-455D-4C09-AC48-BCDEF0D4B626|N/A|
+|Get Started|B3726308-3D74-4A14-A84C-867C8C735C3C|Microsoft.Getstarted_8wekyb3d8bbwe!App|
+|Groove Music|D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0|Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic|
+|Maps|ED27A07E-AF57-416B-BC0C-2596B622EF7D|Microsoft.WindowsMaps_8wekyb3d8bbwe!App|
+|Messaging|27E26F40-E031-48A6-B130-D1F20388991A|Microsoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax|
+|Microsoft Edge|395589FB-5884-4709-B9DF-F7D558663FFD|Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge|
+|Money|1E0440F1-7ABF-4B9A-863D-177970EEFB5E|Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance|
+|Movies and TV|6AFFE59E-0467-4701-851F-7AC026E21665|Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo|
+|News|9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1|Microsoft.BingNews_8wekyb3d8bbwe!AppexNews|
+|OneDrive|AD543082-80EC-45BB-AA02-FFE7F4182BA8|Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App|
+|OneNote|CA05B3AB-F157-450C-8C49-A1F127F5E71D|Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim|
+|Outlook Calendar|A558FEBA-85D7-4665-B5D8-A2FF9C19799B|Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar|
+|Outlook Mail|A558FEBA-85D7-4665-B5D8-A2FF9C19799B|Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail|
+|People|60BE1FB8-3291-4B21-BD39-2221AB166481|Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x|
+|Phone (dialer)|F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7|Microsoft.CommsPhone_8wekyb3d8bbwe!App|
+|Photos|FCA55E1B-B9A4-4289-882F-084EF4145005|Microsoft.Windows.Photos_8wekyb3d8bbwe!App|
+|Podcasts|C3215724-B279-4206-8C3E-61D1A9D63ED3|Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x|
+|PowerPoint|B50483C4-8046-4E1B-81BA-590B24935798|Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim|
+|Settings|2A4E62D8-8809-4787-89F8-69D0F01654FB|2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App|
+|Skype|C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51|Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId|
+|Skype Video|27E26F40-E031-48A6-B130-D1F20388991A|Microsoft.Messaging_8wekyb3d8bbwe!App|
+|Sports|0F4C8C7E-7114-4E1E-A84C-50664DB13B17|Microsoft.BingSports_8wekyb3d8bbwe!AppexSports|
+|Storage|5B04B775-356B-4AA0-AAF8-6491FFEA564D|N/A|
+|Store|7D47D89A-7900-47C5-93F2-46EB6D94C159|Microsoft.WindowsStore_8wekyb3d8bbwe!App|
+|Voice recorder|7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0|Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App|
+|Wallet|587A4577-7868-4745-A29E-F996203F1462|Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App|
+|Weather|63C2A117-8604-44E7-8CEF-DF10BE3A57C8|Microsoft.BingWeather_8wekyb3d8bbwe!App|
+|Windows Feedback|7604089D-D13F-4A2D-9998-33FC02B63CE3|Microsoft.WindowsFeedback_8wekyb3d8bbwe!App|
+|Word|258F115C-48F4-4ADB-9A68-1387E634459B|Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word|
+|Xbox|B806836F-EEBE-41C9-8669-19E243B81B83|Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp|
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 3b596b6652..07388f0b79 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -30,7 +30,8 @@ To learn more about WIP, see the following articles:
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
The following shows the EnterpriseDataProtection CSP in tree format.
-```
+
+```console
./Device/Vendor/MSFT
EnterpriseDataProtection
----Settings
@@ -45,6 +46,7 @@ EnterpriseDataProtection
--------EDPShowIcons
----Status
```
+
**./Device/Vendor/MSFT/EnterpriseDataProtection**
The root node for the CSP.
@@ -71,7 +73,6 @@ Changing the primary enterprise ID is not supported and may cause unexpected beh
> [!Note]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
Here are the steps to create canonical domain names:
@@ -111,7 +112,6 @@ The CSP checks the current edition and hardware support (TPM), and returns an er
> [!Note]
> This setting is only supported in Windows 10 Mobile.
-
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
@@ -124,7 +124,7 @@ Specifies a recovery certificate that can be used for data recovery of encrypted
DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
The binary blob is the serialized version of following structure:
-``` syntax
+```cpp
//
// Recovery Policy Data Structures
//
@@ -243,7 +243,6 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
EfsCertificate,
EfsCertificateThumbprint
} PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG;
-
```
For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
@@ -300,36 +299,9 @@ A read-only bit mask that indicates the current state of WIP on the Device. The
Suggested values:
-
-
-
-
-
-
-
-
-
-
-
Reserved for future use
-
WIP mandatory settings
-
Set = 1
-
Not set = 0
-
Reserved for future use
-
AppLocker configured
-
Yes = 1
-
No = 0
-
WIP on = 1
-
WIP off = 0
-
-
-
4
-
3
-
2
-
1
-
0
-
-
-
+|Reserved for future use|WIP mandatory settings Set = 1 Not set = 0|Reserved for future use|AppLocker configured Yes = 1 No = 0|WIP on = 1 WIP off = 0|
+|--- |--- |--- |--- |--- |
+|4|3|2|1|0|
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index 78f0b5cb28..70beb72229 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -259,41 +259,12 @@ The following table describes the fields in the previous sample:
The following table describes the fields in the previous sample:
-
-
-
-
-
-
-
-
Name
-
Description
-
-
-
-
-
Add
-
This is required to precede the Exec command.
-
-
CmdID - Input value used to reference the request. Responses includes this value, which can be use to match the request and response.
-
LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
-
-
-
-
Exec
-
The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
-
-
CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.
-
LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
-
Data - The Data node contains an embedded XML, of type “MsiInstallJob”
-
MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).
-
-
-
+|Name|Description|
+|--- |--- |
+|Add|This is required to precede the Exec command.
CmdID - Input value used to reference the request. Responses includes this value, which can be use to match the request and response.
LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.|
+|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.
LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
Data - The Data node contains an embedded XML, of type “MsiInstallJob”
MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).|
-
-
> [!Note]
> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
@@ -353,70 +324,20 @@ The following table describes the fields in the previous sample:
The following table MsiInstallJob describes the schema elements.
-
-
-
-
-
-
-
-
Element
-
Description
-
-
-
-
-
MsiInstallJob
-
root element
-
"Attribute: "id - the application identifier of the application being installed
-
-
-
Product
-
child element of MsiInstallJob
-
Attribute: “Version” – string representation of application version
-
-
-
Download
-
child element of Product. Container for download configuration information.
-
-
-
ContentURLList
-
child element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.
-
-
-
ContentURL
-
Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.
-
-
-
Validation
-
Contains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content
-
-
-
FileHash
-
SHA256 hash value of file content
-
-
-
Enforcement
-
installation properties to be used when installing this MSI
-
-
-
CommandLine
-
Command-line options to be used when calling MSIEXEC.exe
-
-
-
TimeOut
-
Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.
-
-
-
RetryCount
-
The number of times the download and installation operation will be retried before the installation will be marked as failed.
-
-
-
RetryInterval
-
Amount of time, in minutes between retry operations.
-
-
-
+|Element|Description|
+|--- |--- |
+|MsiInstallJob|root element "Attribute: "id - the application identifier of the application being installed|
+|Product|child element of MsiInstallJob Attribute: “Version” – string representation of application version|
+|Download|child element of Product. Container for download configuration information.|
+|ContentURLList|child element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.|
+|ContentURL|Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.|
+|Validation|Contains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content|
+|FileHash|SHA256 hash value of file content|
+|Enforcement|installation properties to be used when installing this MSI|
+|CommandLine|Command-line options to be used when calling MSIEXEC.exe|
+|TimeOut|Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.|
+|RetryCount|The number of times the download and installation operation will be retried before the installation will be marked as failed.|
+|RetryInterval|Amount of time, in minutes between retry operations.|
@@ -453,85 +374,17 @@ The following tables shows how app targeting and MSI package type (per-user, per
For Intune standalone environment, the MSI package will determine the MSI execution context.
-
-
-
-
-
-
-
-
-
-
Target
-
Per-user MSI
-
Per-machine MSI
-
Dual mode MSI
-
-
-
-
-
User
-
Install the MSI per-user
-
LocURI contains a User prefix, such as ./User
-
Install the MSI per-device
-
LocURI contains a Device prefix, such as ./Device
-
Install the MSI per-user
-
LocURI contains a User prefix, such as ./User
-
-
-
System
-
Install the MSI per-user
-
LocURI contains a User prefix, such as ./User
-
Install the MSI per-device
-
LocURI contains a Device prefix, such as ./Device
-
Install the MSI per-user
-
LocURI contains a User prefix, such as ./User
-
-
-
-
-
+|Target|Per-user MSI|Per-machine MSI|Dual mode MSI|
+|--- |--- |--- |--- |
+|User|Install the MSI per-user LocURI contains a User prefix, such as ./User|Install the MSI per-device LocURI contains a Device prefix, such as ./Device|Install the MSI per-user LocURI contains a User prefix, such as ./User|
+|System|Install the MSI per-user LocURI contains a User prefix, such as ./User|Install the MSI per-device LocURI contains a Device prefix, such as ./Device|Install the MSI per-user LocURI contains a User prefix, such as ./User|
The following table applies to SCCM hybrid environment.
-
-
-
-
-
-
-
-
-
-
Target
-
Per-user MSI
-
Per-machine MSI
-
Dual mode MSI
-
-
-
-
-
User
-
Install the MSI per-user
-
LocURI contains a User prefix, such as ./User
-
Install the MSI per-device
-
LocURI contains a Device prefix, such as ./Device
-
Install the MSI per-user
-
LocURI contains a User prefix, such as ./User
-
-
-
System
-
Install the MSI per-user
-
LocURI contains a User prefix, such as ./User
-
Install the MSI per-device
-
LocURI contains a Device prefix, such as ./Device
-
Install the MSI per- system context
-
LocURI contains a Device prefix, such as ./Device
-
-
-
-
-
+|Target|Per-user MSI|Per-machine MSI|Dual mode MSI|
+|--- |--- |--- |--- |
+|User|Install the MSI per-user LocURI contains a User prefix, such as ./User|Install the MSI per-device LocURI contains a Device prefix, such as ./Device|Install the MSI per-user LocURI contains a User prefix, such as ./User|
+|System|Install the MSI per-user LocURI contains a User prefix, such as ./User|Install the MSI per-device LocURI contains a Device prefix, such as ./Device|Install the MSI per- system context LocURI contains a Device prefix, such as ./Device|
## How to determine the package type from the MSI package
diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md
index 94c9465267..4c01145bb3 100644
--- a/windows/client-management/mdm/get-inventory.md
+++ b/windows/client-management/mdm/get-inventory.md
@@ -21,143 +21,34 @@ The **Get Inventory** operation retrieves information from the Microsoft Store f
## Request
-
-
-
-
+**GET:**
+```http
+https://bspmts.mp.microsoft.com/V1/Inventory?continuationToken={ContinuationToken}&modifiedSince={ModifiedSince}&licenseTypes={LicenseType}&maxResults={MaxResults}
+```
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
-
Parameter
-
Type
-
Default value
-
Description
-
-
-
-
-
continuationToken
-
string
-
Null
-
-
-
-
modifiedSince
-
datetime
-
Null
-
Optional. Used to determine changes since a specific date.
Optional. Specifies the maximum number of applications returned in a single query.
-
-
-
-
-
-
+|Parameter|Type|Default value|Description|
+|--- |--- |--- |--- |
+|continuationToken|string|Null||
+|modifiedSince|datetime|Null|Optional. Used to determine changes since a specific date.|
+|licenseTypes|collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)|{online,offline}|Optional. A collection of license types|
+|maxResults|integer-32|25|Optional. Specifies the maximum number of applications returned in a single query.|
Here are some examples.
-
+**GET:**
+
+```http
+https://bspmts.mp.microsoft.com/V1/Products/{ProductId}/{SkuId}/LocalizedDetails/{language}
+```
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
Parameter
-
Type
-
Description
-
-
-
-
-
productId
-
string
-
Required. Product identifier for an application that is used by the Store for Business.
-
-
-
skuId
-
string
-
Required. Product identifier that specifies a specific SKU of an application.
-
-
-
language
-
string
-
Required. Language in ISO format, such as en-us, en-ca.
-
-
-
+|Parameter|Type|Description|
+|--- |--- |--- |
+|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
+|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
+|language|string|Required. Language in ISO format, such as en-us, en-ca.|
-
-
-
-
-
-
-
-
-
-
-
Error code
-
Description
-
Retry
-
Data field
-
-
-
-
-
400
-
Invalid parameters
-
No
-
Parameter name
-
Reason: Missing parameter or invalid parameter
-
Details: String
-
-
-
404
-
Not found
-
-
Item type: productId, skuId, language
-
-
-
-
-
+|Error code|Description|Retry|Data field|
+|--- |--- |--- |--- |
+|400|Invalid parameters|No|Parameter name Reason: Missing parameter or invalid parameter Details: String|
+|404|Not found||Item type: productId, skuId, language|
## Response
diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md
index 87699a8b11..0f60251a1c 100644
--- a/windows/client-management/mdm/get-offline-license.md
+++ b/windows/client-management/mdm/get-offline-license.md
@@ -18,102 +18,27 @@ The **Get offline license** operation retrieves the offline license information
## Request
-
+**POST:**
+
+```http
+https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/OfflineLicense/{contentId}
+```
-
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
Parameter
-
Type
-
Description
-
-
-
-
-
productId
-
string
-
Required. Identifies a specific product that has been acquired.
-
-
-
skuId
-
string
-
Required. The SKU identifier.
-
-
-
contentId
-
string
-
Required. Identifies a specific application.
-
-
-
+|Parameter|Type|Description|
+|--- |--- |--- |
+|productId|string|Required. Identifies a specific product that has been acquired.|
+|skuId|string|Required. The SKU identifier.|
+|contentId|string|Required. Identifies a specific application.|
-
-
-
-
-
-
-
-
-
-
-
Error code
-
Description
-
Retry
-
Data field
-
-
-
-
-
400
-
Invalid parameters
-
No
-
Parameter name
-
Reason: Missing parameter or invalid parameter
-
Details: String
-
-
-
404
-
Not found
-
-
-
-
-
409
-
Conflict
-
-
Reason: Not owned, Not offline
-
-
-
-
+|Error code|Description|Retry|Data field|
+|--- |--- |--- |--- |
+|400|Invalid parameters|No|Parameter name Reason: Missing parameter or invalid parameter Details: String|
+|404|Not found|||
+|409|Conflict||Reason: Not owned, Not offline|
## Response
diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md
index 18a0174509..9b32395cbd 100644
--- a/windows/client-management/mdm/get-product-details.md
+++ b/windows/client-management/mdm/get-product-details.md
@@ -18,92 +18,26 @@ The **Get product details** operation retrieves the product information from the
## Request
-
+**GET:**
+```http
+https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}
+```
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
Parameter
-
Type
-
Description
-
-
-
-
-
productId
-
string
-
Required. Product identifier for an application that is used by the Store for Business.
-
-
-
skuId
-
string
-
Required. Product identifier that specifies a specific SKU of an application.
-
-
-
+|Parameter|Type|Description|
+|--- |--- |--- |
+|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
+|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
+|Error code|Description|Retry|Data field|
+|--- |--- |--- |--- |
+|400|Invalid parameters|No|Parameter name Reason: Missing parameter or invalid parameter Details: String|
+|404|Not found|||
-
-
-
-
-
-
-
-
-
-
Error code
-
Description
-
Retry
-
Data field
-
-
-
-
-
400
-
Invalid parameters
-
No
-
Parameter name
-
Reason: Missing parameter or invalid parameter
-
Details: String
-
-
-
404
-
Not found
-
-
-
-
-
-
-
## Response
### Response body
diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md
index 662580acde..d08a8b434a 100644
--- a/windows/client-management/mdm/get-product-package.md
+++ b/windows/client-management/mdm/get-product-package.md
@@ -18,108 +18,27 @@ The **Get product package** operation retrieves the information about a specific
## Request
-
+**GET:**
-
+```http
+https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages/{packageId}
+```
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
Parameter
-
Type
-
Description
-
-
-
-
-
productId
-
string
-
Required. Product identifier for an application that is used by the Store for Business.
-
-
-
skuId
-
string
-
Required. Product identifier that specifies a specific SKU of an application.
-
-
-
packageId
-
string
-
Required.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Error code
-
Description
-
Retry
-
Data field
-
Details
-
-
-
-
-
400
-
Invalid parameters
-
No
-
Parameter name
-
Reason: Invalid parameter
-
Details: String
-
Can be productId, skuId, or packageId
-
-
-
404
-
Not found
-
-
-
Item type: Product/SKU
-
-
-
409
-
Conflict
-
-
Reason: Not owned
-
-
-
-
+|Parameter|Type|Description|
+|--- |--- |--- |
+|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
+|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
+|packageId|string|Required.|
+|Error code|Description|Retry|Data field|Details|
+|--- |--- |--- |--- |--- |
+|400|Invalid parameters|No|Parameter name
Reason: Invalid parameter
Details: String|Can be productId, skuId, or packageId|
+|404|Not found|||Item type: Product/SKU|
+|409|Conflict||Reason: Not owned||
## Response
diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md
index 5ad2851bc5..6dede5eb3e 100644
--- a/windows/client-management/mdm/get-product-packages.md
+++ b/windows/client-management/mdm/get-product-packages.md
@@ -18,97 +18,27 @@ The **Get product packages** operation retrieves the information about applicati
## Request
-
+**GET:**
+
+```http
+https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages
+```
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
Parameter
-
Type
-
Description
-
-
-
-
-
productId
-
string
-
Required. Product identifier for an application that is used by the Store for Business.
-
-
-
skuId
-
string
-
Required. Product identifier that specifies a specific SKU of an application.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Error code
-
Description
-
Retry
-
Data field
-
-
-
-
-
400
-
Invalid parameters
-
No
-
Parameter name
-
Reason: Missing parameter or invalid parameter
-
Details: String
-
-
-
404
-
Not found
-
-
-
-
-
409
-
Conflict
-
-
Reason: Not owned
-
-
-
+|Parameter|Type|Description|
+|--- |--- |--- |
+|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
+|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
+|Error code|Description|Retry|Data field|
+|--- |--- |--- |--- |
+|400|Invalid parameters|No|Parameter name
Reason: Missing parameter or invalid parameter
Details: String|
+|404|Not found|||
+|409|Conflict||Reason: Not owned|
## Response
diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md
index 598d24ea19..920c40c4e5 100644
--- a/windows/client-management/mdm/get-seat.md
+++ b/windows/client-management/mdm/get-seat.md
@@ -18,61 +18,21 @@ The **Get seat** operation retrieves the information about an active seat for a
## Request
-
+**GET:**
+```http
+https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}
+```
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
Parameter
-
Type
-
Description
-
-
-
-
-
productId
-
string
-
Required. Product identifier for an application that is used by the Store for Business.
-
-
-
skuId
-
string
-
Required. Product identifier that specifies a specific SKU of an application.
-
-
-
username
-
string
-
Requires UserPrincipalName (UPN). User name of the target user account.
-
-
-
+|Parameter|Type|Description|
+|--- |--- |--- |
+|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
+|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
+|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
## Response
@@ -81,56 +41,8 @@ The following parameters may be specified in the request URI.
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
-
+**GET:**
+```http
+https://bspmts.mp.microsoft.com/V1/Users/{username}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}
+```
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
Parameter
-
Type
-
Description
-
-
-
-
-
useName
-
string
-
Requires UserPrincipalName (UPN). User name of the target user account.
-
-
-
continuationToken
-
string
-
Optional.
-
-
-
maxResults
-
inteter-32
-
Optional. Default = 25, Maximum = 100
-
-
-
+|Parameter|Type|Description|
+|--- |--- |--- |
+|useName|string|Requires UserPrincipalName (UPN). User name of the target user account.|
+|continuationToken|string|Optional.|
+|maxResults|inteter-32|Optional. Default = 25, Maximum = 100|
## Response
@@ -81,39 +41,10 @@ The following parameters may be specified in the request URI.
The response body contain [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
-
Values: UserName|
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index d7ae502365..bba400d65a 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -38,6 +38,7 @@ The MDM security baseline includes policies that cover the following areas:
For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
+- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 13c000e4f5..57cbee7b16 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -29,7 +29,6 @@ ms.date: 07/22/2020
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
-- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index acf05925b9..bbd3101f94 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -5841,9 +5841,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
@@ -690,75 +687,6 @@ The following list shows the supported values:
-
-**Defender/AllowIntrusionPreventionSystem**
-
-
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows Windows Defender Intrusion Prevention functionality.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
**Defender/AllowOnAccessProtection**
@@ -3400,4 +3328,4 @@ ADMX Info:
-
\ No newline at end of file
+
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index dc8d037b70..792dab97f1 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -123,51 +123,11 @@ The following list shows the supported values:
**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
-
-
-
-
> [!NOTE]
-> This policy has been deprecated in Windows 10, version 1607
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
+>
+> - This policy is deprecated in Windows 10, version 1607.
+> - This policy is only enforced in Windows 10 for desktop.
Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
@@ -764,4 +724,4 @@ The following list shows the supported values:
-
\ No newline at end of file
+
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index d4dcbc0b56..588586543f 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -2215,22 +2215,22 @@ To validate on Desktop, do the following:
Pro
Yes
-
Yes
+
No
Business
Yes
-
Yes
+
No
Enterprise
Yes
-
Yes
+
No
Education
Yes
-
Yes
+
No
@@ -2275,4 +2275,4 @@ ADMX Info:
-
\ No newline at end of file
+
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index f243b06ff1..c38caf5830 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3494,22 +3494,22 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
Pro
Yes
-
Yes
+
No
Business
Yes
-
Yes
+
No
Enterprise
Yes
-
Yes
+
No
Education
Yes
-
Yes
+
No
@@ -3569,22 +3569,22 @@ The following list shows the supported values:
Pro
Yes
-
Yes
+
No
Business
Yes
-
Yes
+
No
Enterprise
Yes
-
Yes
+
No
Education
Yes
-
Yes
+
No
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index f82377ff80..7a1fa1b52f 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -82,8 +82,6 @@ items:
href: bulk-assign-and-reclaim-seats-from-user.md
- name: Get seats assigned to a user
href: get-seats-assigned-to-a-user.md
- - name: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
- href: enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
- name: Certificate renewal
href: certificate-renewal-windows-mdm.md
- name: Disconnecting from the management infrastructure (unenrollment)
@@ -151,8 +149,6 @@ items:
items:
- name: BitLocker DDF file
href: bitlocker-ddf-file.md
- - name: BOOTSTRAP CSP
- href: bootstrap-csp.md
- name: BrowserFavorite CSP
href: browserfavorite-csp.md
- name: CellularSettings CSP
@@ -174,8 +170,6 @@ items:
href: clientcertificateinstall-ddf-file.md
- name: CM_CellularEntries CSP
href: cm-cellularentries-csp.md
- - name: CM_ProxyEntries CSP
- href: cm-proxyentries-csp.md
- name: CMPolicy CSP
href: cmpolicy-csp.md
- name: CMPolicyEnterprise CSP
@@ -203,8 +197,6 @@ items:
items:
- name: DeveloperSetup DDF
href: developersetup-ddf.md
- - name: DeviceInstanceService CSP
- href: deviceinstanceservice-csp.md
- name: DeviceLock CSP
href: devicelock-csp.md
items:
diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
index e5e7511669..bb12be25b3 100644
--- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
@@ -12,12 +12,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 06/26/2017
+ms.date: 11/02/2021
---
# Enterprise settings, policies, and app management
-The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).
+The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf).
Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](configuration-service-provider-reference.md).
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index ccd89eb916..cc5b2bff12 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
-ms.date: 10/11/2021
+ms.date: 11/02/2021
ms.reviewer:
manager: dansimp
---
@@ -266,7 +266,7 @@ ADMX Info:
**Status**
-Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device.
+Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device.
Value type is integer. Supported operation is Get.
@@ -275,11 +275,13 @@ Value type is integer. Supported operation is Get.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
+ > [!IMPORTANT]
+ > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
-- Bit 6 - Set to 1 when system reboot is required.
+- Bit 6 - Set to 1 when system reboot is required.
**PlatformStatus**
-Added in Windows 10, version 2004. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
+Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
Value type is integer. Supported operation is Get.
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 6170a3e35e..24868ba91e 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -190,14 +190,8 @@
href: wcd/wcd-admxingestion.md
- name: AssignedAccess
href: wcd/wcd-assignedaccess.md
- - name: AutomaticTime
- href: wcd/wcd-automatictime.md
- name: Browser
href: wcd/wcd-browser.md
- - name: CallAndMessagingEnhancement
- href: wcd/wcd-callandmessagingenhancement.md
- - name: Calling
- href: wcd/wcd-calling.md
- name: CellCore
href: wcd/wcd-cellcore.md
- name: Cellular
@@ -218,8 +212,6 @@
href: wcd/wcd-developersetup.md
- name: DeviceFormFactor
href: wcd/wcd-deviceformfactor.md
- - name: DeviceInfo
- href: wcd/wcd-deviceinfo.md
- name: DeviceManagement
href: wcd/wcd-devicemanagement.md
- name: DeviceUpdateCenter
@@ -236,10 +228,6 @@
href: wcd/wcd-folders.md
- name: HotSpot
href: wcd/wcd-hotspot.md
- - name: InitialSetup
- href: wcd/wcd-initialsetup.md
- - name: InternetExplorer
- href: wcd/wcd-internetexplorer.md
- name: KioskBrowser
href: wcd/wcd-kioskbrowser.md
- name: Licensing
@@ -247,23 +235,13 @@
- name: Location
href: wcd/wcd-location.md
- name: Maps
- href: wcd/wcd-maps.md
- - name: Messaging
- href: wcd/wcd-messaging.md
- - name: ModemConfigurations
- href: wcd/wcd-modemconfigurations.md
- - name: Multivariant
- href: wcd/wcd-multivariant.md
+ href: wcd/wcd-maps.md
- name: NetworkProxy
href: wcd/wcd-networkproxy.md
- name: NetworkQOSPolicy
- href: wcd/wcd-networkqospolicy.md
- - name: NFC
- href: wcd/wcd-nfc.md
+ href: wcd/wcd-networkqospolicy.md
- name: OOBE
- href: wcd/wcd-oobe.md
- - name: OtherAssets
- href: wcd/wcd-otherassets.md
+ href: wcd/wcd-oobe.md
- name: Personalization
href: wcd/wcd-personalization.md
- name: Policies
@@ -271,13 +249,9 @@
- name: Privacy
href: wcd/wcd-privacy.md
- name: ProvisioningCommands
- href: wcd/wcd-provisioningcommands.md
- - name: RcsPresence
- href: wcd/wcd-rcspresence.md
+ href: wcd/wcd-provisioningcommands.md
- name: SharedPC
- href: wcd/wcd-sharedpc.md
- - name: Shell
- href: wcd/wcd-shell.md
+ href: wcd/wcd-sharedpc.md
- name: SMISettings
href: wcd/wcd-smisettings.md
- name: Start
@@ -293,11 +267,7 @@
- name: TabletMode
href: wcd/wcd-tabletmode.md
- name: TakeATest
- href: wcd/wcd-takeatest.md
- - name: TextInput
- href: wcd/wcd-textinput.md
- - name: Theme
- href: wcd/wcd-theme.md
+ href: wcd/wcd-takeatest.md
- name: Time
href: wcd/wcd-time.md
- name: UnifiedWriteFilter
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 351f09ce8e..4fd1194b2e 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -1,6 +1,6 @@
---
title: Add image for secondary Microsoft Edge tiles (Windows 10)
-description:
+description: Add app tiles on Windows 10 that's a secondary tile.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -18,7 +18,6 @@ manager: dansimp
**Applies to**
- Windows 10
-- Windows 10 Mobile
App tiles are the Start screen tiles that represent and launch an app. A tile that allows a user to go to a specific location in an app is a *secondary tile*. Some examples of secondary tiles include:
@@ -43,7 +42,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
**Example of secondary tiles in XML generated by Export-StartLayout**
-```
+```xml
.xml
```
+
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
- Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
-
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet does not append the file name extension, and the policy settings require the extension.
+
3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
- - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images.
-
+ - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images.
+
4. In Windows PowerShell, enter the following command:
- ```
+ ```powershell
Export-StartLayoutEdgeAssets assets.xml
```
@@ -91,22 +91,38 @@ You can apply the customized Start layout with images for secondary tiles by usi
In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **Configuration profiles** > **Create profile**.
+3. Enter the following properties:
-1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
-2. Select **Device configuration**.
-3. Select **Profiles**.
-4. Select **Create profile**.
-5. Enter a friendly name for the profile.
-6. Select **Windows 10 and later** for the platform.
-7. Select **Device restrictions** for the profile type.
-8. Select **Start**.
-9. In **Start menu layout**, browse to and select your Start layout XML file.
-9. In **Pin websites to tiles in Start menu**, browse to and select your assets XML file.
-10. Select **OK** twice, and then select **Create**.
-11. [Assign the profile to a group](/intune/device-profile-assign).
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile**: Select **Templates** > **Device restrictions**.
->[!NOTE]
->The device restrictions in Microsoft Intune include [other Start settings](/intune/device-restrictions-windows-10#start) that you can also configure in your profile.
+4. Select **Create**.
+5. In **Basics**, enter the following properties:
+
+ - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later.
+ - **Description**: Enter a description for the policy. This setting is optional, but recommended.
+
+6. Select **Next**.
+
+7. In **Configuration settings**, select **Start**. Configure the following properties:
+
+ - **Start menu layout**: Browse to, and select your Start layout XML file.
+ - **Pin websites to tiles in Start menu**: Browse to, and select your assets XML file.
+
+ There are more Start menu settings you can configure. For more information on these settings, see [Start settings in Intune](/intune/device-restrictions-windows-10#start)
+
+8. Select **Next**.
+9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+
+ Select **Next**.
+
+10. In **Assignments**, select the users or groups that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
+
+ Select **Next**.
+
+11. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
### Using a provisioning package
@@ -199,7 +215,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
26. Double-click the ppkg file and allow it to install.
- ## Related topics
+## Related articles
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
@@ -207,7 +223,6 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 1f02d08053..000617ec7e 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -21,7 +21,6 @@ ms.date: 4/16/2018
**Applies to**
- Windows 10
-- Windows 10 Mobile
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
@@ -36,7 +35,7 @@ You can use these tools to configure access to Microsoft Store: AppLocker or Gro
## Block Microsoft Store using AppLocker
-Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile
+Applies to: Windows 10 Enterprise, Windows 10 Education
AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers.
@@ -100,23 +99,9 @@ You can also use Group Policy to manage access to Microsoft Store.
> [!Important]
> Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store.
-## Block Microsoft Store on Windows 10 Mobile
-
-
-Applies to: Windows 10 Mobile
-
-If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 CSPs with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Microsoft Store app.
-
-When your MDM tool supports Microsoft Store for Business, the MDM can use these CSPs to block Microsoft Store app:
-
-- [Policy](/windows/client-management/mdm/policy-configuration-service-provider)
-
-- [EnterpriseAssignedAccess](/windows/client-management/mdm/enterpriseassignedaccess-csp) (Windows 10 Mobile, only)
-
-For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-windows-store-for-business).
-
## Show private store only using Group Policy
-Applies to Windows 10 Enterprise, version 1607, Windows 10 Education
+
+Applies to Windows 10 Enterprise, Windows 10 Education
If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md
index 3ac49ccd7e..8d4bfbfc06 100644
--- a/windows/configuration/wcd/wcd-accountmanagement.md
+++ b/windows/configuration/wcd/wcd-accountmanagement.md
@@ -19,13 +19,13 @@ Use these settings to configure the Account Manager service.
## Applies to
-| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [DeletionPolicy](#deletionpolicy) | | | | X | |
-| [EnableProfileManager](#enableprofilemanager) | | | | X | |
-| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | | X | |
-| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | | X | |
-| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | | X | |
+| Settings | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [DeletionPolicy](#deletionpolicy) | | | ✔️ | |
+| [EnableProfileManager](#enableprofilemanager) | | | ✔️ | |
+| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | ✔️ | |
+| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | ✔️ | |
+| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | ✔️ | |
>[!NOTE]
>Although the AccountManagement settings are available in advanced provisioning for other editions, you should only use them for HoloLens devices.
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index f5ef92247d..a6462788e1 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -19,7 +19,7 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac
## Applies to
-| Setting groups | Desktop editions | Surface Hub | HoloLens | IoT Core |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
| [Azure](#azure) | ✔️ | ✔️ | ✔️ | |
| [ComputerAccount](#computeraccount) | ✔️ | ✔️ | | ✔️ |
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index 9a474ff6c8..1116a54650 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -26,10 +26,10 @@ Starting in Windows 10, version 1703, you can import (*ingest*) select Group Pol
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | X | | | | |
-| [ConfigOperations](#configoperations) | X | | | | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | |
+| [ConfigOperations](#configoperations) | ✔️ | | | |
## ConfigADMXInstalledPolicy
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index a891fbcb93..36eb055038 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -19,10 +19,10 @@ Use this setting to configure single use (kiosk) devices.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | |
-| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | | X | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [AssignedAccessSettings](#assignedaccesssettings) | ✔️ | | ✔️ | |
+| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | ✔️ | | ✔️ | |
## AssignedAccessSettings
@@ -31,9 +31,7 @@ Enter the account and the application you want to use for Assigned access, using
**Example**:
-```
-{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
-```
+`{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`
## MultiAppAssignedAccessSettings
diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md
deleted file mode 100644
index 53200de533..0000000000
--- a/windows/configuration/wcd/wcd-automatictime.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: AutomaticTime (Windows 10)
-description: This section describes the AutomaticTime settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 04/30/2018
-ms.reviewer:
-manager: dansimp
----
-
-# AutomaticTime (Windows Configuration Designer reference)
-
-Use these settings to configure automatic time updates. Mobile devices primarily rely on Network Identify and Time zone (NITZ), which is provided by the mobile operator, to automatically update the time on the device. When NITZ is available from the cellular network, there are no issues maintaining accurate time in devices. However, for devices that do not have a SIM or have had the SIM removed for some time, or for devices that have a SIM but NITZ is not supported, the device may run into issues maintaining accurate time on the device.
-
-The OS includes support for Network Time Protocol (NTP), which enables devices to receive time when NITZ is not supported or when cellular data is not available. NTP gets the time by querying a server at a specified time interval. NTP is based on Coordinated Universal Time (UTC) and doesn't support time zone or daylight saving time so users will need to manually update the time zone after an update from NTP if users move between time zones.
-
-## Applies to
-
-| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [EnableAutomaticTime](#enableautomatictime) | | X | | | |
-| [NetworkTimeUpdateThreshold](#networktimeupdatethreshold) | | X | | | |
-| [NTPEnabled](#ntpenabled) | | X | | | |
-| [NTPRegularSyncInterval](#ntpregularsyncinterval) | | X | | | |
-| [NTPRetryInterval](#ntpretryinterval) | | X | | | |
-| [NTPServer](#ntpserver) | | X | | | |
-| [PreferredSlot](#preferredslot) | | X | | | |
-
-## EnableAutomaticTime
-
-Set to **True** to enable automatic time and to **False** to disable automatic time.
-
-## NetworkTimeUpdateThreshold
-
-Specify the difference (in number of seconds) between the NITZ information and the current device time before a device time update is triggered.
-
-## NTPEnabled
-
-Set to **True** to enable the NTP client and to **False** to disable the NTP client.
-
-## NTPRegularSyncInterval
-
-Set the regular sync interval for phones that are set to use Network Time Protocol (NTP) time servers. Select a value between `1` and `168` hours, inclusive, The default sync interval is `12` hours.
-
-
-## NTPRetryInterval
-
-Set the retry interval if the regular sync fails. Select a value between `1` and `24` hours, inclusive.
-
-## NTPServer
-
-Change the default NTP server for phones that are set to use NTP. To enumerate the NTP source server(s) used by the NTP client, set the value for NTPServer to a list of server names, delimited by semi-colons.
-
-**Example**:
-
-```
-ntpserver1.contoso.com;ntpserver2.fabrikam.com;ntpserver3.contoso.com
-```
-
-The list should contain one or more server names. The default NTP source server value is `time.windows.com`.
-
-
-
-
-
-## PreferredSlot
-
-Specify which UICC slot will be preferred for NITZ handling on a C+G dual SIM phone.
-
-- Set to `0` to use the UICC in Slot 0 for NITZ handling.
-- Set to '1' to use the UICC in Slot 1 for NITZ handling.
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index d7e8ff6e10..3b57376dae 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -19,13 +19,13 @@ Use to configure browser settings that should only be set by OEMs who are part o
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowPrelaunch](#allowprelaunch) | | | X | | |
-| [FavoriteBarItems](#favoritebaritems) | X | | | | |
-| [Favorites](#favorites) | | X | | | |
-| [PartnerSearchCode](#partnersearchcode) | X | X | X | | |
-| [SearchProviders](#searchproviders) | | X | | | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [AllowPrelaunch](#allowprelaunch) | | ✔️ | | |
+| [FavoriteBarItems](#favoritebaritems) | ✔️ | | | |
+| [Favorites](#favorites) | | | | |
+| [PartnerSearchCode](#partnersearchcode) | ✔️ | ✔️ | | |
+| [SearchProviders](#searchproviders) | | | | |
## AllowPrelaunch
@@ -76,9 +76,6 @@ OEMs who are part of the program only have one PartnerSearchCode and this should
Contains the settings you can use to configure the default and additional search providers.
-Microsoft Bing is the default search provider for Windows 10 Mobile. The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default).
-
-
### Default
Use *Default* to specify a name that matches one of the search providers you enter in [SearchProviderList](#searchproviderlist). If you don't specify a default search provider, this will default to Microsoft Bing.
@@ -104,8 +101,3 @@ For example, to specify Yandex in Russia and Commonwealth of Independent States
When configured with multiple search providers, the browser can display up to ten search providers.
->[!IMPORTANT]
->Microsoft Bing is the default search provider for Windows 10 Mobile. The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default).
-
-
-
diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
deleted file mode 100644
index d841991b53..0000000000
--- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: CallAndMessageEnhancement (Windows 10)
-description: This section describes the CallAndMessagingEnhancement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/21/2017
-ms.reviewer:
-manager: dansimp
----
-
-# CallAndMessagingEnhancement (Windows Configuration Designer reference)
-
-Use to configure call origin and blocking apps.
-
->[!IMPORTANT]
->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
-
-## Applies to
-
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [BlockingApp](#blockingapp) | | X | | | |
-| [CallOriginApp](#calloriginapp) | | X | | | |
-
-## BlockingApp
-
-| Setting | Value | Description |
-| --- | --- | --- |
-| ActiveBlockingAppUserModelId | AUMID | The AUMID of the application that will be set as the active blocking app by default. |
-| DefaultBlockingAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active blocking app if the user uninstalls the current active blocking app. This app should be uninstallable. |
-
-## CallOriginApp
-
-| Setting | Value | Description |
-| --- | --- | --- |
-| ActiveCallOriginAppUserModelId | AUMID | The AUMID of the application to be set as the active call origin provider app by default. |
-| DefaultCallOriginAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active call origin provider app if the user uninstalls the current active call origin app. This app should be uninstallable. |
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
deleted file mode 100644
index d346a04e2c..0000000000
--- a/windows/configuration/wcd/wcd-calling.md
+++ /dev/null
@@ -1,218 +0,0 @@
----
-title: Calling (Windows 10)
-description: This section describes the Calling settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 04/30/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Calling (Windows Configuration Designer reference)
-
-Use to configure settings for Calling.
-
->[!IMPORTANT]
->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
-
-## Applies to
-
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-
-## Branding
-
-See [Branding for phone calls](/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls).
-
-## CallIDMatchOverrides
-
-Enter a GEOID, select **Add**, and then enter the number of digits for matching caller ID.
-
-For a list of GEOID codes and default number of digits for each country/region, see [Overriding the OS default minimu number of digits for caller ID matching](/windows-hardware/customize/mobile/mcsf/caller-id-matching#a-href-idoverriding-os-default-min-number-digitsaoverriding-the-os-default-minimum-number-of-digits-for-caller-id-matching).
-
-## CauseCodeRegistrationTable
-
-See [Cause codes](/windows-hardware/customize/mobile/mcsf/cause-codes).
-
-
-## CDMAHeuristics
-
-CDMA Heuristics (on by default) makes CDMA calling more user-friendly by exposing an interface that supports multiple calls with call waiting, swapping, and three-way calling.
-
-For **CDMAPriorityCallPrefix**, enter a custom call prefix that would allow the user to override an ongoing call with a remote party mostly used in emergency services and law enforcement.
-
-Set **DisableCdmaHeuristics** to **True** to disable the built-in heuristics.
-
-
-## PartnerAppSupport
-
-See [Dialer codes to launch diagnostic applications](/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications).
-
-## PerSimSettings
-
-Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the following settings.
-
-### Critical
-
-Setting | Description
---- | ---
-MOSimFallbackVoicemailNumber | Partners who do not have the voicemail numbers on the device SIM can configure the voicemail number for their devices. If the voicemail number is not on the SIM and the registry key is not set, the default voicemail will not be set and the user will need to set the number. Set MOSimFallbackVoicemailNumber to the voicemail number that you want to use for the phone.
-SimOverrideVoicemailNumber | Mobile operators can override the voicemail number on the UICC with a different voicemail number that is configured in the registry. Set SimOverrideVoicemailNumber to a string that contains the digits of the voicemail number to use instead of the voicemail number on the UICC.
-
-
-### General
-
-Setting | Description
---- | ---
-AllowMixedAudioVideoConferencing | Set as **True** to enable audio and video calls in the same conference.
-AllowVideoConferencing | Set as **True** to enable the ability to conference video calls.
-AutoDismissUssedWaitingDialog | Set as **True** to enable automatic dismissal of "Waiting" dialog on USSD session termination.
-CallerIdBlockingPrefixList | Enter a list of prefixes which will not see the caller ID. Use a semicolon (;) as a delimiter.
-DefaultCallerIdSetting | Configure the default setting for caller ID. Select between `No one`, `Only contacts`, `Every one`, and `Network default`. If set to `Network default`, set `ShowCallerIdNetworkDefaultSetting` to **True**.
-DefaultEnableVideoCalling | Set as **True** to enable LTE video calling as the default setting.
-DefaultEnableVideoCapability | Set as **True** to enable LTE video capability sharing as the default setting.
-EnableSupplementaryServiceEraseToDeactivateOverride | Enables conversion of supplementary service erase commands to deactivate commands.
-IgnoreCallerIdBlockingPrefix | DO NOT USE
-IgnoreMWINotifications | Set as **True** to configure the voicemail system so the phone ignores message waiting indicator (MWI) notifications.
-IgnoreProhibitedDialingPrefix | Ignore prohibited dialing prefix. An OEM/MO can specify a certain set of strings by region that when dialed will block a user's caller ID from being displayed on the device receiving the call. The list is separated by semicolon. This setting does not apply beyond Windows 10, version 1709.
-IgnoreUssdExclusions | Set as **True** to ignore Unstructured Supplementary Service Data (USSD) exclusions.
-ProhibitedDialingPrefixList | A semicolon delimited list of previxes that are prohibited from being dialed.
-ResetCallForwarding | When set to **True**, user is provided with an option to retry call forwarding settings query.
-ShowCallerIdNetworkDefaultSetting | Indicates whether the network default setting can be allowed for outgoing caller ID.
-ShowVideoCallingSwitch | Use to specify whether to show the video capability sharing switch on the mobile device's Settings screen.
-ShowVideoCapabilitySwitch | Configure the phone settings to show the video capability sharing switch.
-SupressVideoCallingChargesDialog | Configure the phone settings CPL to suppress the video calling charges dialog.
-UssdExclusionList | List used to exclude predefined USSD entries, allowing the number to be sent as standard DTMF tones instead. Set UssdExclusionList to the list of desired exclusions, separated by semicolons. For example, setting the value to 66;330 will override 66 and 330. Leading zeros are specified by using F. For example, to override code 079, set the value to F79. If you set UssdExclusionList, you must set IgnoreUssdExclusions as well. Otherwise, the list will be ignored. See [List of USSD codes](#list-of-ussd-codes) for values.
-WiFiCallingOperatorName | Enter the operator name to be shown when the phone is using WiFi calling. If you don't set a value for WiFiCallingOperatorName, the device will always display **SIMServiceProviderName Wi-Fi**, where *SIMServiceProviderName* is a string that corresponds to the SPN for the SIM on the device. If the service provider name in the SIM is not set, only **Wi-Fi** will be displayed.
-
-### HDAudio
-
-To customize call progress branding when a call is made using a specific audio codec, select the audio codec from the dropdown menu and select **Add**. Select the codec in **Available Customizations** and then enter a text string (up to 10 characters) to be used for call progress branding for calls using that codec. For more information, see [Use HD audio codec for call branding](/windows-hardware/customize/mobile/mcsf/use-hd-audio-codec-for-call-branding).
-
-### IMSSubscriptionUpdate
-
-These are Verizon/Sprint-only settings to allow the operator to send an OMA-DM update to the device with the given alert characteristics, which are defined between the mobile operator and OEM, which in turn will inform the device to turn on or off IMS.
-
-### RoamingNumberOverrides
-
-See [Dial string overrides when roaming](/windows-hardware/customize/mobile/mcsf/dial-string-overrides-when-roaming).
-
-## PhoneSettings
-
-Setting | Description
---- | ---
-AdjustCDMACallTime | Change the calculation of CDMA call duration to exclude the time before the call connects.
-AssistedDialSetting | Turn off the international assist feature that helps users with the country codes needed for dialing international phone numbers.
-CallIDMatch | Sets the number of digits that the OS will try to match against contacts for Caller ID. For any country/region that doesn't exist in the default mapping table, mobile operators can use this legacy CallIDMatch setting to specify the minimum number of digits to use for matching caller ID.
-CallRecordingOff | Indicates if call recording is turned off. Users will not see the call recording functionality when this is set to **True**.
-ConferenceCallMaximumPartyCount | Enter a number to limit the number of parties that can participate in a conference call.
-ContinuousDTMFEnabled | Enable DTMF tone duration for as long as the user presses a dialpad key.
-DisableVideoUpgradeStoreNavigation | If there are no compatible video upgrade apps installed, tapping the video upgrade button will launch a dialog that will navigate to the Microsoft Store. If this option is enabled, it will show a dialog that informs the user that no video app is installed, but it will not navigate to the Microsoft Store.
-DisableVoicemailPhoneNumberDisplay | Disable the display of the voicemail phone number below the Voicemail label in call progress dialog.
-DisplayNoDataMessageDuringCall | Display a message to the user indicating that there is no Internet connectivity during a phone call.
-DisplayNumberAsDialed | Display the outgoing number "as dialed" rather than "as connected".
-EnableVideoCalling | Set to **True** to enable video calling.
-HideCallForwarding | Partners can hide the user option to turn on call forwarding. By default, users can decide whether to turn on call forwarding. Partners can hide this user option so that call forwarding is permanently disabled.
-HideSIMSecurityUI | Hide the SIM Security panel from phone Settings.
-LowVideoQualityTimeout | Configure the phone timer to automatically drop video when the quality is low, in milliseconds.
-MinTimeBetweenCallSwaps | Configure how often the user can swap between two active phone calls, in milliseconds.
-PromptVideoCallingCharges | Prompt user for charges associated with video calls.
-ShowLongTones | Partners can make a user option visible that makes it possible to toggle between short and long DTMF tones, instead of the default continuous tones. By default, the phone supports Dual-Tone Multi-frequency (DTMF) with continuous tones. Partners can make a user option visible that makes it possible to toggle between short and long tones instead.
-UseOKForUssdDialogs | OEMs can change the button label in USSD dialogs from **Close** (the default) to **OK**.
-UseVoiceDomainForEmergencyCallBranding | Use voice domain to decide whether to use **Emergency calls only** or **No service** in branding.
-VideoCallingChargesMessage | Enter text for the message informing the user about the charges associated with video calls.
-VideoCallingChargesTitle | Enter text for the title of the dialog informing the user about the charges associated with video calls.
-VideoCallingDescription | Enter text to describe the video calling feature.
-VideoCallingLabel | Enter text to describe the video calling toggle.
-VideoCapabilityDescription | Enter text to describe the video capability feature.
-VideoCapabilityLabel | Enter text to describe the video capability toggle.
-VideoTransitionTimeout | Enter the time in milliseconds to check how long the video transition state will remain until the remote party responds. The minimum value is 10000 and the maximum value is 30000.
-VoLTEAudioQualityString | Partners can add a string to the call progress screen to indicate if the active call is a high quality voice over LTE (VoLTE). Set the value of VoLTEAudioQualityString to the string that you want to display in the call progress screen to indicate that the call is a VoLTE call. This string is combined with the PLMN so if the string is "VoLTE", the resulting string is "PLMN_String VoLTE". For example, the string displayed in the call progress screen can be "Litware VoLTE" if the PLMN_String is "Litware". The value you specify for VoLTEAudioQualityString must exceed 10 characters.
-
-
-## PhoneShellUI
-
-Setting | Description
---- | ---
-EnableSoftwareProximitySensorMitigation | Enable software proximity sensor mitigation.
-
-## PhoneSmsFilter
-
-Setting | Description
---- | ---
-AppId | Enter the app ID for your phone call/SMS filter application.
-
-## SupplementaryServiceCodeOverrides
-
-See [Dialer codes for supplementary services](/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services).
-
-## VoicemailRegistrationTable
-
-Configure these settings to customize visual voicemail in the Windows 10 Mobile UI. For settings and values, see [Visual voicemail](/windows-hardware/customize/mobile/mcsf/visual-voicemail).
-
-
-## List of USSD codes
-
-
-Codes | Description | DWORD Value
---- | --- | ---
-04 | CHANGEPIN | 000000F4
-042 | CHANGEPIN2 | 00000F42
-05 | UNBLOCKPIN | 000000F5
-052 | UNBLOCKPIN2 | 00000F52
-03 | SSCHANGEPASSWORD | 000000F3
-75 | EMLPPBASE | 00000075
-750 | EMLPPLEVEL0 | 00000750
-751 | EMLPPLEVEL1 | 00000751
-752 | EMLPPLEVEL2 | 00000752
-753 | EMLPPLEVEL3 | 00000753
-754 | EMLPPLEVEL4 | 00000754
-66 | CALLDEFLECT | 00000066
-30 | CALLIDCLIP | 00000030
-31 | CALLIDCLIR | 00000031
-76 | CALLIDCOLP | 00000076
-77 | CALLIDCOLR | 00000077
-21 | FWDUNCONDITIONAL | 00000021
-67 | FWDBUSY | 00000067
-61 | FWDNOREPLY | 00000061
-62 | FWDNOTREACHABLE | 00000062
-002 | FWDALL | 00000FF2
-004 | FWDALLCONDITIONAL | 00000FF4
-43 | CALLWAITING | 00000043
-360 | UUSALL | 00000360
-361 | UUSSERVICE1 | 00000361
-362 | UUSSERVICE2 | 00000362
-363 | UUSSERVICE3 | 00000363
-33 | BARROUT | 00000033
-331 | BARROUTINTL | 00000331
-332 | BARROUTINTLEXTOHOME | 00000332
-35 | BARRIN | 00000035
-351 | BARRINROAM | 00000351
-330 | BARRALL | 00000330
-333 | BARRALLOUT | 00000333
-353 | BARRALLIN | 00000353
-354 | BARRINCOMINGINTERMEDIATE | 00000354
-96 | CALLTRANSFER | 00000096
-37 | CALLCOMPLETEBUSY | 00000037
-070 | PNP0 | 00000F70
-071 | PNP1 | 00000F71
-072 | PNP2 | 00000F72
-073 | PNP3 | 00000F73
-074 | PNP4 | 00000F74
-075 | PNP5 | 00000F75
-076 | PNP6 | 00000F76
-077 | PNP7 | 00000F77
-078 | PNP8 | 00000F78
-079 | PNP9 | 00000F79
-300 | CALLCNAP | 00000300
-591 | MSP1 | 00000591
-592 | MSP2 | 00000592
-593 | MSP3 | 00000593
-594 | MSP4 | 00000594
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index de0d3359b2..56d5c63695 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -24,26 +24,26 @@ Use to configure settings for cellular data.
## Applies to
- Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core
- --- | :---: | :---: | :---: | :---: | :---:
- PerDevice: [CellConfigurations](#cellconfigurations) | | X | | | |
- PerDevice: [CellData](#celldata) | X | X | X | |
- PerDevice: [CellUX](#cellux) | X | X | X | |
- PerDevice: [CGDual](#cgdual) | | X | | |
- PerDevice: [eSim](#esim) | X | X | X | |
- PerDevice: [External](#external) | | X | | |
- PerDevice: [General](#general) | | X | | |
- PerDevice: [RCS](#rcs) | | X | | |
- PerDevice: [SMS](#sms) | X | X | X | |
- PerDevice: [UIX](#uix) | | X | | |
- PerDevice: [UTK](#utk) | | X | | |
- PerlMSI: [CellData](#celldata2) | | X | | |
- PerIMSI: [CellUX](#cellux2) | | X | | |
- PerIMSI: [General](#general2) | | X | | |
- PerIMSI: [RCS](#rcs2) | | X | | |
- PerIMSI: [SMS](#sms2) | X | X | X | |
- PerIMSI: [UTK](#utk2) | | X | | |
- PerIMSI: [VoLTE](#volte) | | X | | |
+ Setting groups | Windows client | Surface Hub | HoloLens | IoT Core
+ --- | :---: | :---: | :---: | :---:
+ PerDevice: [CellConfigurations](#cellconfigurations) | | | | |
+ PerDevice: [CellData](#celldata) | ✔️ | ✔️ | |
+ PerDevice: [CellUX](#cellux) | ✔️ | ✔️ | |
+ PerDevice: [CGDual](#cgdual) | | | |
+ PerDevice: [eSim](#esim) | ✔️ | ✔️ | |
+ PerDevice: [External](#external) | | | |
+ PerDevice: [General](#general) | | | |
+ PerDevice: [RCS](#rcs) | | | |
+ PerDevice: [SMS](#sms) | ✔️ | ✔️ | |
+ PerDevice: [UIX](#uix) | | | |
+ PerDevice: [UTK](#utk) | | | |
+ PerlMSI: [CellData](#celldata2) | | | |
+ PerIMSI: [CellUX](#cellux2) | | | |
+ PerIMSI: [General](#general2) | | | |
+ PerIMSI: [RCS](#rcs2) | | | |
+ PerIMSI: [SMS](#sms2) | ✔️ | ✔️ | |
+ PerIMSI: [UTK](#utk2) | | | |
+ PerIMSI: [VoLTE](#volte) | | | |
## PerDevice
@@ -124,7 +124,7 @@ ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency cal
ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message.
SlotSelectionSim1Name | Enter text for the name of SIM 1 in slot selection UI.
SlotSelectionSim2Name | Enter text for the name of SIM 2 in slot selection UI.
-SuppressDePersoUI | Select **Yes** to hide the perso unlock UI.
+SuppressDePersoUI | Select **Yes** to hide the Perso unlock UI.
### CGDual
@@ -228,11 +228,11 @@ UserEnabled | Select **Yes** to show the user setting if RCS is enabled on the d
| SmsStoreDeleteSize | Set the number of messages that can be deleted when a "message full" indication is received from the modem. |
| SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. |
| Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. |
-| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. |
+| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recipient address**, or **network connectivity trouble**. |
| Type3GPP > IMS > AttemptThresholdForIMS | Set the maximum number of tries to send SMS on IMS. |
| Type3GPP > IMS > RetryEnabled | Configure whether to enable one automatic retry after failure to send over IMS. |
| Type 3GPP > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. |
-| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. |
+| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recipient address**, or **network connectivity trouble**. |
| Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. |
### UIX
@@ -385,9 +385,9 @@ See descriptions in Windows Configuration Designer.
| SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message. |
| SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. |
| Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. |
-| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. |
+| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recipient address**, or **network connectivity trouble**. |
| Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. |
-| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. |
+| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recipient address**, or **network connectivity trouble**. |
| Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. |
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index 2a3982c0d3..825f43c4c2 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -21,9 +21,9 @@ Use to configure settings for cellular connections.
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
## PerDevice
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md
index 79d200e65c..ca41ffe27e 100644
--- a/windows/configuration/wcd/wcd-certificates.md
+++ b/windows/configuration/wcd/wcd-certificates.md
@@ -25,9 +25,9 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All setting groups | X | X | X | X | X |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All setting groups | ✔️ | ✔️ | ✔️ | ✔️ |
## CACertificates
diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md
index 17750d5db9..32bdc154b2 100644
--- a/windows/configuration/wcd/wcd-cleanpc.md
+++ b/windows/configuration/wcd/wcd-cleanpc.md
@@ -19,10 +19,10 @@ Use to remove user-installed and pre-installed applications, with the option to
## Applies to
-| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| CleanPCRetainingUserData | X | | | | |
-| CleanPCWithoutRetainingUserData | X | | | | |
+| Settings | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| CleanPCRetainingUserData | ✔️ | | | |
+| CleanPCWithoutRetainingUserData | ✔️ | | | |
For each setting, the options are **Enable** and **Not configured**.
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 807e392469..5c59173b68 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -19,9 +19,9 @@ Use to configure settings related to various types of phone connections.
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | X | X | | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | ✔️ | | |
For each setting group:
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index 248a5ab250..33b7de451b 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -19,14 +19,14 @@ Use to configure profiles that a user will connect with, such as an email accoun
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [Email](#email) | X | X | X | | |
-| [Exchange](#exchange) | X | X | X | | |
-| [KnownAccounts](#knownaccounts) | X | X | X | | |
-| [VPN](#vpn) | X | X | X | X | |
-| [WiFiSense](#wifisense) | X | X | X | | |
-| [WLAN](#wlan) | X | X | X | X | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [Email](#email) | ✔️ | ✔️ | | |
+| [Exchange](#exchange) | ✔️ | ✔️ | | |
+| [KnownAccounts](#knownaccounts) | ✔️ | ✔️ | | |
+| [VPN](#vpn) | ✔️ | ✔️ | ✔️ | |
+| [WiFiSense](#wifisense) | ✔️ | ✔️ | | |
+| [WLAN](#wlan) | ✔️ | ✔️ | ✔️ | |
## Email
@@ -118,8 +118,8 @@ Configure settings to change the default maximum transmission unit ([MTU](#mtu))
| --- | --- |
| **ProfileType** | Choose between **Native** and **Third Party** |
| AlwaysOn | Set to **True** to automatically connect the VPN at sign-in |
-| ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi neetwork as the VPN client can bypass VPN |
-| DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is usedas the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. |
+| ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi network as the VPN client can bypass VPN |
+| DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is used as the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. |
| LockDown | When set to **True**:- Profile automatically becomes an "always on" profile- VPN cannot be disconnected-If the profile is not connected, the user has no network connectivity- No other profiles can be connected or modified |
| Proxy | Configure to **Automatic** or **Manual** |
| ProxyAutoConfigUrl | When **Proxy** is set to **Automatic**, enter the URL to automatically retrieve the proxy settings |
@@ -135,7 +135,7 @@ AuthenticationUserMethod | When you set **NativeProtocolType** to **IKEv2**, cho
EAPConfiguration | When you set **AuthenticationUserMethod** to **EAP**, enter the HTML-encoded XML to configure EAP. For more information, see [EAP configuration](/windows/client-management/mdm/eap-configuration).
NativeProtocolType | Choose between **PPTP**, **L2TP**, **IKEv2**, and **Automatic**.
RoutingPolicyType | Choose between **SplitTunnel**, in which traffic can go over any interface as determined by the networking stack, and **ForceTunnel**, in which all IP traffic must go over the VPN interface.
-Server | Enter the public or routable IP address or DNS name for the VPN gateway. It can point to the exteranl IP of a gateway or a virtual IP for a server farm.
+Server | Enter the public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm.
When **ProfileType** is set to **Third Party**, the following additional settings are available.
@@ -201,4 +201,4 @@ Enter a SSID, click **Add**, and then configure the following settings for the S
| ProxyServerPort | (Optional) Specify the configuration of the network proxy as **host:port**. A proxy server host and port can be specified per connection for Windows 10 for mobile devices. The host can be server name, FQDN, or SLN or IPv4 or IPv6 address. This proxy configuration is only supported in Windows 10 for mobile devices. Using this configuration in Windows 10 for desktop editions will result in failure. |
| AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. |
| HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden. |
-| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**. If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. |
\ No newline at end of file
+| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**. If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. |
diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md
index 3b9642b8e8..81597e49d4 100644
--- a/windows/configuration/wcd/wcd-countryandregion.md
+++ b/windows/configuration/wcd/wcd-countryandregion.md
@@ -19,8 +19,8 @@ Use to configure a setting that partners must customize to ship Windows devices
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| CountryCodeForExtendedCapabilityPrompts | X | X | X | | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| CountryCodeForExtendedCapabilityPrompts | ✔️ | ✔️ | | |
You can set the **CountryCodeForExtendedCapabilityPrompts** setting for **China** to enable additional capability prompts when apps use privacy-sensitive features (such as Contacts or Microphone).
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index 2d6ed40d77..e18abe6ad1 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -19,7 +19,7 @@ Do not use. Instead, use the [Personalization settings](wcd-personalization.md).
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index 6053bddbbd..eee860859f 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -19,22 +19,20 @@ Use to unlock developer mode on HoloLens devices and configure authentication to
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [EnableDeveloperMode](#enabledevelopermode) | | | | X | |
-| [AuthenticationMode](#authenticationmode) | | | | X | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [EnableDeveloperMode](#developersetupsettings-enabledevelopermode) | | | ✔️ | |
+| [AuthenticationMode](#windowsdeviceportalsettings-authentication-mode) | | | ✔️ | |
-
## DeveloperSetupSettings: EnableDeveloperMode
When this setting is configured as **True**, the device is unlocked for developer functionality.
-
## WindowsDevicePortalSettings: Authentication Mode
When AuthenticationMode is set to **Basic Auth**, enter a user name and password to enable the device to connect to and authenticate with the Windows Device Portal.
## Related topics
-- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens)
\ No newline at end of file
+- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens)
diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md
index 0cb8ee869d..b233406d79 100644
--- a/windows/configuration/wcd/wcd-deviceformfactor.md
+++ b/windows/configuration/wcd/wcd-deviceformfactor.md
@@ -19,9 +19,9 @@ Use to identify the form factor of the device.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| DeviceForm | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| DeviceForm | ✔️ | ✔️ | | |
Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization.
diff --git a/windows/configuration/wcd/wcd-deviceinfo.md b/windows/configuration/wcd/wcd-deviceinfo.md
deleted file mode 100644
index 8f5e48d6c7..0000000000
--- a/windows/configuration/wcd/wcd-deviceinfo.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: DeviceInfo (Windows 10)
-description: This section describes the DeviceInfo settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/21/2017
-ms.reviewer:
-manager: dansimp
----
-
-# DeviceInfo (Windows Configuration Designer reference)
-
-Use to configure settings for DeviceInfo.
-
->[!IMPORTANT]
->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
-
-## Applies to
-
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-
-## PhoneMobileOperatorDisplayName
-
-Enter a friendly name for the mobile operator. This string is displayed in the support section of the **Settings > About** screen and in the ringtone list.
-
-## PhoneMobileOperatorName
-
-This setting is used for targeting phone updates. It must contain a code specified by Microsoft that corresponds to the mobile operator. These codes are provided in [Registry values for mobile operator IDs](https://msdn.microsoft.com/library/windows/hardware/dn772250.aspx). For open market phones, in which the mobile operator is not known, use the codes in [Registry values for carrier-unlocked phones](https://msdn.microsoft.com/library/windows/hardware/dn772248.aspx) instead.
-
-This string is not visible to the user.
-
-This setting must not be changed over time even if the user switches SIMs or mobile operators, as updates are always targeted based on the first mobile operator associated with the phone.
-
-The [PhoneManufacturer](/previous-versions/windows/hardware/previsioning-framework/mt138328(v=vs.85)), [PhoneManufacturerModelName](/previous-versions/windows/hardware/previsioning-framework/mt138336(v=vs.85)), and PhoneMobileOperatorName should create a unique Phone-Operator-Pairing (POP).
-
-
-
-## PhoneOEMSupportLink
-
-This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
-
-The default is an empty string (""), which means that a support link will not be displayed to the user.
-
-This setting varies by OEM.
-
-
-## PhoneSupportLink
-
-This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
-
-The default is an empty string (""), which means that a support link will not be displayed to the user.
-
-This setting varies by OEM.
-
-
-## PhoneSupportPhoneNumber
-
-Use to specify the OEM or mobile operator's support contact phone number. The country code is not required. This string is displayed in the About screen in Settings. This setting also corresponds to the Genuine Windows Phone Certificates (GWPC) support number.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 22142d87cb..bb1692d17e 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -19,12 +19,12 @@ Use to configure device management settings.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [Accounts](#accounts) | X | X | X | | |
-| [PGList](#pglist) | X | X | X | | |
-| [Policies](#policies) | X | X | X | | |
-| [TrustedProvisioningSource](#trustedprovisioningsource) | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [Accounts](#accounts) | ✔️ | ✔️ | | |
+| [PGList](#pglist) | ✔️ | ✔️ | | |
+| [Policies](#policies) | ✔️ | ✔️ | | |
+| [TrustedProvisioningSource](#trustedprovisioningsource) | ✔️ | ✔️ | | |
## Accounts
@@ -45,7 +45,7 @@ Use to configure device management settings.
| DisableOnRoaming | Specify whether the client will connect while cellular roaming |
| InitialBackOffTime | Specify the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry |
| InitiateSession | Specify whether a session should be started with the MDM server when the account is provisioned |
-| MaxBackOffTime | Specify the maximum number of milliseconds to wait before attemption a connection retry |
+| MaxBackOffTime | Specify the maximum number of milliseconds to wait before attempting a connection retry |
| Name | Enter a display name for the management server |
| Port | Enter the OMA DM server port |
| PrefConRef | Enter a URI to NAP management object or a connection GUID used by the device Connection Manager |
@@ -92,4 +92,4 @@ In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS).
## Related topics
- [DMAcc configuration service provider (CSP)](/windows/client-management/mdm/dmacc-csp)
-- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp)
\ No newline at end of file
+- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp)
diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md
index 8db59d7617..e72df83e2d 100644
--- a/windows/configuration/wcd/wcd-deviceupdatecenter.md
+++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md
@@ -17,7 +17,7 @@ Do not use **DeviceUpdateCenter** settings at this time.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md
index dfabf75bda..31d0ed7b8c 100644
--- a/windows/configuration/wcd/wcd-dmclient.md
+++ b/windows/configuration/wcd/wcd-dmclient.md
@@ -19,9 +19,9 @@ Use to specify enterprise-specific mobile device management configuration settin
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| UpdateManagementServiceAddress | X | X | X | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| UpdateManagementServiceAddress | ✔️ | ✔️ | | ✔️ |
For the **UpdateManagementServiceAddress** setting, enter a list of servers. The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions.
diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md
index 7b0b331a3a..aaa3c9a10e 100644
--- a/windows/configuration/wcd/wcd-editionupgrade.md
+++ b/windows/configuration/wcd/wcd-editionupgrade.md
@@ -19,11 +19,11 @@ Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [ChangeProductKey](#changeproductkey) | X | X | | | |
-| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | X | X | | X | |
-| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | X | X | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [ChangeProductKey](#changeproductkey) | ✔️ | | | |
+| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | ✔️ | | ✔️ | |
+| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | ✔️ | | | |
## ChangeProductKey
diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md
index f769dc4594..cd505cda87 100644
--- a/windows/configuration/wcd/wcd-firewallconfiguration.md
+++ b/windows/configuration/wcd/wcd-firewallconfiguration.md
@@ -19,9 +19,9 @@ Use to enable AllJoyn router to work on public networks.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| EnableAllJoynOnPublicNetwork | | | | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| EnableAllJoynOnPublicNetwork | | | | ✔️ |
Set to **True** or **False**.
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index b44927ef29..a854a53a49 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -19,9 +19,9 @@ Use these settings to configure the out-of-box experience (OOBE) to set up HoloL
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | | X | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | | ✔️ | |
Setting | Description
--- | ---
diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md
index 38880a5f7d..1eab5f086b 100644
--- a/windows/configuration/wcd/wcd-folders.md
+++ b/windows/configuration/wcd/wcd-folders.md
@@ -19,8 +19,8 @@ Use to add files to the device.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| PublicDocuments | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| PublicDocuments | ✔️ | ✔️ | | |
Browse to and select a file or files that will be included in the provisioning package and added to the public profile documents folder on the target device. You can use the **Relative path to directory on target device** field to create a new folder within the public profile documents folder.
diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md
deleted file mode 100644
index a2ea279640..0000000000
--- a/windows/configuration/wcd/wcd-initialsetup.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: InitialSetup (Windows 10)
-description: This section describes the InitialSetup setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/06/2017
-ms.reviewer:
-manager: dansimp
----
-
-# InitialSetup (Windows Configuration Designer reference)
-
-Use to set the name of the Windows mobile device.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| DeviceName | | X | | | |
-
-In **DeviceName**, enter a name for the device. If **DeviceName** is set to an asterisk (*) or is an empty string, a random device name will be generated.
-
-**DeviceName** is a string with a maximum length of 15 bytes of content:
-
-- **DeviceName** can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.
-- **DeviceName** cannot use spaces or any of the following characters: { | } ~ [ \ ] ^ ' : ; < = > ? @ ! " # $ % ` ( ) + / . , * &, or contain any spaces.
-- **DeviceName** cannot use some non-standard characters, such as emoji.
-
diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md
deleted file mode 100644
index df4ef198d7..0000000000
--- a/windows/configuration/wcd/wcd-internetexplorer.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: InternetExplorer (Windows 10)
-description: This section describes the InternetExplorer settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/06/2017
-ms.reviewer:
-manager: dansimp
----
-
-# InternetExplorer (Windows Configuration Designer reference)
-
-Use to configure settings related to Internet Explorer.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [CustomHTTPHeaders](#customhttpheaders) | | X | | | |
-| [CustomUserAgentString](#customuseragentstring) | | X | | | |
-| DataSaving > [BrowseDataSaver](#browsedatasaver) | | X | | | |
-| DataSaving > [ShowPicturesAutomatically](#showpicturesautomatically) | | X | | | |
-| [FirstRunURL](#firstrunurl) | | X | | | |
-
-## CustomHTTPHeaders
-
-Configure Microsoft Edge to send custom HTTP headers. These will be sent in addition to the default HTTP headers with all HTTP and HTTPS requests. The header is the portion of the HTTP request that defines the form of the message.
-
-- A maximum of 16 custom headers can be defined.
-- Custom headers cannot be used to modify the user agent string.
-- Each header must be no more than 1 KB in length.
-
-The following header names are reserved and must not be overwritten:
-
-- Accept
-- Accept-Charset
-- Accept-Encoding
-- Authorization
-- Expect
-- Host
-- If-Match
-- If-Modified-Since
-- If-None-Match
-- If-Range
-- If-Unmodified-Since
-- Max-Forwards
-- Proxy-Authorization
-- Range
-- Referer
-- TE
-- USER-AGENT
-- X-WAP-PROFILE
-
-1. In **Available customizations**, select **CustomHTTPHeaders**, enter a name, and then click **Add**.
-2. In **Available customizations**, select the name that you just created.
-3. Enter the custom header.
-
-## CustomUserAgentString
-
-The user agent string indicates which browser you are using, its version number, and details about your system, such as operating system and version. A web server can use this information to provide content that is tailored for your specific browser and phone.
-
-The user agent string for the browser cannot be modified. By default, the string has the following format:
-
-`Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; ; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.10166`
-
-- `` is automatically replaced with the OEM name. This is the same as the PhoneManufacturer setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
-- `` is replaced with the device name or phone name. This is the same as the PhoneModelName setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
-
-
-**Limitations and restrictions:**
-
-- The user agent string for the browser cannot be modified outside of the customizations listed above.
-- The user agent type registry setting cannot be modified or used to change the default browser view from Mobile to Desktop.
-
-
-
-## BrowseDataSaver
-
-Use to set the browser data saver default setting. **True** turns on the browser data saver feature.
-
-Partners can configure the default setting for the browser data saver feature by turning the browser optimization service (through the BrowserDataSaver setting) on or off.
-
-
-## ShowPicturesAutomatically
-
-Use to enable or disable whether the **Show pictures automatically** setting is available in Internet Explorer **advanced settings**.
-
-
-## FirstRunURL
-
-Use to set the home page that appears the first time that Microsoft Edge is opened. This page is only shown the first time the browser is opened. After that, the browser displays either the most recently viewed page or an empty page if the user has closed all tabs or opens a new tab.
-
-Specify the **FirstRunURL** value with a valid link that starts with http://. It is recommended you use a forward link that redirects the user to a localized page.
diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md
index 011302e771..b8dc34d1e1 100644
--- a/windows/configuration/wcd/wcd-kioskbrowser.md
+++ b/windows/configuration/wcd/wcd-kioskbrowser.md
@@ -19,12 +19,12 @@ Use KioskBrowser settings to configure Internet sharing.
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | | | X |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | | | ✔️ |
>[!NOTE]
->To configure Kiosk Browser settings for desktop editions, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser).
+>To configure Kiosk Browser settings for Windows client, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser).
Kiosk Browser settings | Use this setting to
--- | ---
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
index b4db1ca601..82adee0181 100644
--- a/windows/configuration/wcd/wcd-licensing.md
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -19,10 +19,10 @@ Use for settings related to Microsoft licensing programs.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | X | | | | |
-| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | ✔️ | | | |
+| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | ✔️ | | | |
## AllowWindowsEntitlementReactivation
diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md
index 2e623a716c..a2989cead5 100644
--- a/windows/configuration/wcd/wcd-location.md
+++ b/windows/configuration/wcd/wcd-location.md
@@ -18,9 +18,9 @@ Use Location settings to configure location services.
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [EnableLocation](#enablelocation) | | | | | X |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [EnableLocation](#enablelocation) | | | | ✔️ |
## EnableLocation
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index dd1ffc9a9a..51aacf0da3 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -18,11 +18,11 @@ Use for settings related to Maps.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [ChinaVariantWin10](#chinavariantwin10) | X | X | X | | |
-| [UseExternalStorage](#useexternalstorage) | X | X | X | | |
-| [UseSmallerCache](#usesmallercache) | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [ChinaVariantWin10](#chinavariantwin10) | ✔️ | ✔️ | | |
+| [UseExternalStorage](#useexternalstorage) | ✔️ | ✔️ | | |
+| [UseSmallerCache](#usesmallercache) | ✔️ | ✔️ | | |
## ChinaVariantWin10
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
deleted file mode 100644
index fabee5c8f9..0000000000
--- a/windows/configuration/wcd/wcd-messaging.md
+++ /dev/null
@@ -1,359 +0,0 @@
----
-title: Messaging (Windows 10)
-description: This section describes the Messaging settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.reviewer:
-manager: dansimp
----
-
-# Messaging (Windows Configuration Designer reference)
-
-Use for settings related to Messaging and Commercial Mobile Alert System (CMAS).
-
->[!IMPORTANT]
->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
-
->[!NOTE]
->CMAS is now known as Wireless Emergency Alerts (WEA).
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-## GlobalSettings
-
-### DisplayCmasLifo
-
-Use this setting to change the order in which CMAS alert messages are displayed, from the default first in/first out (FIFO) message order to last in/first out (LIFO) message order.
-
-If the phone receives at least one CMAS alert message which has not been acknowledged by the user, and another CMAS alert message arrives on the phone, partners can configure the order in which the newly received alert messages are displayed on the phone regardless of the service category of the alert. Users will not be able to change the message order once it has been set.
-
-If partners do not specify a value for this customization, the default FIFO display order is used. Users will be able to acknowledge the messages in the reverse order they were received.
-
-When configured as **True**, you set a LIFO message order. When configured as **False**, you set a FIFO message order.
-
-### EnableCustomLineSetupDialog
-
-Enable this setting to allow custom line setup dialogs in the Messaging app.
-
-### ExtractPhoneNumbersInStrings"
-
-Set as **True** to tag any 5-or-more digit number as a tappable phone number.
-
-### ShowSendingStatus
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages.
-
-### VoicemailIntercept
-
-Partners can define a filter that intercepts an incoming SMS message and triggers visual voicemail synchronization. The filtered message does not appear in the user’s conversation list.
-
-A visual voicemail sync is triggered by an incoming SMS message if the following conditions are met:
-
-- The message sender value starts with the string specified in the SyncSender setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
-
-- The body of the message starts with the string specified in the SyncPrefix setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
-
-- Visual voicemail is configured and enabled. For more information, see [Visual voicemail](https://msdn.microsoft.com/library/windows/hardware/dn790032.aspx).
-
->[!NOTE]
->These settings are atomic, so both SyncSender and SyncPrefix must be set.
->
->The SyncSender and SyncPrefix values vary for each mobile operator, so you must work with your mobile operators to obtain the correct or required values.
-
-Setting | Description
---- | ---
-SyncPrefix | Specify a value for SyncPrefix that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be the keyword for the SMS notification.
-SyncSender | Specify a value for SyncSender that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be a short code of the mailbox server that sends a standard SMS notification.
-
-
-
-## PerSimSettings
-
-Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the following settings.
-
-### AllowMmsIfDataIsOff
-
-Setting | Description
---- | ---
-AllowMmsIfDataIsOff | **True** allows MMS if data is off
-AllowMmsIfDataIsOffSupported | **True** shows the toggle for allowing MMS if data is turned off
-AllowMmsIfDataIsOffWhileRoaming | **True** allows MMS if data is off while roaming
-
-### AllowSelectAllContacts
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709, and later.
-
-Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks.
-
-Windows 10 Mobile supports the following select multiple recipients features:
-
-- A multi-select chooser, which enables users to choose multiple contacts.
-- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM.
-
-### AllowSendingDeliveryReport
-
-Specify whether the phone automatically sends a receipt acknowledgment for MMS messages. Partners can specify whether the phone automatically sends a receipt acknowledgment for MMS messages when they arrive, and they can determine whether users can control the receipt acknowledgments by using the **Send MMS acknowledgment** toggle in **Messaging > settings**. By default, this user setting is visible and turned on.
-
-| Setting | Description |
-| --- | --- |
-| AllowSendingDeliveryReport | **True** sets the **Send MMS acknowledgment** toggle to **On** |
-| AllowSendingDeliveryReportIsSupported | **True** shows the **Send MMS acknowledgment** toggle, and **False** hides the toggle |
-
-### AutomaticallyDownload
-
-Specify whether MMS messages are automatically downloaded.
-
-| Setting | Description |
-| --- | --- |
-| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** |
-| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle |
-
-
-### DefaultContentLocationUrl
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification.
-
-Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC.
-
-### ErrorCodeEnabled
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem.
-
-Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
-
-### EmergencyAlertOptions
-
-Configure settings for CMAS alerts.
-
-Setting | Description
---- | ---
-CmasAMBERAlertEnabled | **True** enables the device to receive AMBER alerts
-CmasExtremeAlertEnabled | **True** enables the device to receive extreme alerts
-CmasSevereAlertEnabled | **True** enables the device to receive severe alerts
-EmOperatorEnabled | Select which Emergency Alerts Settings page is displayed from dropdown menu
-EtwsSoundEnabled | Set to **True** to play Earthquake & Tsunami Warning System (ETWS) sound during alert.
-SevereAlertDependentOnExtremeAlert | When set as **True**, the CMAS-Extreme alert option must be on to modify CMAS-Severe alert option
-
-
-### General
-
-Setting | Description
---- | ---
-AllowSelectAllContacts | Set to **True** to show the **select all contacts/unselect all** menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. Windows 10 Mobile supports the following select multiple recipients features:- A multi-select chooser, which enables users to choose multiple contacts.- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM.
-AllowSMStoSMTPAddress | Allow SMS to SMTP address.
-AssistedDialingMcc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Country Code (MCC) to use for sending SMS.
-AssistedDialingMnc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Network Code (MNC) to use for sending SMS.
-AssistedDialingPlusCodeSupportOverride | For devices that support IMS over SMS, you can override support for the assisted dialing plus (+) code for SMS by setting AssistedDialingPlusCodeSupportOverride. If enabled, the OS will not convert the plus (+) code to the proper assisted number when the user turns on the dialing assist option.
-AutoRetryDownload | You can configure the messaging app to automatically retry downloading an MMS message if the initial download attempt fails. When this customization is enabled, the download is retried 3 times at 20-, 40-, and 60-second intervals.
-BroadcastChannels | You can specify one or more ports from which the device will accept cellular broadcast messages. Set the BroadcastChannels value to the port number(s) that can accept cellular broadcast messages. If you specify the same port that Windows 10 Mobile already recognizes as an Emergency Alert port (a CMAS or ETWS port number) and a cell broadcast message is received on that port, the user will only receive the message once. The message that is received will be displayed as an Emergency Alert message.
-ConvertLongSMStoMMS | For networks that do support MMS and do not support segmentation of SMS messages, you can specify an automatic switch from SMS to MMS for long messages.
-DefaultContentLocationUrl | For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. Set DefaultContentLocationUrl to specify the default GET path within the MMSC.
-EarthquakeMessageString | To override the Primary Earthquake default message, specify the EarthquakeMessageString setting value. This string will be used regardless of what language is set on the device.
-EarthquakeTsunamiMessageString| To override the Primary Tsunami and Earthquake default message, specify the EarthquakeTsunamiMessageString setting value. This string will be used regardless of what language is set on the device.
-ErrorCodeEnabled | You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
-EtwsSoundFileName | Set the value to the name of a sound file.
-HideMediumSIPopups | By default, when a service indication message is received with a signal-medium or signal-high setting, the phone interrupts and shows the user prompt for these messages. However, you can hide the user prompts for signal-medium messages.
-ImsiAuthenticationToken | Configure whether MMS messages include the IMSI in the GET and POST header. Set ImsiAuthenticationToken to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
-LimitRecipients | Set the maximum number of recipients to which a single SMS or MMS message can be sent. Enter a number between 1 and 500 to limit the maximum number of recipients.
-MaxRetryCount | You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
-MMSLimitAttachments | You can specify the maximum number of attachments for MMS messages, from 1 to 20. The default is 5.
-NIInfoEnabled | NIInfoEnabled
-ProxyAuthorizationToken | See [Proxy authorization for MMS.](/windows-hardware/customize/mobile/mcsf/proxy-authorization-for-mms)
-RetrySize | For MMS messages that have photo attachments and that fail to send, you can choose to automatically resize the photo and attempt to resend the message. Specify the maximum size to use to resize the photo in KB. Minimum is 0xA (10 KB).
-SetCacheControlNoTransform | When set, proxies and transcoders are instructed not to change the HTTP header and the content should not be modified. A value of 1 or 0x1 adds support for the HTTP header Cache-Control No-Transform directive. When the SetCacheControlNoTransform``Value is set to 0 or 0x0 or when the setting is not set, the default HTTP header Cache-Control No-Cache directive is used.
-ShowRequiredMonthlyTest | **True** enables devices to receive CMAS Required Monthly Test (RMT) messages and have these show up on the device. **False** disables devices from receiving CMAS RMT messages.
-SIProtocols | Additional supported service indication protocol name.
-SmscPanelDisabled | **True** disables the short message service center (SMSC) panel.
-SMStoSMTPShortCode | Use to configure SMS messages to be sent to email addresses and phone numbers. `0` disables sending SMS messages to SMTP addresses. `1` enables sending SMS messages to SMTP addresses.
-TargetVideoFormat | You can specify the transcoding to use for video files sent as attachments in MMS messages. Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:- 0 or 0x0 Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS.- 1 or 0x1 Sets the transcoding to H.264 + AAC + 3GP.- 2 or 0x2 Sets the transcoding to H.263 + AMR.NB + 3GP.- 3 or 0x3 Sets the transcoding to MPEG4 + AMR.NB + 3GP.
-TsunamiMessageString | To override the Primary Tsunami default message, specify the TsunamiMessageString setting value. This string will be used regardless of what language is set on the device.
-UAProf | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. There are two ways to correlate a user agent profile with a given phone:- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.- Alternatively, you can directly set the URI of the user agent profile on the phone.Set UAProf to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting UAProfToken to either `x-wap-profile` or `profile`.
-UAProfToken | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
-UseDefaultAddress | By default, the MMS transport sends an acknowledgement to the provisioned MMS application server (MMSC). However, on some networks, the correct server to use is sent as a URL in the MMS message. In that case, a registry key must be set, or else the acknowledgement will not be received and the server will continue to send duplicate messages. **True** enables some networks to correctly acknowledge MMS messages. **False** disables the feature.
-UseInsertAddressToken | Use insert address token or local raw address.
-UserAgentString | Set UserAgentString to the new user agent string for MMS in its entirely. By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
-UseUTF8ForUnspecifiedCharset | Some incoming MMS messages may not specify a character encoding. To properly decode MMS messages that do not specify a character encoding, you can set UTF-8 to decode the message.
-WapPushTechnology | For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. `1` or `0x1` enables MMS messages to have some of their content truncated. `0` or `0x0` disables MMS messages from being truncated
-
-## ImsiAuthenticationToken
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-Configure whether MMS messages include the IMSI in the GET and POST header.
-
-Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
-
-
-### LatAlertOptions
-
-Enable `LatLocalAlertEnabled` to enable support for LAT-Alert Local Alerts for devices sold in Chile. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications).
-
-### MaxRetryCount
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent.
-
-Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
-
-### MMSGroupText
-
-Set options for group messages sent to multiple people.
-
-Setting | Description
---- | ---
-MMSGroupText | **True** enables group messages to multiple people sent as MMS.
-ShowMMSGroupTextUI | **True** shows the toggle for group text in messaging settings.
-ShowMmsGroupTextWarning | **True** shows the warning that alerts users of possible additional charges before sending a group text as MMS.
-
-### NIAlertOptions
-
-Enable `NI2AlertEnabled` to enable support for the Netherlands Announcements for devices sold in the Netherlands. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications).
-
-### RcsOptions
-
-Set options for Rich Communications Services (RCS).
-
-| Setting | Description |
-| --- | --- |
-RcsAllowLeaveClosedGroupChats | Whether or not to allow users to leave closed group chats.
-| RcsEnabled | Toggle to enable/disable RCS service. Set to **True** to enable. |
-| RcsFileTransferAutoAccept | Set to **True** to auto-accept RCS incoming file transfer if the file size is less than warning file size.|
-RcsFiletransferAutoAcceptWhileRoaming | Auto-accept RCS incoming file transfer when the file size is less than the warning file size while roaming.
-RcsGroupChatCreationMode | The mode used to create new RCS group chats.
-RcsGroupChatCreationgThreadingMode | The mode used to thread newly created RCS group chats.
-| RcsSendReadReceipt | Set to **True** to send read receipt to the sender when a message is read. |
-RcsTimeWindowsAfterSelfLeave | After RCS receives a self-left message, it will ignore messages during this time (in milliseconds), except self-join.
-| ShowRcsEnabled | Set to **True** to show the toggle for RCS activation. |
-
-
-### RequestDeliveryReport
-
-Set options related to MMS message notifications. You can specify whether users receive notification that MMS messages could not be delivered, and determine whether users can control this by using the MMS delivery confirmation toggle in **Messaging > settings**. By default, this user setting is visible but turned off.
-
-| Setting | Description |
-| --- | --- |
-| RequestDeliveryReport | Set to **True** to set the default value to on. |
-| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. |
-
-
-### SMSDeliveryNotify
-
-Setting | Description
---- | ---
-DeliveryNotifySupported | Set to **True** to enable SMS delivery confirmation.
-SMSDeliveryNotify | Set to **True** to toggle SMS delivery confirmation.
-
-### TargetVideoFormat
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-You can specify the transcoding to use for video files sent as attachments in MMS messages.
-
-Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:
-
-| Value | Description |
-| --- | --- |
-| 0 or 0x0 | Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS. |
-| 1 or 0x1 | Sets the transcoding to H.264 + AAC + 3GP. |
-| 2 or 0x2 | Sets the transcoding to H.263 + AMR.NB + 3GP. |
-| 3 or 0x3 | Sets the transcoding to MPEG4 + AMR.NB + 3GP. |
-
-
-### TaiwanAlertOptions
-
-Set options for Taiwan Emergency Alerts system. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications#taiwan-alerts).
-
-
-Setting | Description
---- | ---
-TaiwanAlertEnabled | Receive Taiwan alerts.
-TaiwanEmergencyAlertEnabled | Receive Taiwan emergency alerts.
-TaiwanPresidentialAlertEnabled | Receive alerts from the Leader of the Taiwan Area.
-TaiwanRequiredMonthlytestEnabled | Receive Taiwan Required Monthly Test alerts.
-
-
-
-### UAProf
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
-
-There are two ways to correlate a user agent profile with a given phone:
-- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.
-- Alternatively, you can directly set the URI of the user agent profile on the phone.
-
-Set **UAProf** to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
-
-
-### UAProfToken
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
-
-Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
-
-
-### UserAgentString
-
->[!NOTE]
->This setting is removed in Windows 10, version 1709.
-
-Set **UserAgentString** to the new user agent string for MMS in its entirely.
-
-By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
-
-
-### w4
-
-| Setting | Description |
-| --- | --- |
-| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:- A Uniform Resource Identifier (URI)- An IPv4 address represented in decimal format with dots as delimiters- A fully qualified Internet domain name |
-| APPID | Set to `w4`. |
-| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. |
-| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:- Character string containing the name- no value specifiedIf no value is specified, the registry location will default to ``. If **NAME** is greater than 40 characters, it will be truncated to 40 characters. |
-| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](/windows/client-management/mdm/napdef-csp). |
-| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. |
-
-### WapPushTechnology
-
->[!NOTE]
->These settings are removed in Windows 10, version 1709.
-
-For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values.
-
-| Value | Description |
-| --- | --- |
-| 1 or 0x1 | Enables MMS messages to have some of their content truncated. |
-| 0 or 0x0 | Disables MMS messages from being truncated. |
-
-
-
-## Related topics
-- [Customizations for SMS and MMS](/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md
deleted file mode 100644
index 79cc7624f2..0000000000
--- a/windows/configuration/wcd/wcd-modemconfigurations.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: ModemConfiguration (Windows 10)
-description: This section describes the ModemConfiguration settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.reviewer:
-manager: dansimp
----
-
-# ModemConfiguration (Windows Configuration Designer reference)
-
-ModemConfiguration settings are removed in Windows 10, version 1709.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md
deleted file mode 100644
index 4b46abbb30..0000000000
--- a/windows/configuration/wcd/wcd-multivariant.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: Multivariant (Windows 10)
-description: This section describes the Multivariant settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.reviewer:
-manager: dansimp
----
-
-# Multivariant (Windows Configuration Designer reference)
-
-Use to select a default profile for mobile devices that have multivariant configurations.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| DefaultProfile | | X | | | |
-
-If you will be adding [multivariant settings](../provisioning-packages/provisioning-multivariant.md) to your provisioning package, you can use the **DefaultProfile** setting to specify which variant should be applied by default if OOBE is skipped. In the **DefaultProfile** field, enter the UINAME from your customizations.xml that you want to use as default.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
index 26dc49ac76..957bc2abd1 100644
--- a/windows/configuration/wcd/wcd-networkproxy.md
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -18,9 +18,9 @@ Use for settings related to NetworkProxy.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | ✔️ | | |
## AutoDetect
diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md
index 899b27631b..177a49d274 100644
--- a/windows/configuration/wcd/wcd-networkqospolicy.md
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md
@@ -18,9 +18,9 @@ Use to create network Quality of Service (QoS) policies. A QoS policy performs a
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | ✔️ | | |
1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**.
2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure.
diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md
deleted file mode 100644
index b584cad59c..0000000000
--- a/windows/configuration/wcd/wcd-nfc.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: NFC (Windows 10)
-description: This section describes the NFC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.reviewer:
-manager: dansimp
----
-
-# NFC (Windows Configuration Designer reference)
-
-Use to configure settings related to near field communications (NFC) subsystem.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-Expand **NFC** > **SEMgr** > **UI**. The following table describes the settings you can configure.
-
-| Setting | Description |
-| --- | --- |
-| CardEmulationState | Configure the default state of **Tap to pay**. Select between **OFF**, **When Phone Unlocked**, **When Screen On**, and **Anytime**. |
-| DefaultFastCardSetting | Configure the default fast card usage for NFC payments. Select between **When Phone Unlocked**, **When Screen On**, and **Anytime**. |
-| HideFastCardsOption | Show or hide the fast cards options drop-down menu in the **NFC** > **Tap to pay** control panel. |
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index 72fc4e529e..9110aeec1d 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -18,40 +18,21 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [Desktop > EnableCortanaVoice](#enablecortanavoice) | X | | | | |
-| [Desktop > HideOobe](#hided) | X | | | | |
-| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | X | | | |
-| [Mobile > HideOobe](#hidem) | | X | | | |
-
-
-
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️ | | | |
+| [Desktop > HideOobe](#hideoobe-for-desktop) | ✔️ | | | |
## EnableCortanaVoice
Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE, or **False** to disable voice-over during OOBE.
-
## HideOobe for desktop
When set to **True**, it hides the interactive OOBE flow for Windows 10.
->[!NOTE]
->You must create a user account if you set the value to true or the device will not be usable.
+> [!NOTE]
+> You must create a user account if you set the value to true or the device will not be usable.
When set to **False**, the OOBE screens are displayed.
-
-## EnforceEnterpriseProvisioning
-
-When set to **True**, it forces the OOBE flow into using the enterprise provisioning page without making the user interact with the Windows button. This is the default setting.
-
-When set to **False**, it does not force the OOBE flow to the enterprise provisioning page.
-
-
-## HideOobe for mobile
-
-When set to **True**, it hides the interactive OOBE flow for Windows 10 Mobile.
-
-When set to **False**, the OOBE screens are displayed.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md
deleted file mode 100644
index 5166212585..0000000000
--- a/windows/configuration/wcd/wcd-otherassets.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: OtherAssets (Windows 10)
-description: This section describes the OtherAssets settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/06/2017
-ms.reviewer:
-manager: dansimp
----
-
-# OtherAssets (Windows Configuration Designer reference)
-
-Use to configure settings for Map data.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| MapData | | X | | | |
-
-Use **MapData** to specify the source directory location of the map region you want to include.
-
-For example, if C:\Path\Maps\Europe contains the downloaded map data that you want to preload, set the value to that directory.
-
-To add additional maps, add a new MapData setting and set the source to the directory location of the map region you want to include.
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
index 4f20e71ba6..18b6259bdc 100644
--- a/windows/configuration/wcd/wcd-personalization.md
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -18,12 +18,12 @@ Use to configure settings to personalize a PC.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [DeployDesktopImage](#deploydesktopimage) | X | | | | |
-| [DeployLockScreenImage](#deploylockscreenimage) | X | | | | |
-| [DesktopImageUrl](#desktopimageurl) | X | | | | |
-| [LockScreenImageUrl](#lockscreenimageurl) | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [DeployDesktopImage](#deploydesktopimage) | ✔️ | | | |
+| [DeployLockScreenImage](#deploylockscreenimage) | ✔️ | | | |
+| [DesktopImageUrl](#desktopimageurl) | ✔️ | | | |
+| [LockScreenImageUrl](#lockscreenimageurl) | ✔️ | | | |
## DeployDesktopImage
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 8800dbb685..f7629487bb 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -18,316 +18,316 @@ This section describes the **Policies** settings that you can configure in [prov
## AboveLock
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | |
-| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | | | |
+| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | ✔️ | | | |
## Accounts
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | |
-| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | X | |
-| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | |
-| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | ✔️ | | | |
+| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | ✔️ | | ✔️ | |
+| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | ✔️ | | | |
+| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | ✔️ | | | |
## ApplicationDefaults
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | |
## ApplicationManagement
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | X |
-| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | X |
-| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X |
-| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | |
-| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | |
-| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | |
-| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | x | | | |
-| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | X | | | | |
-| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | X |
-| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | X |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ | | | ✔️ |
+| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✔️ | | | ✔️ |
+| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | ✔️ | | | |
+| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✔️ | | | |
+| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | | | |
+| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | | | |
+| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | ✔️ | | | |
+| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✔️ | | | ✔️ |
+| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✔️ | | | ✔️ |
## Authentication
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X |
-| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | X | X | X | | X |
-| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | X | X | X | | X |
-| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | X | X | X | | X |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✔️ | ✔️ | | ✔️ |
+| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | ✔️ | ✔️ | | ✔️ |
+| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✔️ | ✔️ | | ✔️ |
## BitLocker
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✔️ | | | |
## Bluetooth
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X |
-| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X |
-| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X |
-| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | X | X | X | X | X |
-| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X |
-| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | X |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | ✔️ | ✔️ | ✔️ | ✔️ |
+| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | ✔️ | ✔️ | ✔️ | ✔️ |
+| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | ✔️ | ✔️ | ✔️ | ✔️ |
## Browser
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | |
-| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | X |
-| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | X | X | | | |
-[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | X | | | |
-| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | X |
-| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | |
-| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | | X |
-| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | |
-| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | |
-| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | |
-| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | X | X | X | | X |
-| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | | X |
-| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | X |
-| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | X |
-| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | |
-| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | X | | | | |
-| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | X | X | X | | X |
-| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | X | | | | |
-| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | X | X | | X |
-| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | X |
-| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | X | | | | |
-| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | X |
-| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | X | | | | |
-| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | X | X | X | | X |
-[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | X | X | | | |
-| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | |
-| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | X | X | X | | X |
-| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | X | | | | |
-| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | X | | | | |
-| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | X | | | | |
-| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | X | | | | |
-| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | X | | | | |
-| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | X | | | | |
-| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | |
-[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | X | | | |
-| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | |
-| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
-| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | X | X | | | |
-| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | |
-[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | X | | | |
-| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | X |
-| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | X | X | X | | X |
-| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X | | | | |
-| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | X |
-| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | X | X | X | | X |
-| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | X | X | X | | X |
-PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | X | | | | |
-| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | X | | | | |
-| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | X |
-[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | X | | | |
-| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | |
-| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | X |
-| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | X | | | | |
-| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | X | | | | |
-| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | |
-| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | |
-| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | X | | | | |
-[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✔️ | | | |
+| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✔️ | | | |
+[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✔️ | | | |
+| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✔️ | | | |
+| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✔️ | | | |
+| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✔️ | | | |
+| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✔️ | | | |
+| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | ✔️ | ✔️ | | ✔️ |
+| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
+| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | ✔️ | | ✔️ | |
+| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | ✔️ | | | |
+| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
+| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | ✔️ | | | |
+| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ |
+| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | ✔️ | ✔️ | | ✔️ |
+| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | ✔️ | | | |
+| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | ✔️ | | | |
+| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✔️ | ✔️ | | ✔️ |
+[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✔️ | | | |
+| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✔️ | | | |
+| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ |
+| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✔️ | | | |
+| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | |
+| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✔️ | | | |
+| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✔️ | | | |
+| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✔️ | | | |
+| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✔️ | | | |
+| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✔️ | | | |
+[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | |
+| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✔️ | | | |
+| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✔️ | | | |
+| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | ✔️ | | | |
+| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✔️ | | | |
+[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✔️ | | | |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✔️ | ✔️ | | ✔️ |
+| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | ✔️ | ✔️ | | ✔️ |
+| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | ✔️ | | | |
+| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
+| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✔️ | ✔️ | | ✔️ |
+| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✔️ | ✔️ | | ✔️ |
+PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✔️ | | | |
+| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | |
+| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✔️ | ✔️ | | ✔️ |
+[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | ✔️ | | | |
+| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✔️ | | | |
+| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✔️ | ✔️ | | ✔️ |
+| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✔️ | | | |
+| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | ✔️ | | | |
+| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | ✔️ | | | |
+| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | ✔️ | | | |
+| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | ✔️ | | | |
+[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | ✔️ | | | |
## Camera
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✔️ | ✔️ | | |
## Connectivity
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | X |
-| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | X |
-| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | X |
-| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | X |
-| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | X |
-| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | X |
-| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | X |
-| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | X |
-| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | X |
-| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | X |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✔️ | ✔️ | | ✔️ |
+| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✔️ | ✔️ | | ✔️ |
+| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✔️ | ✔️ | | ✔️ |
+| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | | | ✔️ |
+| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | | | ✔️ |
+| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlying connections VPN is allowed to use. |✔️ | ✔️ | | ✔️ |
+| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✔️ | ✔️ | | ✔️ |
+| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✔️ | ✔️ | | ✔️ |
+| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | ✔️ | ✔️ | | ✔️ |
## CredentialProviders
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | ✔️ | | | |
## Cryptography
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | |
-| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✔️ | | | |
+| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✔️ | | | |
## Defender
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | |
-| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | |
-| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | | | | |
-| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | |
-| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | |
-| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | |
-| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | |
-| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | |
-| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | |
-| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | | | | |
-| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | |
-| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | |
-| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | |
-| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | |
-| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | |
-| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | |
-| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | X | | | | |
-| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | |
-| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | |
-| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | |
-| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | |
-| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | |
-| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | X | | | | |
-| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | |
-| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | |
-| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | |
+| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✔️ | | | |
+| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✔️ | | | |
+| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✔️ | | | |
+| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✔️ | | | |
+| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✔️ | | | |
+| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | ✔️ | | | |
+| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✔️ | | | |
+| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✔️ | | | |
+| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✔️ | | | |
+| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | ✔️ | | | |
+| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✔️ | | | |
+| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | ✔️ | | | |
+| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defender scan (in percent). | ✔️ | | | |
+| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✔️ | | | |
+| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore during a scan. Separate each file type in the list by using \|. | ✔️ | | | |
+| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✔️ | | | |
+| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore during a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | |
+| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✔️ | | | |
+| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ | | | |
+| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✔️ | | | |
+| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | ✔️ | | | |
+| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | ✔️ | | | |
+| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | |
+| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | |
+| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | |
## DeliveryOptimization
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | |
-| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | |
-| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | X | | | | |
-| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | X | | | | |
-| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | X | | | | |
-| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | |
-| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | X | | | | |
-| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | |
-| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | |
-| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | |
-| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | |
-| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | X | | | | |
-| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | |
-| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | |
-| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | |
-| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | |
-| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | |
-| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | |
-| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
-| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
-| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
-| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | X | | | | |
-| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
-| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | ✔️ | | | |
+| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | ✔️ | | | |
+| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | ✔️ | | | |
+| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | ✔️ | | | |
+| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | ✔️ | | | |
+| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | ✔️ | | | |
+| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | ✔️ | | | |
+| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✔️ | | | |
+| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✔️ | | | |
+| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | ✔️ | | | |
+| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity using Delivery Optimization. | ✔️ | | | |
+| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✔️ | | | |
+| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✔️ | | | |
+| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capacity in GB) for the device to use Peer Caching. | ✔️ | | | |
+| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✔️ | | | |
+| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB required to use Peer Caching. | ✔️ | | | |
+| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | ✔️ | | | |
+| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✔️ | | | |
+| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
+| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
+| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
+| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | ✔️ | | | |
+| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
+| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | |
## DeviceGuard
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | ✔️ | | | |
## DeviceLock
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | |
-| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | |
-| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | X | |
-|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | |
-| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | |
-| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | X | |
-| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | X | |
-| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | |
-| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | X | |
-| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | |
-| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | |
-| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | | | |
+| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | | | |
+| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✔️ | | ✔️ | |
+|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | ✔️ | | ✔️ | |
+| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | ✔️ | | ✔️ | |
+| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | ✔️ | | ✔️ | |
+| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | ✔️ | | ✔️ | |
+| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | ✔️ | | ✔️ | |
+| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | ✔️ | | ✔️ | |
+| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | ✔️ | | ✔️ | |
+| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | ✔️ | | ✔️ | |
+| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | | | |
## DeviceManagement
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | ✔️ | | | |
## Experience
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | |
-| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | X | |
-| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | |
-| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | |
-| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | X | |
-| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | |
-| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | |
-| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | |
-| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | |
-| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | |
-| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | |
-| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | |
-| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | |
-| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | |
-| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | |
-| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | |
-| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | |
-| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | | | |
+| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | | ✔️ | |
+| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | | | |
+| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | ✔️ | | | |
+| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | ✔️ | | ✔️ | |
+| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | | | |
+| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | | | |
+| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | ✔️ | | | |
+| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | ✔️ | | | |
+| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | | | |
+| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✔️ | | | |
+| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | | | |
+| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ | | | |
+| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | ✔️ | | | |
+| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✔️ | | | |
+| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✔️ | | | |
+| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | ✔️ | | | |
+| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | ✔️ | | | |
## ExploitGuard
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✔️ | | | |
## Games
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | ✔️ | | | |
## KioskBrowser
These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](../guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | |
-[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | |
-[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | X | | | | |
-[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | X | | | | |
-[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | X | | | | |
-[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X | | | | |
-[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+|[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | |
+|[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ | | | |
+|[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | |
+|[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✔️ | | | |
+|[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✔️ | | | |
+|[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ | | | |
+|[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ | | | |
To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
@@ -340,252 +340,253 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
## LocalPoliciesSecurityOptions
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | X | | | | |
-| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | X | | | | |
-| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✔️ | | | |
+| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | ✔️ | | | |
+| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✔️ | | | |
## Location
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | |
## Power
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | X | | | | |
-| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | X | | | | |
-| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | X | | | | |
-| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | X | | | | |
-| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | X | | | | |
-| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | X | | | | |
-| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | X | | | | |
-| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | X | | | | |
-| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | X | | | | |
-| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | X | | | | |
-| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | X | | | | |
-| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | X | | | | |
-| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | X | | | | |
-| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | X | | | | |
-| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | X | | | | |
-| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | X | | | | |
-| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | X | | | | |
-| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | X | | | | |
-| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | X | | | | |
-| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | X | | | | |
-| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | X | | | | |
-| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✔️ | | | |
+| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✔️ | | | |
+| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✔️ | | | |
+| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | ✔️ | | | |
+| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | ✔️ | | | |
+| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | ✔️ | | | |
+| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | ✔️ | | | |
+| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | ✔️ | | | |
+| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | ✔️ | | | |
+| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | ✔️ | | | |
+| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | ✔️ | | | |
+| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | ✔️ | | | |
+| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | ✔️ | | | |
+| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | ✔️ | | | |
+| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | ✔️ | | | |
+| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | ✔️ | | | |
+| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | ✔️ | | | |
+| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✔️ | | | |
+| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✔️ | | | |
+| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✔️ | | | |
+| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | ✔️ | | | |
+| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | ✔️ | | | |
## Privacy
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | |
-| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | | | |
+| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✔️ | | ✔️ | |
## Search
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | X | X | | | |
-[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | X | | | | |
-| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | |
-| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | X | |
-| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | |
-| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.- **Off** setting disables Windows indexer- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)- **Enterprise** setting reduces potential network loads for enterprises- **Standard** setting is appropriate for consuemrs | X | X | | | |
-| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | |
-| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | X | X | | | |
-| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | |
-| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | |
-| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | |
-| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | |
-| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✔️ | | | |
+[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | |
+| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | | | |
+| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ | | ✔️ | |
+| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ | | | |
+| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.- **Off** setting disables Windows indexer- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)- **Enterprise** setting reduces potential network loads for enterprises- **Standard** setting is appropriate for consumers | ✔️ | | | |
+| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ | | | |
+| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ | | | |
+| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ | | | |
+| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | ✔️ | | | |
+| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | ✔️ | | | |
+| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | ✔️ | | | |
+| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | | | |
## Security
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X |
-| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | |
-| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X |
-| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | |
-| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X |
-| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | X | X | X | | X |
-| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | ✔️ | ✔️ | | ✔️ |
+| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | | | |
+| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | ✔️ | ✔️ | | ✔️ |
+| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | | | |
+| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | ✔️ | ✔️ | | ✔️ |
+| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | ✔️ | | | |
## Settings
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | |
-| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | |
-| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | |
-| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | |
-[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | | | |
+| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | | | |
+| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | | ✔️ | |
+| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | |
+[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✔️ | | | |
## Start
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
-| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
-DisableContextMenus | Prevent context menus from being invoked in the Start menu. | X | | | | |
-| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | |
-| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | |
-| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | |
-| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | |
-| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | |
-| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | |
-| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | | | | |
-| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | |
-| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | |
-| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | |
-| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | |
-| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | |
-| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | X | | | | |
-| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | |
-| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | |
-| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | |
-| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | X | | | | |
-| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | |
-| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloads shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | ✔️ | | | |
+| DisableContextMenus | Prevent context menus from being invoked in the Start menu. | ✔️ | | | |
+| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✔️ | | | |
+| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | ✔️ | | | |
+| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✔️ | | | |
+| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✔️ | | | |
+| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✔️ | | | |
+| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✔️ | | | |
+| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | |
+| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✔️ | | | |
+| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✔️ | | | |
+| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✔️ | | | |
+| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | ✔️ | | | |
+| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | ✔️ | | | |
+| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | ✔️ | | | |
+| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | ✔️ | | | |
+| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | ✔️ | | | |
+| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | ✔️ | | | |
+| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | ✔️ | | | |
+| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | ✔️ | | | |
+| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | ✔️ | | | |
## System
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | |
-| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | | X |
-| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | |
-| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X |
-| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X |
-| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | |
-| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
-ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | X | X | | | |
-ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | X | X | | | |
-| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | X | X | | | |
-| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | X | X | | | |
-| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
-| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | ✔️ | | | |
+| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✔️ | ✔️ | | ✔️ |
+| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✔️ | | | |
+| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | ✔️ | ✔️ | | ✔️ |
+| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | ✔️ | | ✔️ | |
+| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | ✔️ | | | |
+ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | ✔️ | | | |
+ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | ✔️ | | | |
+| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✔️ | | | |
+| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✔️ | | | |
+| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✔️ | | | |
+| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | | | |
## TextInput
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | |
-| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | |
-| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | |
-| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | X | | | | |
-| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | |
-| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | X | | | | |
-| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | |
-| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | |
-| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | |
-| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | |
-| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
-| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
-| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✔️ | | | |
+| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | ✔️ | | | |
+| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | ✔️ | | | |
+| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✔️ | | | |
+| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✔️ | | | |
+| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | ✔️ | | | |
+| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ | | | |
+| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ | | | |
+| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ | | | |
+| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | |
+| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | |
+| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | |
+| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | |
## TimeLanguageSettings
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | | | |
## Update
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------:|:---------------:|:-----------:|:--------:|:--------:|
-| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X |
-| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X |
-| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X |
-| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
-| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X |
-| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
-| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X |
-| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X |
-| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X |
-| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X |
-| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X |
-| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | | X |
-| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X |
-| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X |
-| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X |
-| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X |
-| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | X | X | X | X | X |
-| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
-| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | | X |
-| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X |
-| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X |
-| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X |
-| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X |
-| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X |
-| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X |
-| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | X | | X | | X |
-| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X |
-| ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X |
-| PhoneUpdateRestrictions | Deprecated | | X | | | |
-| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X |
-| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X |
-| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X |
-| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X |
-| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X |
-| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X |
-| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | X | X | X | | X |
-| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | X | X | X | | X |
-| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | | X |
-| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | X | X | X | | X |
-| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X |
-| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|---------|-------------|:--------------:|:-----------:|:--------:|:--------:|
+| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ |
+| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | | ✔️ |
+| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ |
+| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✔️ | ✔️ | | ✔️ |
+| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ |
+| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ |
+| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
+| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✔️ | ✔️ | | ✔️ |
+| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ |
+| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ |
+| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ |
+| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windows Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ |
+| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | | ✔️ |
+| ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ |
+| PhoneUpdateRestrictions | Deprecated | | ✔️ | | |
+| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✔️ | ✔️ | | ✔️ |
+| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✔️ | ✔️ | | ✔️ |
+| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✔️ | ✔️ | | ✔️ |
+| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✔️ | ✔️ | | ✔️ |
+| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✔️ | ✔️ | | ✔️ |
+| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✔️ | ✔️ | | ✔️ |
+| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | ✔️ | ✔️ | | ✔️ |
+| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
## WiFi
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | |
-| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | |
-| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | |
-| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | |
-| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | | X |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | ✔️ | | | |
+| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | ✔️ | | | |
+| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | | | |
+| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | | | |
+| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | ✔️ | ✔️ | | ✔️ |
## WindowsInkWorkspace
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | |
-| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | ✔️ | | | |
+| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | ✔️ | | | |
## WindowsLogon
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | X | | | | |
+
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✔️ | | | |
## WirelessDisplay
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | |
\ No newline at end of file
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | | | |
diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md
index a1941225e8..867728c6b3 100644
--- a/windows/configuration/wcd/wcd-privacy.md
+++ b/windows/configuration/wcd/wcd-privacy.md
@@ -17,9 +17,9 @@ Use **Privacy** to configure settings for app activation with voice.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | X | X | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | ✔️ | | ✔️ |
## LetAppsActivateWithVoice
@@ -27,4 +27,4 @@ Select between **User is in control**, **Force allow**, or **Force deny**.
## LetAppsActivateWithVoiceAboveLock
-Select between **User is in control**, **Force allow**, or **Force deny**.
\ No newline at end of file
+Select between **User is in control**, **Force allow**, or **Force deny**.
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index 991bd32799..dab5b939b7 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -19,9 +19,9 @@ Use ProvisioningCommands settings to install Windows desktop applications using
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md).
diff --git a/windows/configuration/wcd/wcd-rcspresence.md b/windows/configuration/wcd/wcd-rcspresence.md
deleted file mode 100644
index ddcb62bed7..0000000000
--- a/windows/configuration/wcd/wcd-rcspresence.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: RcsPresence (Windows 10)
-description: This section describes the RcsPresence settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 04/30/2018
-ms.reviewer:
-manager: dansimp
----
-
-# RcsPresence (Windows Configuration Designer reference)
-
-Use these settings to configure RcsPresence.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-Setting | Description
---- | ---
-BypassvideoCapabilities | Do not use.
-MaxWaitForCapabilitiesRequestInSeconds | Maximum number of seconds to wait for a Capabilities Request to complete.
-MinAvailabilityCacheInSeconds | Number of seconds to cache result of Capabilities Request per each number, to avoid excessive network requests.
-
-
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index b8dde5dc3f..3dd25e3954 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -20,9 +20,9 @@ Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as t
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
## AccountManagement
@@ -30,19 +30,19 @@ Use these settings to configure settings for accounts allowed on the shared PC.
| Setting | Value | Description |
| --- | --- | --- |
-| AccountModel | - Only guest- Domain-joined only- Domain-joined and guest | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. - Only guest allows anyone to use the PC as a local standard (non-admin) account.- Domain-joined only allows users to sign in with an Active Directory or Azure AD account.- Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. |
-| DeletionPolicy | - Delete immediately - Delete at disk space threshold- Delete at disk space threshold and inactive threshold | - Delete immediately will delete the account on sign-out.- Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for DiskLevelDeletion, and it will stop deleting accounts when the available disk space reaches the threshold you set for DiskLevelCaching. Accounts are deleted in order of oldest accessed to most recently accessed.- Delete at disk space threshold and inactive threshold will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by InactiveThreshold |
+| AccountModel | - Only guest- Domain-joined only- Domain-joined and guest | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC. - Only guest allows anyone to use the PC as a local standard (non-admin) account.- Domain-joined only allows users to sign in with an Active Directory or Azure AD account.- Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. |
+| DeletionPolicy | - Delete immediately - Delete at disk space threshold- Delete at disk space threshold and inactive threshold | - **Delete immediately** deletes the account on sign out.- **Delete at disk space threshold** starts deleting accounts when available disk space falls below the threshold you set for `DiskLevelDeletion`. It stops deleting accounts when the available disk space reaches the threshold you set for `DiskLevelCaching`. Accounts are deleted in order of oldest accessed to most recently accessed.- **Delete at disk space threshold and inactive threshold** applies the same disk space checks as noted above. It also deletes accounts if they haven't signed in within the number of days in `InactiveThreshold`. |
| DiskLevelCaching | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| DiskLevelDeletion | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
-| EnableAccountManager | True or false | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
-| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
-| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) |
+| EnableAccountManager | True or false | Set as **True** to enable automatic account management. When set to **False**, no automatic account management will be done. |
+| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that hasn't signed in will be deleted. |
+| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. The app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) |
| KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. |
## EnableSharedPCMode
-Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings).
+Set as **True**. When set to **False**, shared PC mode isn't turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings).
Some of the remaining settings in SharedPC are optional, but we strongly recommend that you also set **EnableAccountManager** to **True**.
@@ -53,13 +53,13 @@ Use these settings to configure policies for shared PC mode.
| Setting | Value | Description |
| --- | --- | --- |
| MaintenanceStartTime | A number between 0 and 1440 | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
-| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
+| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This setting can be used to fine-tune page file behavior, especially on low end PCs. |
| RestrictLocalStorage | True or false | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) |
| SetEduPolicies | True or false | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) |
-| SetPowerPolicies | True or false | When set as **True**:- Prevents users from changing power settings- Turns off hibernate- Overrides all power state transitions to sleep (e.g. lid close) |
+| SetPowerPolicies | True or false | When set as **True**:- Prevents users from changing power settings- Turns off hibernate- Overrides all power state transitions to sleep, such as a lid close. |
| SignInOnResume | True or false | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| SleepTimeout | Number | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
-## Related topics
+## Related articles
- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md
deleted file mode 100644
index 459ec29c02..0000000000
--- a/windows/configuration/wcd/wcd-shell.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: Shell (Windows 10)
-description: This section describes the Shell settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/06/2017
-ms.reviewer:
-manager: dansimp
----
-
-# Shell (Windows Configuration Designer reference)
-
-Do not use. Use [Start > StartLayout](wcd-start.md#startlayout)
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 3c80f2de84..ed3dbc5df6 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -19,21 +19,21 @@ Use SMISettings settings to customize the device with custom shell, suppress Win
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
## All settings in SMISettings
-The following table describes the settings in SMISettings. Some settings have additional details in sections after the table.
+The following table describes the settings in SMISettings. Some settings have more details in sections after the table.
| Setting | Value | Description |
| --- | --- | --- |
-| AutoLogon | EnableDomain namePasswordUserName | Allows automatic sign-in at startup so that the user does not need to enter a user name and password. |
+| AutoLogon | EnableDomain namePasswordUserName | Allows automatic sign-in at startup. Users don't need to enter a user name and password. |
| BrandingNeutral | See [BrandingNeutral values](#brandingneutral-values) | Specifies which UI elements display on the Welcome screen. |
-| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved in the event of a crash. |
+| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved if there's a crash. |
| DisableBootMenu | True or false | Disables the F8 and F10 keys during startup to prevent access to the **Advanced Startup Options** menu. |
-| DisplayDisabled | True or false | Configures the device to display a blank screen when the OS encounters an error that it cannot recover from. |
+| DisplayDisabled | True or false | Configures the device to display a blank screen if the OS has an error that it can't recover from. |
| HideAllBootUI | True or false | Suppresses all Windows UI elements (logo, status indicator, and status message) during startup. |
| HideAutologonUI | True or false | Hides the Welcome screen when automatic sign-in (AutoLogon) is enabled. |
| HideBootLogo | True or false | Suppresses the default Windows logo that displays during the OS loading phase. |
@@ -43,7 +43,7 @@ The following table describes the settings in SMISettings. Some settings have ad
| KeyboardFilter | See [KeyboardFilter settings](#keyboardfilter-settings) | Use these settings to configure devices to suppress key presses or key combinations. |
| NoLockScreen | True or false | Disables the lock screen functionality and UI elements |
| ShellLauncher | See [ShellLauncher settings](#shelllauncher-settings) | Settings used to specify the application or executable to use as the default custom shell. |
-| UIVerbosityLevel | Suppress or do not suppress | Disables the Windows status messages during device startup, sign-in, and shut down. |
+| UIVerbosityLevel | Suppress or don't suppress | Disables the Windows status messages during device startup, sign-in, and shut down. |
## BrandingNeutral values
@@ -58,11 +58,11 @@ The default value is **17**, which disables all Welcome screen UI elements and t
| 4 | Disables the Language button |
| 8 | Disables the Ease of access button |
| 16 | Disables the Switch user button |
-| 32 | Disables the blocked shutdown resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any applications that are blocking system shut down. No UI is displayed and users are not given a chance to cancel the shutdown process. This can result in a loss of data if any open applications have unsaved data. |
+| 32 | Disables the blocked shutdown resolver (BSDR) screen. Restarting or shutting down the system causes the OS to immediately force close any applications that are blocking the system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This value can result in a loss of data if any open applications have unsaved data. |
## CrashDumpEnabled values
-Contains an integer that specifies the type of information to capture in a dump (.dmp) file that is generated when the system stops unexpectedly.
+If the system stops unexpectedly, choose the type of information to capture in a dump (.dmp) file.
The .dmp file is typically saved in %SystemRoot% as Memory.dmp.
@@ -71,22 +71,22 @@ Set CrashDumpEnabled to one of the following values:
| Value | Description |
| --- | --- |
| 1 | Records all the contents of system memory. This dump file may contain data from processes that were running when the information was collected. |
-| 2 | Records only the kernel memory. This dump file includes only memory that is allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It does not include unallocated memory or any memory that is allocated to user-mode programs.For most purposes, this kind of dump file is the most useful because it is significantly smaller than the complete memory dump file, but it contains information that is most likely to have been involved in the issue.If a second problem occurs, the dump file is overwritten with new information. |
-| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:- A list of loaded drivers- The processor context (PRCB) for the processor that stopped- The process information and kernel context (EPROCESS) for the process that stopped- The process information and kernel context (ETHREAD) for the thread that stopped- The kernel-mode call stack for the thread that stoppedThis kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by analyzing this file.The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. |
+| 2 | Records only the kernel memory. This dump file includes only memory that's allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It doesn't include unallocated memory, or any memory that's allocated to user-mode programs. For most purposes, this kind of dump file is the most useful because it's smaller than the complete memory dump file. It also includes information that's most likely involved in the issue. If a second problem occurs, the dump file is overwritten with new information. |
+| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:- A list of loaded drivers- The processor context (PRCB) for the processor that stopped- The process information and kernel context (EPROCESS) for the process that stopped- The process information and kernel context (ETHREAD) for the thread that stopped- The kernel-mode call stack for the thread that stoppedThis dump file can be useful when space is limited. Because of the limited information, errors that aren't directly caused by the running thread at the time of the problem may not be discovered by analyzing this file. The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. |
| 4 | Records the smallest amount of useful information. This value produces the same results as entering a value of 3. |
| 7 | Records only the kernel memory. This value produces the same results as entering a value of 2. This is the default value. |
-| Any other value | Disables crash dump and does not record anything. |
+| Any other value | Disables crash dump and doesn't record anything. |
## KeyboardFilter settings
-You can use KeyboardFilter to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard.
+Use these settings to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard.
-When you **enable** KeyboardFilter, a number of other settings become available for configuration.
+When you **enable** KeyboardFilter, many other settings become available for configuration.
| Setting | Value | Description |
| --- | --- | --- |
-| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that you may have that are not included in the predefined key filters. Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](/windows-hardware/customize/enterprise/wekf-customkey). |
-| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.Enter a custom scancode in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](/windows-hardware/customize/enterprise/wekf-scancode). |
+| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that aren't included in the predefined key filters. Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](/windows-hardware/customize/enterprise/wekf-customkey). |
+| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.Enter a custom scan code in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](/windows-hardware/customize/enterprise/wekf-scancode). |
| DisableKeyboardFilterForAdministrators | True or false | Disables the keyboard filter for administrators. |
| ForceOffAccessibility | True or false | Disables all Ease of Access features and prevents users from enabling them. |
| PredefinedKeyFilters | Allow or block | Specifies the list of predefined keys. For each key, the value will default to **Allow**. Specifying **Block** will suppress the key combination. |
@@ -107,7 +107,7 @@ You can also configure ShellLauncher to launch different shell applications for
>
>You cannot use ShellLauncher to launch a Windows app as a custom shell. However, you can use Windows 10 application launcher to launch a Windows app at startup.
-ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior does not meet your needs.
+ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell. So, your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs.
>[!IMPORTANT]
>A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights cannot. If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for ShellLauncher to launch the shell application.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index 8ac49fc3d0..b5e9674a75 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -19,12 +19,12 @@ Use Start settings to apply a customized Start screen to devices.
## Applies to
-| Setting | Desktop editions | Surface Hub | HoloLens | IoT Core |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
-| StartLayout | X | | | |
+| StartLayout | ✔️ | | | |
>[!IMPORTANT]
->The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but should only be used to apply a layout to Windows 10 Mobile devices. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start).
+>The StartLayout setting is available in the advanced provisioning for Windows 10, but shouldn't be used. For Windows client, use [Policies > StartLayout](wcd-policies.md#start).
## StartLayout
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index 9516876a6d..49815cf169 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -19,8 +19,8 @@ Use StartupApp settings to configure the default app that will run on start for
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| Default | | | | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| Default | | | | ✔️ |
Enter the [Application User Model ID (AUMID)](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index 67662e4a93..7d169c131d 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -19,7 +19,7 @@ Documentation not available at this time.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | | | ✔️ |
diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
index a7cbdabebe..d48b954521 100644
--- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
+++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
@@ -13,12 +13,15 @@ manager: dansimp
# StorageD3InModernStandby (Windows Configuration Designer reference)
-Use **StorageD3InModernStandby** to enable or disable low power state (D3) during standby. When this setting is configured to **Enable Storage Device D3**, SATA and NVMe devices will be able to enter the D3 state when the system transits to modern standby state, if they are using a Microsoft inbox driver such as StorAHCI, StorNVMe.
+Use **StorageD3InModernStandby** to enable or disable low-power state (D3) during standby. When set to **Enable Storage Device D3**, SATA and NVMe devices can enter the D3 state when:
+
+- The system transits to modern standby state.
+- If they're using a Microsoft inbox driver such as StorAHCI, StorNVMe
[Learn more about device power states.](/windows-hardware/drivers/kernel/device-power-states)
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | X | X | | X |
\ No newline at end of file
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | ✔️ | | ✔️ |
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index 31a54a9d24..edf2a819ed 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -24,9 +24,9 @@ Use SurfaceHubManagement settings to set the administrator group that will manag
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | ✔️ | | |
## GroupName
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 09cd2e5d37..e97c3ebf6e 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -19,9 +19,9 @@ Use TabletMode to configure settings related to tablet mode.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | ✔️ | | |
## ConvertibleSlateModePromptPreference
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index b7d826ac98..f9f3708a13 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -19,13 +19,13 @@ Use TakeATest to configure the Take A Test app, a secure browser for test-taking
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
## AllowScreenMonitoring
-When set to True, students are able to record and take screen captures in the Take A Test app.
+When set to True, students can record and take screen captures in the Take A Test app.
## AllowTextSuggestions
@@ -43,9 +43,8 @@ When set to True, students can print in the Take A Test app.
Enter the account to use when taking a test.
-To specify a domain account, enter **domain\user**. To specify an AAD account, enter username@tenant.com. To specify a local account, enter the username.
+To specify a domain account, enter **domain\user**. To specify an Azure AD account, enter `username@tenant.com`. To specify a local account, enter the username.
-
-## Related topics
+## Related articles
- [SecureAssessment configuration service provider (CSP)](/windows/client-management/mdm/secureassessment-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-textinput.md b/windows/configuration/wcd/wcd-textinput.md
deleted file mode 100644
index c5508b901f..0000000000
--- a/windows/configuration/wcd/wcd-textinput.md
+++ /dev/null
@@ -1,209 +0,0 @@
----
-title: TextInput (Windows 10)
-description: This section describes the TextInput settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/15/2017
-ms.reviewer:
-manager: dansimp
----
-
-# TextInput (Windows Configuration Designer reference)
-
-Use TextInput settings to configure text intelligence and keyboard for mobile devices.
-
-## Applies to
-
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| Intelligence > DisablePredictions | | X | | | |
-| PreEnabledKeyboard | | X | | | |
-
-## Intelligence
-
-Set **DisablePredictions** to the locale or alternative input language that must have the text intelligence features disabled. For example, to disable text correction and suggestions for English (UK), set the value of **DisablePredictions** to `en-gb`.
-
-## PreEnabledKeyboard
-
-In addition to the automatically-enabled default keyboard, OEMs may choose to pre-enable more keyboards for a particular market.
-
-During phone bring-up, OEMs must set the boot locale, or default locale, for the phone. During first boot, Windows Phone reads the locale setting and automatically enables a default keyboard based on the locale to keyboard mapping table in Set languages and locales.
-
-The mapping works for almost all regions and additional customizations are not needed unless specified in the pre-enabled keyboard column in Set languages and locales. If an OEM chooses to pre-enable more keyboards for a particular market, they can do so by specifying the setting. Pre-enabled keyboards will automatically be enabled during boot. Microsoft recommends that partners limit the number of pre-enabled keyboards to those languages that correspond to the languages spoken within the market.
-
-
-PreEnabledKeyboard must be entered once for each keyboard you want to pre-enable. As shown below, the format to specify a particular keyboard must be: Locale code.Locale value. See the following table for more information on the locale codes and values that you can use. The setting Value must be set to 1 to enable the keyboard.
-
-The following table shows the values that you can use for the Locale code.Locale value part of the setting name.
-
->[!NOTE]
->The keyboards for some locales require additional language model files: am-ET, bn-IN, gu-IN, hi-IN, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, my-MM, or-IN, pa-IN, si-LK, ta-IN, te-IN, zh-TW, zh-CN, and zh-HK.
-
-
-Name | Locale code | Keyboard layout value
---- | --- | ---
-Afrikaans (South Africa) | af-ZA | 1
-Albanian | sq-AL | 1
-Amharic | am-ET | 1
-Arabic | ar-SA | 1
-Armenian | hy-AM | 1
-Assamese - INSCRIPT | as-IN | 1
-Azerbaijani (Cyrillic) | az-Cyrl-AZ | 1
-Azerbaijani (Latin) | az-Latn-AZ | 1
-Bangla (Bangladesh) - 49 key | bn-BD | 1
-Bangla (India) - INSCRIPT |bn-IN|1
-Bangla (India) - Phonetic|bn-IN|2
-Bashkir|ba-RU|1
-Basque|eu-ES|1
-Belarusian|be-BY|1
-Bosnian (Cyrillic)|bs-Cyrl-BA|1
-Bosnian (Latin)|bs-Latn-BA|1
-Bulgarian|bg-BG|1
-Catalan|ca-ES|1
-Central Kurdish|ku-Arab-IQ|1
-Cherokee|chr-Cher-US|1
-Chinese Simplified QWERTY|zh-CN|1
-Chinese Simplified - 12-key|zh-CN|2
-Chinese Simplified - Handwriting|zh-CN|3
-Chinese Simplified - Stroke|zh-CN|4
-Chinese Traditional (Hong Kong SAR) - Cangjie|zh-HK|1
-Chinese Traditional (Hong Kong SAR) - Quick|zh-HK|2
-Chinese Traditional (Hong Kong SAR) - Stroke|zh-HK|3
-Chinese Traditional (Taiwan) - BoPoMoFo|zh-TW|1
-Chinese Traditional (Taiwan) - Handwriting|zh-TW|2
-Croatian|hr-HR|1
-Czech|cs-CZ|1
-Danish|da-DK|1
-Divehi|dv-MV|1
-Dutch (Belgium)|nl-BE|1
-Dutch (Netherlands)|nl-NL|1
-Dzongkha|dz-BT|1
-English (Australia)|en-AU|1
-English (Canada)|en-CA|1
-English (India)|en-IN|1
-English (Ireland)|en-IE|1
-English (United Kingdom)|en-GB|1
-English (United States)|en-US|1
-Estonian|et-EE|1
-Faroese|fo-FO|1
-Filipino|fil-PH|1
-Finnish|fi-FI|1
-French (Belgium)|fr-BE|1
-French (Canada)|fr-CA|1
-French (France)|fr-FR|1
-French (Switzerland)|fr-CH|1
-Galician|gl-ES|1
-Georgian|ka-GE|1
-German (Germany)|de-DE|1
-German (Switzerland)|de-CH|1
-Greek|el-GR|1
-Greenlandic|kl-GL|1
-Guarani|gn-PY|1
-Gujarati - INSCRIPT|gu-IN|1
-Gujarati - Phonetic|gu-IN|2
-Hausa|ha-Latn-NG|1
-Hebrew|he-IL|1
-Hindi - 37-key|hi-IN|1
-Hindi - INSCRIPT|hi-IN|3
-Hindi - Phonetic|hi-IN|2
-Hinglish|hi-Latn|1
-Hungarian|hu-HU|1
-Icelandic|is-IS|1
-Igbo|ig-NG|1
-Indonesian|id-ID|1
-Inuktitut - Latin|iu-Latn-CA|1
-Irish|ga-IE|1
-Italian|it-IT|1
-Japanese - 12-key|ja-JP|1
-Japanese - QWERTY|ja-JP|2
-Kannada - INSCRIPT|kn-IN|1
-Kannada - Phonetic|kn-IN|2
-Kazakh|kk-KZ|1
-Khmer|km-KH|1
-Kinyarwanda|rw-RW|1
-Kiswahili|sw-KE|1
-Konkani|kok-IN|1
-Korean - 12-key Chunjiin|ko-KR|2
-Korean - 12-key Naratgeul|ko-KR|3
-Korean - 12-key Sky|ko-KR|4
-Korean - QWERTY|ko-KR|1
-Kyrgyz|ky-KG|1
-Lao|lo-LA|1
-Latvian|lv-LV|1
-Lithuanian|lt-LT|1
-Luxembourgish|lb-LU|1
-Macedonian|mk-MK|1
-Malay (Brunei Darussalam)|ms-BN|1
-Malay (Malaysia)|ms-MY|1
-Malayalam - INSCRIPT|ml-IN|1
-Malayalam - Phonetic|ml-IN|2
-Maltese|mt-MT|1
-Maori|mi-NZ|1
-Marathi - INSCRIPT|mr-IN|1
-Marathi - Phonetic|mr-IN|2
-Mongolian - Cyrillic|mn-MN|1
-Mongolian - Traditional Mongolian|mn-Mong-CN|1
-Myanmar|my-MM|1
-Nepali|ne-NP|1
-Norwegian - Bokmal|nb-NO|1
-Norwegian - Nynorsk|ny-NO|1
-Odia - INSCRIPT|or-IN|1
-Odia - Phonetic|or-IN|2
-Pashto|ps-AF|1
-Persian|fa-IR|1
-Polish|pl-PL|1
-Portuguese (Brazil)|pt-BR|1
-Portuguese (Portugal)|pt-PT|1
-Punjabi - INSCRIPT|pa-IN|1
-Punjabi - Phonetic|pa-IN|2
-Romanian|ro-RO|1
-Romansh|rm-CH|1
-Russian|ru-RU|1
-Sakha|sah-RU|1
-Sami, Northern (Norway)|se-NO|1
-Sami, Northern (Sweden)|se-NO|1
-Scottish Gaelic|gd-GB|1
-Serbian - Cyrillic|sr-Cyrl-RS|1
-Serbian - Latin|sr-Latn-RS|1
-Sesotho sa Leboa|nso-ZA|1
-Setswana|tn-ZA|1
-Sinhala|si-LK|1
-Slovak|sk-SK|1
-Slovenian|sl-SI|1
-Sorbian, Upper|hsb-DE|1
-Spanish (Mexico)|es-MX|1
-Spanish (Spain)|es-ES|1
-Swedish|sv-SE|1
-Syriac|syr-SY|1
-Tajik|tg-Cyrl-TJ|1
-Tamazight (Central Atlas) - Tifinagh|tzm-Tfng-MA|1
-Tamazight (Central Atlas) - Latin|tzm-Latn-DZ|1
-Tamil - INSCRIPT|ta-IN|1
-Tamil - Phonetic|ta-IN|2
-Tatar|tt-RU|1
-Telugu - INSCRIPT|te-IN|1
-Telugu - Phonetic|te-IN|2
-Thai|th-TH|1
-Tibetan|bo-CN|1
-Turkish|tr-TR|1
-Turkmen|tk-TM|1
-Ukrainian|uk-UA|1
-Urdu|ur-PK|1
-Uyghur|ug-CN|1
-Uzbek - Cyrillic|uz-Cyrl-UZ|1
-Uzbek - Latin|uz-Latn-UZ|1
-Valencian|ca-ES-valencia|1
-Vietnamese - QWERTY|vi-VN|1
-Vietnamese - TELEX|vi-VN|2
-Vietnamese - VNI|vi-VN|3
-Welsh|cy-GB|1
-Wolof|N/A|1
-Xhosa|xh-ZA|1
-Yoruba|yo-NG|1
-Zulu|zu-ZA|1
-
diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md
deleted file mode 100644
index 7dc40af968..0000000000
--- a/windows/configuration/wcd/wcd-theme.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Theme (Windows 10)
-description: This section describes the Theme settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.reviewer:
-manager: dansimp
----
-
-# Theme (reference)
-
-Use Theme to configure accent and background colors on Windows 10 Mobile.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-## DefaultAccentColor
-
-In the dropdown menu for DefaultAccentColor, select from the list of colors. The accent color is used for the background of the start tiles, some text, the progress indicator, the user’s My Phone web site, and so on.
-
-
-## DefaultBackgroundColor
-
-Select between **Light** and **Dark** for theme.
-
-
-## Related topics
-
-- [Themes and accent colors](/previous-versions//dn772323(v=vs.85))
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md
index 6294abea3e..259df9fdd1 100644
--- a/windows/configuration/wcd/wcd-time.md
+++ b/windows/configuration/wcd/wcd-time.md
@@ -17,9 +17,9 @@ Use **Time** to configure settings for time zone setup for Windows 10, version (
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [ProvisionSetTimeZone](#provisionsettimezone) | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [ProvisionSetTimeZone](#provisionsettimezone) | ✔️ | | | |
## ProvisionSetTimeZone
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index c4e5aebefe..c5586d1c3a 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -15,14 +15,22 @@ manager: dansimp
# UnifiedWriteFilter (reference)
-Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF) in your device to help protect your physical storage media, including most standard writable storage types that are supported by the OS, such as physical hard disks, solidate-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writeable volume.
+Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF). It helps protect your physical storage media, including most standard writable storage types that are supported by the OS, such as:
+
+- Physical hard disks
+- Solidate-state drives
+- Internal USB devices
+- External SATA devices
+- And so on
+
+You can also use UWF to make read-only media appear to the OS as a writeable volume.
>[!IMPORTANT]
->You cannot use UWF to protect external USB devices or flash drives.
+>You can't use UWF to protect external USB devices or flash drives.
-UWF intercepts all write attempts to a protected volume and redirects those write attempts to a virtual overlay. This improves the reliability and stability of your device and reduces the wear on write-sensitive media, such as flash memory media like solid-state drives.
+UWF intercepts all write attempts to a protected volume and redirects these write attempts to a virtual overlay. This feature improves the reliability and stability of your device. It also reduces the wear on write-sensitive media, such as flash memory media like solid-state drives.
-The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume.
+The overlay doesn't mirror the entire volume. It dynamically grows to keep track of redirected writes. Generally, the overlay is stored in system memory. You can cache a portion of the overlay on a physical volume.
>[!NOTE]
>UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume.
@@ -32,9 +40,9 @@ The overlay does not mirror the entire volume, but dynamically grows to keep tra
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | ✔️ |
## FilterEnabled
@@ -42,9 +50,9 @@ Set to **True** to enable UWF.
## OverlayFlags
-OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not be redirected to the overlay file. Enabling this setting helps conserve space on the overlay file.
+OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not redirect to the overlay file. Enabling this setting helps conserve space on the overlay file.
-- Value `0` (default value when [OverlayType](#overlaytype) is not **Disk**): writes are redirected to the overlay file
+- Value `0` (default value when [OverlayType](#overlaytype) isn't **Disk**): writes are redirected to the overlay file
- Value `1`(default value when [OverlayType](#overlaytype) is **Disk**): writes to unused space on the volume are allowed to pass through without being redirected to the overlay file.
## OverlaySize
@@ -60,7 +68,7 @@ OverlayType specifies where the overlay is stored. Select between **RAM** (defau
## RegistryExclusions
-You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts.
+You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering. They're written directly to the registry and persist after the device restarts.
Use **Add** to add a registry entry to the exclusion list after you restart the device.
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index f935eeb700..0822937da4 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -22,17 +22,17 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [DeviceContextApp](#devicecontextapp) | X | | X | | |
-| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | |
-| [StoreInstall](#storeinstall) | X | X | X | | X |
-| [UserContextApp](#usercontextapp) | X | X | X | | X |
-| [UserContextAppLicense](#usercontextapplicense) | X | X | X | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [DeviceContextApp](#devicecontextapp) | ✔️ | ✔️ | | |
+| [DeviceContextAppLicense](#devicecontextapplicense) | ✔️ | ✔️ | | |
+| [StoreInstall](#storeinstall) | ✔️ | ✔️ | | ✔️ |
+| [UserContextApp](#usercontextapp) | ✔️ | ✔️ | | ✔️ |
+| [UserContextAppLicense](#usercontextapplicense) | ✔️ | ✔️ | | ✔️ |
## DeviceContextApp
-Enter an app package family name to install an app for all users of the device. You can use the [Get-AppxPackage cmdlet](/powershell/module/appx/get-appxpackage) to get the package family name for an installed app.
+Enter an app package family name to install an app for all device users. You can use the [Get-AppxPackage cmdlet](/powershell/module/appx/get-appxpackage) to get the package family name for an installed app.
>[!NOTE]
>For XAP files, enter the product ID.
@@ -41,11 +41,11 @@ For each app that you add to the package, configure the settings in the followin
| Setting | Value | Description |
| --- | --- | --- |
-| ApplicationFile | .appx or .appxbundle | Set the value to the app file that you want to install on the device. In addition, you must also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. |
-| DependencyAppxFiles | any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. |
-| DeploymentOptions | - None-Force application shutdown: If this package, or any package that depends on this package, is currently in use, the processes associated with the package are shut down forcibly so that registration can continue- Development mode: do not use- Install all resources: When you set ths option, the app is instructed to skip resource applicability checks.- Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. |
-| LaunchAppAtLogin | - Do not launch app- Launch app | Set the value for app behavior when a user signs in. |
-| OptionalPackageFiles | additional files required by the package | Browse to, select, and add the optional package files. |
+| ApplicationFile | `.appx` or `.appxbundle` | Set the value to the app file that you want to install on the device. Also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. |
+| DependencyAppxFiles | Any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. |
+| DeploymentOptions | - None-Force application shutdown: If this package, or any package that depends on this package is currently in use, then the processes associated with the package are forcibly shut down. The registration can continue. - Development mode: Don't use. - Install all resources: When you set this option, the app is instructed to skip resource applicability checks.- Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. |
+| LaunchAppAtLogin | - Don't launch app- Launch app | Set the value for app behavior when a user signs in. |
+| OptionalPackageFiles | Additional files required by the package | Browse to, select, and add the optional package files. |
For more information on deployment options, see [DeploymentOptions Enum](/uwp/api/windows.management.deployment.deploymentoptions).
@@ -53,7 +53,7 @@ For more information on deployment options, see [DeploymentOptions Enum](/uwp/ap
Use to specify the license file for the provisioned app.
-1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**.
+1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. For example, enter `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and select **Add**.
2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
@@ -62,7 +62,7 @@ Use to specify the license file for the provisioned app.
Use to install an app from the Microsoft Store for Business.
-1. Enter a package family name, and then click **Add**.
+1. Enter a package family name, and then select **Add**.
2. Configure the following required settings for the app package.
Setting | Description
@@ -75,21 +75,21 @@ SkuID | Enter the SKU ID. [Learn how to find the SKU ID.](/microsoft-store/micro
Use to add a new user context app.
-1. Specify a **PackageFamilyName** for the app, and then click **Add**.
+1. Specify a **PackageFamilyName** for the app, and then select **Add**.
2. Select the PackageFamilyName in the Available Customizations pane, and then configure the following settings.
Setting | Value | Description
--- | --- | ---
-ApplicationFile | app file | Browse to, select, and add the application file,
-DependencyAppxFiles | additional files required by the app | Browse to, select, and add dependency files.
+ApplicationFile | App file | Browse to, select, and add the application file,
+DependencyAppxFiles | Additional files required by the app | Browse to, select, and add dependency files.
DeploymentOptions | - None- Force application shutdown- Development mode- Install all resources- Force target application shutdown | Select a deployment option.
-LaunchAppAtLogin | - Do not launch app- Launch app | Select whether the app should be started when a user signs in.
+LaunchAppAtLogin | - Don't launch app- Launch app | Select whether the app should be started when a user signs in.
## UserContextAppLicense
Use to specify the license file for the user context app.
-1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**.
+1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. For example, enter `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and select **Add**.
2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 35204ca772..625891ae05 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -20,23 +20,23 @@ Use UniversalAppUninstall settings to uninstall or remove Windows apps.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [RemoveProvisionedApp](#removeprovisionedapp) | X | | | | |
-| [Uninstall](#uninstall) | X | X | X | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [RemoveProvisionedApp](#removeprovisionedapp) | ✔️ | | | |
+| [Uninstall](#uninstall) | ✔️ | ✔️ | | ✔️ |
## RemoveProvisionedApp
-Universal apps can be *provisioned*, which means that they are available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
+Universal apps can be *provisioned*. Provisioned means that they're available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
-Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user are not uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting.
+Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user aren't uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting.
-1. Enter the PackageFamilyName for the app package, and then click **Add**.
+1. Enter the PackageFamilyName for the app package, and then select **Add**.
2. Select the PackageFamilyName in the Available Customizations pane, and then select **RemoveProvisionedApp**.
## Uninstall
Use **Uninstall** to remove provisioned apps that have been installed by a user.
-1. Enter the PackageFamilyName for the app package, and then click **Add**.
+1. Enter the PackageFamilyName for the app package, and then select **Add**.
2. Select the PackageFamilyName in the Available Customizations pane, and then select **Uninstall**.
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index d551248370..3eb9975d01 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -20,9 +20,9 @@ Allows an OEM to hide the USB option UI in Settings and all USB device errors.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | X | X | X | X | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✔️ | ✔️ | ✔️ | |
## HideUsbErrorNotifyOptionUI
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index a8cd376714..ce9f3ab265 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -20,10 +20,10 @@ Use WeakCharger settings to configure the charger notification UI.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | X | X | X | | |
-| [NotifyOnWeakCharger](#notifyonweakcharger) | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✔️ | ✔️ | | |
+| [NotifyOnWeakCharger](#notifyonweakcharger) | ✔️ | ✔️ | | |
## HideWeakChargerNotifyOptionUI
@@ -34,12 +34,15 @@ Select between **Show Weak Charger Notifications UI** and **Hide Weak Charger No
## NotifyOnWeakCharger
-This setting displays a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge or may not charge at all with the current charging source.
+This setting shows a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge. Or, it may not charge at all.
+
+An incompatible charging source is one that doesn't behave like one of the following port types:
-An incompatible charging source is one that does not behave like one of the following port types as defined by the USB Battery Charging Specification, Revision 1.2, available on the USB.org website:
- Charging downstream port
- Standard downstream port
- Dedicated charging port
+The port types are defined by the USB Battery Charging Specification, Revision 1.2, available at `USB.org`.
+
Select between **Disable Weak Charger Notifications UI** and **Enable Weak Charger Notifications UI**.
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
index c1dd26f101..fc0d8fbd54 100644
--- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -15,17 +15,17 @@ manager: dansimp
# WindowsHelloForBusiness (Windows Configuration Designer reference)
-Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md).
+Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to a Windows device configured for [Shared PC mode](wcd-sharedpc.md).
## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [SecurityKeys](#securitykeys) | X | | | | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [SecurityKeys](#securitykeys) | ✔️ | | | |
## SecurityKeys
-Select the desired value:
+Select the value:
-- `0`: security keys for Windows Hello are disabled.
-- `1`: security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).
+- `0`: Security keys for Windows Hello are disabled.
+- `1`: Security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index dcefc054fd..9307518bf1 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -20,33 +20,33 @@ Use WindowsTeamSettings settings to configure Surface Hub.
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | ✔️ | | |
## Connect
| Setting | Value | Description |
| --- | --- | --- |
| AutoLaunch | True or false | Open the Connect app automatically when someone projects. |
-| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)- 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)- 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). |
+| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)- 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)- 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver won't boot. Or, it will broadcast on the wrong channel, which senders won't be looking for. |
| Enabled | True or false | Enables wireless projection to the device. |
| PINRequired | True or false | Requires presenters to enter a PIN to connect wirelessly to the device. |
## DeviceAccount
-A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device.
+A device account is a Microsoft Exchange account that's connected with Skype for Business. It allows people to join scheduled meetings, make Skype for Business calls, and share content from the device.
| Setting | Value | Description |
| --- | --- | --- |
| CalendarSyncEnabled | True or false | Specifies whether calendar sync and other Exchange Server services are enabled. |
-| DomainName | Domain of the device account when you are using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. |
+| DomainName | Domain of the device account when using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. |
| Email | Email address | Email address of the device account. |
| ExchangeServer | Exchange Server | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails. |
| Password | Password | Password for the device account. |
-| PasswordRotationEnabled | 0 = enabled1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. |
+| PasswordRotationEnabled | 0 = enabled1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. |
| SipAddress | Session Initiation Protocol (SIP) address | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails. |
-| UserName | User name | Username of the device account when you are using Active Directory. |
+| UserName | User name | Username of the device account when using Active Directory. |
| UserPrincipalName | User principal name (UPN) | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. |
| ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. |
@@ -62,11 +62,11 @@ Enter the name that users will see when they want to project wirelessly to the d
## MaintenanceHours
-Maintenance hours are the period of time during which automatic maintenance tasks are performed.
+Maintenance hours are the period of time when automatic maintenance tasks are run.
| Setting | Value | Description |
| --- | --- | --- |
-| Duration | Duration in minutes. For example, to set a 3-hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. |
+| Duration | Duration in minutes. For example, to set a three hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. |
| StartTime | Start time in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120 | Start time for when device is allowed to start downloading and installing updates. |
## OMSAgent
@@ -75,7 +75,7 @@ Configures the Operations Management Suite workspace.
| Setting | Value | Description |
| --- | --- | --- |
-| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. |
+| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this value to an empty string to disable the MOM agent. |
| WorkspaceKey | Key | Primary key for authenticating with the workspace. |
## Properties
@@ -85,7 +85,7 @@ Configures the Operations Management Suite workspace.
| AllowAutoProxyAuth | True or false | Specifies if the Surface Hub can use the device account to authenticate into proxy servers requiring authentication. |
| AllowSessionResume | True or false | Specifies if users are allowed to resume their session after session timeout. |
| DefaultVolume | Numeric value between 0 and 100 | Default speaker volume. Speaker volume will be set to this value at every session startup. |
-| DisableSigninSuggestions | True or false | Specifies if the Surface Hub will not show suggestions when users try to sign in to see their meetings and files. |
+| DisableSigninSuggestions | True or false | Specifies if the Surface Hub won't show suggestions when users try to sign in to see their meetings and files. |
| DoNotShowMyMeetingsAndFiles | True or false | Specifies if users can sign in and have full access to personal meetings and most recently used documents. |
| ScreenTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will turn off its screen. |
| SessionTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will time out the current session and return to the welcome screen. |
@@ -105,6 +105,6 @@ Configures the Operations Management Suite workspace.
| CurrentBackgroundPath | Https URL to a PNG file | Background image for the welcome screen. |
| MeetingInfoOption | 0 = organizer and time only1 = organizer, time, and subject (subject is hidden for private meetings) | Specifies whether meeting information is displayed on the welcome screen. |
-## Related topics
+## Related articles
- [SurfaceHub configuration service provider (CSP)](/windows/client-management/mdm/surfacehub-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index 2a746063eb..8b931bc90a 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -20,7 +20,7 @@ Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connecti
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | | | |
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index 7d4431413d..e810f28679 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -20,13 +20,13 @@ Use Workplace settings to configure bulk user enrollment to a mobile device mana
## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [Enrollments](#enrollments) | X | X | X | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [Enrollments](#enrollments) | ✔️ | ✔️ | | ✔️ |
## Enrollments
-Select **Enrollments**, enter a UPN, and then click **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this must a service account that is allowed to enroll multiple users. Example, "generic-device@contoso.com"
+Select **Enrollments**, enter a UPN, and then select **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this value must be a service account that's allowed to enroll multiple users. For example, use `generic-device@contoso.com`.
| Settings | Value | Description |
| --- | --- | --- |
@@ -34,8 +34,8 @@ Select **Enrollments**, enter a UPN, and then click **Add** to configure the set
| DiscoveryServiceFullUrl | URL | The full URL for the discovery service |
| EnrollmentServiceFullUrl | URL | The full URL for the enrollment service |
| PolicyServiceFullUrl | URL | The full URL for the policy service |
-| Secret | - Password string for on-premises authentication enrollment- Federated security token for federated enrollment- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy |
+| Secret | - Password string for on-premises authentication enrollment- Federated security token for federated enrollment- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy. |
-## Related topics
+## Related articles
- [Provisioning configuration service provider (CSP)](/windows/client-management/mdm/provisioning-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 8d75210e45..952a247ff3 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -18,16 +18,13 @@ This section describes the settings that you can configure in [provisioning pack
## Edition that each group of settings applies to
-| Setting group | Desktop editions | Surface Hub | HoloLens | IoT Core |
+| Setting group | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
| [AccountManagement](wcd-accountmanagement.md) | | | ✔️ | |
| [Accounts](wcd-accounts.md) | ✔️ | ✔️ | ✔️ | ✔️ |
| [ADMXIngestion](wcd-admxingestion.md) | ✔️ | | | |
| [AssignedAccess](wcd-assignedaccess.md) | ✔️ | | ✔️ | |
-| [AutomaticTime](wcd-automatictime.md) | | | | |
| [Browser](wcd-browser.md) | ✔️ | ✔️ | | |
-| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | | | |
-| [Calling](wcd-calling.md) | | | | |
| [CellCore](wcd-cellcore.md) | ✔️ | | | |
| [Cellular](wcd-cellular.md) | ✔️ | | | |
| [Certificates](wcd-certificates.md) | ✔️ | ✔️ | ✔️ | ✔️ |
@@ -38,7 +35,6 @@ This section describes the settings that you can configure in [provisioning pack
| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | ✔️ | | | |
| [DeveloperSetup](wcd-developersetup.md) | | | ✔️ | |
| [DeviceFormFactor](wcd-deviceformfactor.md) | ✔️ | ✔️ | | |
-| [DeviceInfo](wcd-deviceinfo.md) | | | | |
| [DeviceManagement](wcd-devicemanagement.md) | ✔️ | ✔️ | ✔️ | |
| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | ✔️ | | | |
| [DMClient](wcd-dmclient.md) | ✔️ | ✔️ | | ✔️ |
@@ -47,27 +43,18 @@ This section describes the settings that you can configure in [provisioning pack
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | ✔️ |
| [FirstExperience](wcd-firstexperience.md) | | | ✔️ | |
| [Folders](wcd-folders.md) |✔️ | ✔️ | | |
-| [InitialSetup](wcd-initialsetup.md) | | | | |
-| [InternetExplorer](wcd-internetexplorer.md) | | | | |
| [KioskBrowser](wcd-kioskbrowser.md) | | | | ✔️ |
| [Licensing](wcd-licensing.md) | ✔️ | | | |
| [Location](wcd-location.md) | | | | ✔️ |
| [Maps](wcd-maps.md) |✔️ | ✔️ | | |
-| [Messaging](wcd-messaging.md) | | | | |
-| [ModemConfigurations](wcd-modemconfigurations.md) | | | | |
-| [Multivariant](wcd-multivariant.md) | | | | |
| [NetworkProxy](wcd-networkproxy.md) | | ✔️ | | |
| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | ✔️ | | |
-| [NFC](wcd-nfc.md) | | | | |
| [OOBE](wcd-oobe.md) | ✔️ | | | |
-| [OtherAssets](wcd-otherassets.md) | | | | |
| [Personalization](wcd-personalization.md) | ✔️ | | | |
| [Policies](wcd-policies.md) | ✔️ | ✔️ | ✔️ | ✔️ |
| [Privacy](wcd-folders.md) |✔️ | ✔️ | | ✔️ |
| [ProvisioningCommands](wcd-provisioningcommands.md) | ✔️ | | | |
-| [RcsPresence](wcd-rcspresence.md) | | | | |
| [SharedPC](wcd-sharedpc.md) | ✔️ | | | |
-| [Shell](wcd-shell.md) | | | | |
| [SMISettings](wcd-smisettings.md) | ✔️ | | | |
| [Start](wcd-start.md) | ✔️ | | | |
| [StartupApp](wcd-startupapp.md) | | | | ✔️ |
@@ -76,8 +63,6 @@ This section describes the settings that you can configure in [provisioning pack
| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | ✔️ | | |
| [TabletMode](wcd-tabletmode.md) |✔️ | ✔️ | | |
| [TakeATest](wcd-takeatest.md) | ✔️ | | | |
-| [TextInput](wcd-textinput.md) | | | | |
-| [Theme](wcd-theme.md) | | | | |
| [Time](wcd-time.md) | ✔️ | | | |
| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | ✔️ | | | ✔️ |
| [UniversalAppInstall](wcd-universalappinstall.md) | ✔️ | ✔️ | | ✔️ |
@@ -88,4 +73,3 @@ This section describes the settings that you can configure in [provisioning pack
| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | ✔️ | | |
| [Workplace](wcd-workplace.md) |✔️ | ✔️ | | ✔️ |
-
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 1d1df993e0..0785a4e3d4 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -208,6 +208,8 @@
href: update/update-compliance-security-update-status.md
- name: Feature update status report
href: update/update-compliance-feature-update-status.md
+ - name: Safeguard holds report
+ href: update/update-compliance-safeguard-holds.md
- name: Delivery Optimization in Update Compliance
href: update/update-compliance-delivery-optimization.md
- name: Data handling and privacy in Update Compliance
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 749e56b321..c5160d884a 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -28,7 +28,7 @@ The features described below are no longer being actively developed, and might b
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
-| BitLocker To Go Reader | Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11. The following items might not be available in a future release of Windows client: - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows** - Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv) - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents** - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
+| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.** Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11. The following items might not be available in a future release of Windows client: - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows** - Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv) - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents** - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index b842f08ba3..a790a1e83a 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -64,7 +64,6 @@ The following features and functionalities have been removed from the installed
|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 |
|Tile Data Layer |To be replaced by the Tile Store.| 1709 |
|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
-|Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 |
|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 |
|Interactive Service Detection Service| See [Interactive Services](/windows/win32/services/interactive-services) for guidance on how to keep software up to date. | 1703 |
|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 546749d1dd..67aa39dd4e 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -29,6 +29,7 @@ The deployment service is designed for IT Pros who are looking for more control
- You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021).
- You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise.
- You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization.
+- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices.
The service is privacy focused and backed by leading industry compliance certifications.
@@ -52,7 +53,6 @@ Using the deployment service typically follows a common pattern:
2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
-
The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager.
## Prerequisites
@@ -74,7 +74,6 @@ Additionally, your organization must have one of the following subscriptions:
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
-
## Getting started
To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
@@ -87,7 +86,6 @@ Microsoft Endpoint Manager integrates with the deployment service to provide Win
The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
-
### Building your own application
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
@@ -113,14 +111,19 @@ This built-in piloting capability complements your existing ring structure and p
You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring.
+### Safeguard holds against likely and known issues
+
+Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out.
+
+To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold)
+
### Monitoring deployments to detect rollback issues
During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
-
### How to enable deployment protections
-Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your organization, devices must share diagnostic data with Microsoft.
+Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft.
#### Device prerequisites
diff --git a/windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png b/windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png
new file mode 100644
index 0000000000..4f11e64555
Binary files /dev/null and b/windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png differ
diff --git a/windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png b/windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png
new file mode 100644
index 0000000000..b4c348b964
Binary files /dev/null and b/windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png differ
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index e62284c15a..8ff5849aaa 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -14,29 +14,30 @@ ms.topic: article
**Applies to**
-- Windows 10
-- Windows 11
+- Windows 10
+- Windows 11
-Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
+Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
-The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
+The lifespan of safeguard holds varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
+IT admins managing updates using the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) also benefit from safeguard holds on devices that are likely to be affected by an issue. To learn more, see [Safeguard holds against likely and known issues](/windows/deployment/update/deployment-service-overview#safeguard-holds-against-likely-and-known-issues).
+
## Am I affected by a safeguard hold?
-IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version.
+IT admins can use [Update Compliance](update-compliance-monitor.md) to monitor various update health metrics for devices in their organization. Update Compliance provides a [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds), as well as [queries in the Feature Update Status report](/windows/deployment/update/update-compliance-feature-update-status), to provide you insight into the safeguard holds that are preventing devices from updating or upgrading.
-Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](/windows/release-health/) dashboard, where you can easily find information related to publicly available safeguards.
+The Update Compliance reports identify safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
-
-If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, we’ll release the hold and the update can resume safely.
+This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we will release the safeguard hold and the update can resume safely.
## What can I do?
@@ -45,4 +46,4 @@ We recommend that you do not attempt to manually update until issues have been r
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
-With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
\ No newline at end of file
+With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 8fa81c9860..9613aaa41e 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -43,18 +43,21 @@ Refer to the following list for what each state means:
## Safeguard holds
-Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
+Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
### Queries for safeguard holds
-Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
+> [!TIP]
+> For a new Update Compliance report with additional information on safeguard holds, try the [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds).
+
+The Feature Update Status report offers two queries to help you retrieve data related to safeguard holds. These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build.
-Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
+Update Compliance reporting will display the safeguard hold IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard hold IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
-### Opt out of safeguard hold
+### Opt out of safeguard holds
-You can [opt out of safeguard protections](safeguard-opt-out.md) by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
+You can [opt out of safeguard holds](safeguard-opt-out.md) protecting against known issues by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
diff --git a/windows/deployment/update/update-compliance-safeguard-holds.md b/windows/deployment/update/update-compliance-safeguard-holds.md
new file mode 100644
index 0000000000..a46fbed232
--- /dev/null
+++ b/windows/deployment/update/update-compliance-safeguard-holds.md
@@ -0,0 +1,61 @@
+---
+title: Update Compliance - Safeguard Holds report
+ms.reviewer:
+manager: laurawi
+description: Learn how the Safeguard Holds report provides information about safeguard holds in your population.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+ms.custom: seo-marvel-apr2020
+---
+
+# Safeguard Holds
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+The Safeguard Holds report provides information about devices in your population that are affected by a [safeguard hold](/windows/deployment/update/safeguard-holds).
+
+Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
+
+Update Compliance provides two views into the safeguard holds that apply to devices in your population. The report shows data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
+
+The safeguard hold report can be found in a different location from the other Update Compliance reports. To access the safeguard hold report, follow the instructions below.
+
+1. Navigate to your Log Analytics workspace to which Update Compliance is deployed.
+2. In the left-hand menu, select **Solutions**.
+3. Select the solution named **WaaSUpdateInsights(\)**. (This summary page is also where the Update Compliance tile is located.)
+4. In the left-hand menu, select **Workbooks**.
+5. Under the subsection **WaaSUpdateInsights**, select the workbook named **Safeguard Holds**.
+
+## Safeguard hold view
+
+
+
+The safeguard hold view shows which safeguard holds apply to devices in your population, and how many devices are affected by each safeguard hold. You can use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the chart and corresponding table to show only the selected safeguard hold IDs. Note that a device can be affected by more than one safeguard hold.
+
+## Device view
+
+
+
+The device view shows which devices are affected by safeguard holds. In the **Safeguard Hold IDs** column of the table, you can find a list of the safeguard holds that apply to each device. You can also use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the table to show only devices affected by the selected safeguard hold IDs.
+
+## Getting additional information about a safeguard hold
+
+For safeguard holds protecting devices against publicly discussed known issues, you can find their 8-digit identifier on the [Windows release health](/windows/release-health/) page under **Known issues** corresponding to the relevant release.
+
+Devices managed by the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) that are affected by a safeguard hold for a likely issue are listed in the report with the safeguard hold ID value **00000001**.
+
+## Opt out of safeguard holds
+
+To opt out of safeguard holds protecting against known issues, see [Opt out of safeguard holds](/windows/deployment/update/safeguard-opt-out).
+
+To opt out of safeguard holds protecting against likely issues (applicable to devices managed by the deployment service), see [Manage safeguards for a feature update deployment using the Windows Update for Business deployment service](/graph/windowsupdates-manage-safeguards).
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
index 9f0ddd10ef..5d923146e5 100644
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -26,7 +26,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on
|**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
|**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
**Update completed**: Device has completed the update installation.
**In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
**Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
**Canceled**: The update was canceled.
**Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
**Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`.
**Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
**Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
-|**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
**Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
**Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
**Update offered**: The device has been offered the update, but has not begun downloading it.
**Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
**Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
**Download started**: The update has begun downloading on the device.
**Download Succeeded**: The update has successfully completed downloading.
**Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
**Install Started**: Installation of the update has begun.
**Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
**Reboot Pending**: The device has a scheduled reboot to apply the update.
**Reboot Initiated**: The scheduled reboot has been initiated.
**Commit**: Changes are being committed post-reboot. This is another step of the installation process.
**Update Completed**: The update has successfully installed.|
+|**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
**Not Started**: Update hasn't started because the device is not targeting the latest 2 builds
**Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
**Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
**Update offered**: The device has been offered the update, but has not begun downloading it.
**Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
**Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
**Download started**: The update has begun downloading on the device.
**Download Succeeded**: The update has successfully completed downloading.
**Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
**Install Started**: Installation of the update has begun.
**Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
**Reboot Pending**: The device has a scheduled reboot to apply the update.
**Reboot Initiated**: The scheduled reboot has been initiated.
**Commit**: Changes are being committed post-reboot. This is another step of the installation process.
**Update Completed**: The update has successfully installed.|
|**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
|**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
|**OriginBuild** |[string](/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. |
@@ -43,4 +43,4 @@ WaaSDeploymentStatus records track a specific update's installation progress on
|**TimeGenerated** |[datetime](/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
|**UpdateCategory** |[string](/azure/kusto/query/scalar-data-types/string) |`Quality` |The high-level category of content type this Windows Update belongs to. Possible values are **Feature** and **Quality**. |
|**UpdateClassification** |[string](/azure/kusto/query/scalar-data-types/string) |`Security` |Similar to UpdateCategory, this more specifically determines whether a Quality update is a security update or not. |
-|**UpdateReleasedDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. |
\ No newline at end of file
+|**UpdateReleasedDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. |
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 5f04e54883..c33db61e09 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -158,7 +158,7 @@ In the Group Policy editor, you will see a number of policy settings that pertai
| Turn off auto-restart for updates during active hours |  | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time |  | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation |  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
-| No auto-restart with logged on users for scheduled automatic updates installations |  | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. There is no equivalent MDM policy setting for Windows 10 Mobile. |
+| No auto-restart with logged on users for scheduled automatic updates installations |  | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
| Re-prompt for restart with scheduled installations |  | |
| Delay Restart for scheduled installations |  | |
| Reschedule Automatic Updates scheduled installations |  | |
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index ad5011e9b9..17d490b6d0 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -12,7 +12,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 09/23/2021
+ms.date: 11/02/2021
ms.reviewer:
---
@@ -389,7 +389,7 @@ The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\
| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios. Default value: 00000000 |
| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired. Default value: 00000400 Default key generation parameter: 1024-bit keys |
| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required. Default value: 00000000 |
-| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail. Default value: 000005dc1500 The default timeout for holding transactions to the smart card is 1.5 seconds. |
+| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail. Default value: 000005dc The default timeout for holding transactions to the smart card is 1.5 seconds. |
**Additional registry keys for the smart card KSP**
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
index a3f1fdac56..8cce54444d 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
@@ -15,32 +15,46 @@ metadata:
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
- ms.date: 09/06/2021
- ms.technology: windows-sec
+ ms.date: 11/10/2021
+ ms.technology: mde
title: Advanced security auditing FAQ
-
-
-
- This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
+summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
- [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-)
+
- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-)
+
- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-)
+
- [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-)
+
- [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-)
+
- [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-)
+
- [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-)
+
- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-)
+
- [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-)
+
- [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-)
+
- [How do I figure out why someone was able to access a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-)
+
- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-)
+
- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-)
+
- [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-)
+
- [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-)
+
- [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-)
+
- [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-)
+
- [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-)
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
index 44bcc3e46e..4033a6633b 100644
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -23,7 +23,7 @@ If you have a file that you suspect might be malware or is being incorrectly det
## How do I send a malware file to Microsoft?
-You can send us files that you think might be malware or files that have been incorrectly detected through the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission).
+You can send us files that you think might be malware or files that have been incorrectly detected through the [sample submission portal](https://www.microsoft.com/en-us/wdsi/filesubmission).
We receive a large number of samples from many sources. Our analysis is prioritized by the number of file detections and the type of submission. You can help us complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file.
@@ -31,7 +31,7 @@ After you sign in, you will be able to track your submissions.
## Can I send a sample by email?
-No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/wdsi/filesubmission).
+No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/en-us/wdsi/filesubmission).
## Can I submit a sample without signing in?
@@ -43,7 +43,7 @@ The [Software Assurance ID (SAID)](https://www.microsoft.com/licensing/licensing
### How do I dispute the detection of my program?
-[Submit the file](https://www.microsoft.com/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination.
+[Submit the file](https://www.microsoft.com/en-us/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination.
If you’re not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
@@ -51,7 +51,7 @@ We encourage all software vendors and developers to read about [how Microsoft id
## How do I track or view past sample submissions?
-You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).
+You can track your submissions through the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).
## What does the submission status mean?
@@ -63,7 +63,7 @@ Each submission is shown to be in one of the following status types:
* Closed—a final determination has been given by an analyst
-You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).
+You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).
## How does Microsoft prioritize submissions
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index 36243edbf3..4368a1ce60 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -10,7 +10,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
-ms.date: 04/14/2021
+ms.date: 11/06/2021
ms.technology: windows-sec
ms.topic: article
ms.localizationpriority: medium
@@ -32,7 +32,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
> [!NOTE]
> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
-## Script-based deployment process for Windows 10 version 1903 and above
+## Deploying policies for Windows 10 version 1903 and above
1. Initialize the variables to be used by the script.
@@ -56,23 +56,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
& $RefreshPolicyTool
```
-### Deploying signed policies
-
-In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
-
-1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
-
- ```powershell
- mountvol J: /S
- J:
- mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active
- ```
-
-2. Copy the signed policy binary as `{PolicyGUID}.cip` to `J:\EFI\Microsoft\Boot\CiPolicies\Active`.
-
-3. Reboot the system.
-
-## Script-based deployment process for Windows 10 versions earlier than 1903
+## Deploying policies for Windows 10 versions earlier than 1903
1. Initialize the variables to be used by the script.
@@ -93,3 +77,25 @@ In addition to the steps outlined above, the binary policy file must also be cop
```powershell
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}
```
+
+## Deploying signed policies
+
+In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
+
+1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
+
+ ```powershell
+ $MountPoint = 'C:\EFI'
+ $EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active"
+ $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
+ mkdir $EFIDestinationFolder
+ mountvol $MountPoint $EFIPartition
+ ```
+
+2. Copy the signed policy to the created folder:
+
+ ```powershell
+ Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -Force
+ ```
+
+3. Restart the system.
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
index 6de03178f8..10105e0039 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
@@ -32,9 +32,9 @@ ms.technology: windows-sec
The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
## Configuring Policy Rules
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index acfa2cee01..d9747dc21d 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -37,14 +37,11 @@ You can prevent users from modifying settings in the Exploit protection area. Th
You can only prevent users from modifying Exploit protection settings by using Group Policy.
> [!IMPORTANT]
->
-> ### Requirements
->
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
@@ -59,14 +56,11 @@ You can choose to hide the entire section by using Group Policy. The section wil
This can only be done in Group Policy.
> [!IMPORTANT]
->
-> ### Requirements
->
-> You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
@@ -77,4 +71,4 @@ This can only be done in Group Policy.
> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
-> 
\ No newline at end of file
+> 
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
index 544e0ab263..31d3aba69a 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
@@ -42,7 +42,7 @@ Because Windows Sandbox runs the same operating system image as the host, it has
## Integrated kernel scheduler
-With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
+With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
